neconyd | cca5bae745f26916c8595dd8ed9dac07186605df75c5253af2ae050607c645c7

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

68c8f462babd495fdf40e20ad442fae3
SHA1

b7fb3b288cd15faf9834257f037a371c14bf00ea
SHA256

cca5bae745f26916c8595dd8ed9dac07186605df75c5253af2ae050607c645c7
SHA512

3caa921e73fc076791044eead2c434c7e5e537232ad9ced193c61aac473c0e58e0ea5e46648cd7d9a90403230fa89abf04148bc7de465b124ade6d5732419446
SSDEEP

1536:EDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiP:aiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2728	omsecor.exe
4424	omsecor.exe
1936	omsecor.exe
5532	omsecor.exe
3708	omsecor.exe
5928	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5204 set thread context of 5552	5204	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	89
PID 2728 set thread context of 4424	2728	omsecor.exe	94
PID 1936 set thread context of 5532	1936	omsecor.exe	117
PID 3708 set thread context of 5928	3708	omsecor.exe	121

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1524	5204	WerFault.exe	88
2340	2728	WerFault.exe	92
5828	1936	WerFault.exe	116
4520	3708	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5204 wrote to memory of 5552	5204	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	89
PID 5204 wrote to memory of 5552	5204	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	89
PID 5204 wrote to memory of 5552	5204	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	89
PID 5204 wrote to memory of 5552	5204	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	89
PID 5204 wrote to memory of 5552	5204	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	89
PID 5552 wrote to memory of 2728	5552	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	92
PID 5552 wrote to memory of 2728	5552	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	92
PID 5552 wrote to memory of 2728	5552	2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe	92
PID 2728 wrote to memory of 4424	2728	omsecor.exe	94
PID 2728 wrote to memory of 4424	2728	omsecor.exe	94
PID 2728 wrote to memory of 4424	2728	omsecor.exe	94
PID 2728 wrote to memory of 4424	2728	omsecor.exe	94
PID 2728 wrote to memory of 4424	2728	omsecor.exe	94
PID 4424 wrote to memory of 1936	4424	omsecor.exe	116
PID 4424 wrote to memory of 1936	4424	omsecor.exe	116
PID 4424 wrote to memory of 1936	4424	omsecor.exe	116
PID 1936 wrote to memory of 5532	1936	omsecor.exe	117
PID 1936 wrote to memory of 5532	1936	omsecor.exe	117
PID 1936 wrote to memory of 5532	1936	omsecor.exe	117
PID 1936 wrote to memory of 5532	1936	omsecor.exe	117
PID 1936 wrote to memory of 5532	1936	omsecor.exe	117
PID 5532 wrote to memory of 3708	5532	omsecor.exe	119
PID 5532 wrote to memory of 3708	5532	omsecor.exe	119
PID 5532 wrote to memory of 3708	5532	omsecor.exe	119
PID 3708 wrote to memory of 5928	3708	omsecor.exe	121
PID 3708 wrote to memory of 5928	3708	omsecor.exe	121
PID 3708 wrote to memory of 5928	3708	omsecor.exe	121
PID 3708 wrote to memory of 5928	3708	omsecor.exe	121
PID 3708 wrote to memory of 5928	3708	omsecor.exe	121

C:\Users\Admin\AppData\Local\Temp\2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5204
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_68c8f462babd495fdf40e20ad442fae3_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5552
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5532
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 256
        8⤵
        Program crash
        
        PID:4520
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 292
        6⤵
        Program crash
        
        PID:5828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 288
      4⤵
      Program crash
      PID:2340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 288
  2⤵
  - Program crash
  PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5204 -ip 5204
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2728 -ip 2728
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1936 -ip 1936
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3708 -ip 3708
1⤵
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
178b1d88696cf23563f1d3f2b84e0f37

SHA1
9d6cebc8f8ac78235199852c88d39a3b101b5a4d

SHA256
98a08aef0b04a0428c7f1cf5776ac9b3dec8d67637b4deca0c31abcc8c333fd5

SHA512
0a88b27d2799d8fd771a3bd0970d7b640ef71d2bb46d895fbc03b95b5f3007c0b4e71d49706d70a174e720bead957f7ad8e0f064ff16257268844c290bcee178

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
a09296d6854599075f323d8e9d58ed63

SHA1
82ed35b3d658d608cdb81c814908fc8ac953fcbc

SHA256
fec506ef8b64e9c6e35b86fd71c28df1b6a8edb68fa85e7e56ae158e239923ed

SHA512
c5a51879d55778ed3cd3a2cb51bc135a837e943474f2b5e22eff88ea33be3389cae343ce67b464382aba232a4846ec0b8c27f7d94cd097164fce393d95fe8e0f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
01ddb6c00f693b9588fb46ca1ed7126f

SHA1
a4a6f9057106cfb860ed9c7450eedcc629adf37c

SHA256
88c08a75a3c29f3c89c46a4a0e9a92e90b4cec514080d57bdf64f6b1a11d8cb0

SHA512
a13d1d298ffb89922bebea5889b520612b361a17098e3758894e6cb4c7c249c30559c452945504bb45d204ee1537221ecbb4c926a0ff586d0525af68d530c5af

Download Submit
memory/1936-34-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2728-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2728-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3708-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4424-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4424-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4424-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4424-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4424-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4424-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4424-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5204-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5204-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5532-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5532-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5532-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5552-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5552-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5552-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5552-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5928-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5928-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5928-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5928-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download