neconyd | cca5bae745f26916c8595dd8ed9dac07186605df75c5253af2ae050607c645c7

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

68c8f462babd495fdf40e20ad442fae3
SHA1

b7fb3b288cd15faf9834257f037a371c14bf00ea
SHA256

cca5bae745f26916c8595dd8ed9dac07186605df75c5253af2ae050607c645c7
SHA512

3caa921e73fc076791044eead2c434c7e5e537232ad9ced193c61aac473c0e58e0ea5e46648cd7d9a90403230fa89abf04148bc7de465b124ade6d5732419446
SSDEEP

1536:EDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiP:aiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1888	omsecor.exe
5392	omsecor.exe
3388	omsecor.exe
5896	omsecor.exe
748	omsecor.exe
1984	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5044 set thread context of 2228	5044	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	87
PID 1888 set thread context of 5392	1888	omsecor.exe	91
PID 3388 set thread context of 5896	3388	omsecor.exe	116
PID 748 set thread context of 1984	748	omsecor.exe	120

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4440	1888	WerFault.exe	90
2948	5044	WerFault.exe	86
5128	3388	WerFault.exe	115
5148	748	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 2228	5044	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	87
PID 5044 wrote to memory of 2228	5044	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	87
PID 5044 wrote to memory of 2228	5044	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	87
PID 5044 wrote to memory of 2228	5044	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	87
PID 5044 wrote to memory of 2228	5044	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	87
PID 2228 wrote to memory of 1888	2228	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	90
PID 2228 wrote to memory of 1888	2228	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	90
PID 2228 wrote to memory of 1888	2228	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	90
PID 1888 wrote to memory of 5392	1888	omsecor.exe	91
PID 1888 wrote to memory of 5392	1888	omsecor.exe	91
PID 1888 wrote to memory of 5392	1888	omsecor.exe	91
PID 1888 wrote to memory of 5392	1888	omsecor.exe	91
PID 1888 wrote to memory of 5392	1888	omsecor.exe	91
PID 5392 wrote to memory of 3388	5392	omsecor.exe	115
PID 5392 wrote to memory of 3388	5392	omsecor.exe	115
PID 5392 wrote to memory of 3388	5392	omsecor.exe	115
PID 3388 wrote to memory of 5896	3388	omsecor.exe	116
PID 3388 wrote to memory of 5896	3388	omsecor.exe	116
PID 3388 wrote to memory of 5896	3388	omsecor.exe	116
PID 3388 wrote to memory of 5896	3388	omsecor.exe	116
PID 3388 wrote to memory of 5896	3388	omsecor.exe	116
PID 5896 wrote to memory of 748	5896	omsecor.exe	118
PID 5896 wrote to memory of 748	5896	omsecor.exe	118
PID 5896 wrote to memory of 748	5896	omsecor.exe	118
PID 748 wrote to memory of 1984	748	omsecor.exe	120
PID 748 wrote to memory of 1984	748	omsecor.exe	120
PID 748 wrote to memory of 1984	748	omsecor.exe	120
PID 748 wrote to memory of 1984	748	omsecor.exe	120
PID 748 wrote to memory of 1984	748	omsecor.exe	120

C:\Users\Admin\AppData\Local\Temp\2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5392
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3388
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5896
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 268
        8⤵
        Program crash
        
        PID:5148
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 296
        6⤵
        Program crash
        
        PID:5128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 288
      4⤵
      Program crash
      PID:4440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 288
  2⤵
  - Program crash
  PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5044 -ip 5044
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1888 -ip 1888
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3388 -ip 3388
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 748 -ip 748
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
7cb457502bb7c9fdd90701b3ae3ba95c

SHA1
4c237f5efcc88cefa1264cae0f319f2087dc08aa

SHA256
28357094eda83967be15c6f1abd33f6e45842fe6da3f2e1401b26637b3f941e9

SHA512
316ccaa2a98fe3218d9db2ed33541deff7543751067bd0882ab519ffc7b1d6deaa405badea93315a8840547ba9bd4e4904be5fd814bd514e95d52c2e945a7e22

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
a09296d6854599075f323d8e9d58ed63

SHA1
82ed35b3d658d608cdb81c814908fc8ac953fcbc

SHA256
fec506ef8b64e9c6e35b86fd71c28df1b6a8edb68fa85e7e56ae158e239923ed

SHA512
c5a51879d55778ed3cd3a2cb51bc135a837e943474f2b5e22eff88ea33be3389cae343ce67b464382aba232a4846ec0b8c27f7d94cd097164fce393d95fe8e0f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
3bc72be5b5664a7a620808ea008d8e61

SHA1
9e86fe062e216b7aebfc6fbe328ad7232c8acb4d

SHA256
97f645902a2662c5f9bcfc05fa5f21c623e869e8e3c6933631a5943162164e80

SHA512
46b9a4192a6f6b666d5693b686dcfea0264c4cd0fc9f995bb09f2cc387e4a04d7e36cc4c90455880afe3f13b1a1ad7b6c549fcff1060ef8d3d12f1558c441954

Download Submit
memory/748-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/748-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1888-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1984-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1984-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1984-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1984-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2228-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2228-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2228-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2228-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3388-52-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3388-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5044-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5044-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5392-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5392-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5392-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5392-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5392-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5392-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5392-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5896-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5896-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5896-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download