neconyd | 64a97c2c5d777bd0121f7e6783103cdd931c3e4a9331724a13a8eb5b0f5f1cf9

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

7ccf748e802c7454801451137f4c6914
SHA1

334294b4f37e702568feca00fafd35d725942d03
SHA256

64a97c2c5d777bd0121f7e6783103cdd931c3e4a9331724a13a8eb5b0f5f1cf9
SHA512

c2a3c5a58ad62059382da95a05397e37441d615e55fd0aa25131efa4daddfddd4cca5c062ca61d15e359e9c13d731dd715b68fc0e39f927e900017c79b225a14
SSDEEP

1536:yDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi/:kiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
956	omsecor.exe
2020	omsecor.exe
3308	omsecor.exe
3864	omsecor.exe
4672	omsecor.exe
3832	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3116 set thread context of 1992	3116	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	86
PID 956 set thread context of 2020	956	omsecor.exe	91
PID 3308 set thread context of 3864	3308	omsecor.exe	119
PID 4672 set thread context of 3832	4672	omsecor.exe	123

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3544	3116	WerFault.exe	85
3008	956	WerFault.exe	88
4804	3308	WerFault.exe	118
804	4672	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 1992	3116	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	86
PID 3116 wrote to memory of 1992	3116	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	86
PID 3116 wrote to memory of 1992	3116	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	86
PID 3116 wrote to memory of 1992	3116	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	86
PID 3116 wrote to memory of 1992	3116	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	86
PID 1992 wrote to memory of 956	1992	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	88
PID 1992 wrote to memory of 956	1992	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	88
PID 1992 wrote to memory of 956	1992	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	88
PID 956 wrote to memory of 2020	956	omsecor.exe	91
PID 956 wrote to memory of 2020	956	omsecor.exe	91
PID 956 wrote to memory of 2020	956	omsecor.exe	91
PID 956 wrote to memory of 2020	956	omsecor.exe	91
PID 956 wrote to memory of 2020	956	omsecor.exe	91
PID 2020 wrote to memory of 3308	2020	omsecor.exe	118
PID 2020 wrote to memory of 3308	2020	omsecor.exe	118
PID 2020 wrote to memory of 3308	2020	omsecor.exe	118
PID 3308 wrote to memory of 3864	3308	omsecor.exe	119
PID 3308 wrote to memory of 3864	3308	omsecor.exe	119
PID 3308 wrote to memory of 3864	3308	omsecor.exe	119
PID 3308 wrote to memory of 3864	3308	omsecor.exe	119
PID 3308 wrote to memory of 3864	3308	omsecor.exe	119
PID 3864 wrote to memory of 4672	3864	omsecor.exe	121
PID 3864 wrote to memory of 4672	3864	omsecor.exe	121
PID 3864 wrote to memory of 4672	3864	omsecor.exe	121
PID 4672 wrote to memory of 3832	4672	omsecor.exe	123
PID 4672 wrote to memory of 3832	4672	omsecor.exe	123
PID 4672 wrote to memory of 3832	4672	omsecor.exe	123
PID 4672 wrote to memory of 3832	4672	omsecor.exe	123
PID 4672 wrote to memory of 3832	4672	omsecor.exe	123

C:\Users\Admin\AppData\Local\Temp\2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3308
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 256
        8⤵
        Program crash
        
        PID:804
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 292
        6⤵
        Program crash
        
        PID:4804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 288
      4⤵
      Program crash
      PID:3008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 288
  2⤵
  - Program crash
  PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3116 -ip 3116
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 956 -ip 956
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3308 -ip 3308
1⤵
PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4672 -ip 4672
1⤵
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
aa67b7f525c898f4397242630a39aabd

SHA1
366bf21feab480e6a9cfda76b4ca8cdb192334c7

SHA256
dc3abb78239f65b32f4f54ec6f6d518dae509375bbd0af56e73883bf2775c5dc

SHA512
d61ba3c823e3a426ea2f922c918f445e5e7f243592f4e9786dc6a8b4731517c175ae69c79ba5874be413c370fd8a9305673ea4b5facaede70997324b336e4421

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
20d2f9816feeacd2e7c0db600901caaf

SHA1
f5bbed985260237e0f6e79b64986086f8e55a975

SHA256
8edea95f41318f29d10bbb8bcebbeb74a72bedce60a514a73427da918ae183b4

SHA512
d78419e863ebc0fb456b42ad6912d50e649053d5f0fb3d76d6aa55c02d55f9d60ff8fefd29aca776f8841ecba2cb62f89e16c538628830bf5c49086090b8f6f7

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
17c89c71b00bd509f8c3ddbef3d5166e

SHA1
2f0c9458555802efccacf3d944faaa2a17c367e7

SHA256
3b2295b353545853f243d7427c35c2b1dde76a3307b5e5ae0a811047cd12474a

SHA512
c1d87dee3d89df456659a68b48f4aa13603209bb71d23fa2a654162579ecea262429c48e8844aaa6515c2d0a74c5b72c3826c4b5cff8c2323a2fba1cfcfa9f7f

Download Submit
memory/956-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1992-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3116-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3116-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3308-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3308-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3832-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3832-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3832-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3832-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4672-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download