neconyd | 64a97c2c5d777bd0121f7e6783103cdd931c3e4a9331724a13a8eb5b0f5f1cf9

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

7ccf748e802c7454801451137f4c6914
SHA1

334294b4f37e702568feca00fafd35d725942d03
SHA256

64a97c2c5d777bd0121f7e6783103cdd931c3e4a9331724a13a8eb5b0f5f1cf9
SHA512

c2a3c5a58ad62059382da95a05397e37441d615e55fd0aa25131efa4daddfddd4cca5c062ca61d15e359e9c13d731dd715b68fc0e39f927e900017c79b225a14
SSDEEP

1536:yDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi/:kiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3796	omsecor.exe
3212	omsecor.exe
2512	omsecor.exe
4376	omsecor.exe
3852	omsecor.exe
1584	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4312 set thread context of 2320	4312	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	86
PID 3796 set thread context of 3212	3796	omsecor.exe	90
PID 2512 set thread context of 4376	2512	omsecor.exe	116
PID 3852 set thread context of 1584	3852	omsecor.exe	120

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3660	4312	WerFault.exe	85
2852	3796	WerFault.exe	88
3532	2512	WerFault.exe	115
4976	3852	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 2320	4312	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	86
PID 4312 wrote to memory of 2320	4312	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	86
PID 4312 wrote to memory of 2320	4312	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	86
PID 4312 wrote to memory of 2320	4312	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	86
PID 4312 wrote to memory of 2320	4312	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	86
PID 2320 wrote to memory of 3796	2320	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	88
PID 2320 wrote to memory of 3796	2320	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	88
PID 2320 wrote to memory of 3796	2320	2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe	88
PID 3796 wrote to memory of 3212	3796	omsecor.exe	90
PID 3796 wrote to memory of 3212	3796	omsecor.exe	90
PID 3796 wrote to memory of 3212	3796	omsecor.exe	90
PID 3796 wrote to memory of 3212	3796	omsecor.exe	90
PID 3796 wrote to memory of 3212	3796	omsecor.exe	90
PID 3212 wrote to memory of 2512	3212	omsecor.exe	115
PID 3212 wrote to memory of 2512	3212	omsecor.exe	115
PID 3212 wrote to memory of 2512	3212	omsecor.exe	115
PID 2512 wrote to memory of 4376	2512	omsecor.exe	116
PID 2512 wrote to memory of 4376	2512	omsecor.exe	116
PID 2512 wrote to memory of 4376	2512	omsecor.exe	116
PID 2512 wrote to memory of 4376	2512	omsecor.exe	116
PID 2512 wrote to memory of 4376	2512	omsecor.exe	116
PID 4376 wrote to memory of 3852	4376	omsecor.exe	118
PID 4376 wrote to memory of 3852	4376	omsecor.exe	118
PID 4376 wrote to memory of 3852	4376	omsecor.exe	118
PID 3852 wrote to memory of 1584	3852	omsecor.exe	120
PID 3852 wrote to memory of 1584	3852	omsecor.exe	120
PID 3852 wrote to memory of 1584	3852	omsecor.exe	120
PID 3852 wrote to memory of 1584	3852	omsecor.exe	120
PID 3852 wrote to memory of 1584	3852	omsecor.exe	120

C:\Users\Admin\AppData\Local\Temp\2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_7ccf748e802c7454801451137f4c6914_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 268
        8⤵
        Program crash
        
        PID:4976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 296
        6⤵
        Program crash
        
        PID:3532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 300
      4⤵
      Program crash
      PID:2852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 288
  2⤵
  - Program crash
  PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4312 -ip 4312
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3796 -ip 3796
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2512 -ip 2512
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3852 -ip 3852
1⤵
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
5f2320e80a89036383b741352d34bec1

SHA1
c4b4071a25821a05c3acc8a548289aedae3c2e6e

SHA256
b91b29015e287321cc32a9dba4dbb3d165d99e796bc9204ee4944df1c52232fa

SHA512
af6dbe2e5da84ed844178ca4abfc7258ba00224ed1d2e351636f26ea3a0324ea0a0f446cad207b4f22d8bf6170a1ce76bda4aee35b91e09f746c96a915ce0901

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
20d2f9816feeacd2e7c0db600901caaf

SHA1
f5bbed985260237e0f6e79b64986086f8e55a975

SHA256
8edea95f41318f29d10bbb8bcebbeb74a72bedce60a514a73427da918ae183b4

SHA512
d78419e863ebc0fb456b42ad6912d50e649053d5f0fb3d76d6aa55c02d55f9d60ff8fefd29aca776f8841ecba2cb62f89e16c538628830bf5c49086090b8f6f7

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
482f50af4ad392c0ff882172caf96fa7

SHA1
360b8f8765e042dd8950c9a21e80d7f9b590201b

SHA256
454a7399b07c6b18bcbc6acef855337b8696c00064c1e864cd10c81197ffb0f8

SHA512
e7d185636ac2127da60f3b2832a42a93d2c9e133f68d434a890fa005647f40c227e25c1021162b239290de77522c29e681d1414e13db767bdd0e7baad7d6da63

Download Submit
memory/1584-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1584-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1584-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1584-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2320-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2320-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2320-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2320-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2512-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2512-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3212-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3212-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3212-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3212-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3212-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3212-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3212-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3796-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3796-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3852-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4312-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4312-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4376-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4376-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4376-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download