neconyd | 3b36344499f87e3e74f4ac3d2d03527d2fc3cec061c24534577dbfedbaa72948

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

dc7a833f8a7f035ca0e2b6359ceea716
SHA1

43382e06877f25067b3068528fbd36a73b7b68ce
SHA256

3b36344499f87e3e74f4ac3d2d03527d2fc3cec061c24534577dbfedbaa72948
SHA512

5d7818ea02cfa759a2478af427e9614d0e13c41e56a7bb7a255b6197798c42518ab98a56767efbc15fbd9dbca094d382aac8353b0f17e06e2b28278a5935a7b4
SSDEEP

1536:uDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCid:QiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2964	omsecor.exe
4224	omsecor.exe
712	omsecor.exe
1788	omsecor.exe
1576	omsecor.exe
1292	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5156 set thread context of 3172	5156	2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe	86
PID 2964 set thread context of 4224	2964	omsecor.exe	90
PID 712 set thread context of 1788	712	omsecor.exe	115
PID 1576 set thread context of 1292	1576	omsecor.exe	119

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4336	2964	WerFault.exe	88
2304	5156	WerFault.exe	85
4744	712	WerFault.exe	114
5996	1576	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5156 wrote to memory of 3172	5156	2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe	86
PID 5156 wrote to memory of 3172	5156	2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe	86
PID 5156 wrote to memory of 3172	5156	2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe	86
PID 5156 wrote to memory of 3172	5156	2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe	86
PID 5156 wrote to memory of 3172	5156	2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe	86
PID 3172 wrote to memory of 2964	3172	2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe	88
PID 3172 wrote to memory of 2964	3172	2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe	88
PID 3172 wrote to memory of 2964	3172	2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe	88
PID 2964 wrote to memory of 4224	2964	omsecor.exe	90
PID 2964 wrote to memory of 4224	2964	omsecor.exe	90
PID 2964 wrote to memory of 4224	2964	omsecor.exe	90
PID 2964 wrote to memory of 4224	2964	omsecor.exe	90
PID 2964 wrote to memory of 4224	2964	omsecor.exe	90
PID 4224 wrote to memory of 712	4224	omsecor.exe	114
PID 4224 wrote to memory of 712	4224	omsecor.exe	114
PID 4224 wrote to memory of 712	4224	omsecor.exe	114
PID 712 wrote to memory of 1788	712	omsecor.exe	115
PID 712 wrote to memory of 1788	712	omsecor.exe	115
PID 712 wrote to memory of 1788	712	omsecor.exe	115
PID 712 wrote to memory of 1788	712	omsecor.exe	115
PID 712 wrote to memory of 1788	712	omsecor.exe	115
PID 1788 wrote to memory of 1576	1788	omsecor.exe	117
PID 1788 wrote to memory of 1576	1788	omsecor.exe	117
PID 1788 wrote to memory of 1576	1788	omsecor.exe	117
PID 1576 wrote to memory of 1292	1576	omsecor.exe	119
PID 1576 wrote to memory of 1292	1576	omsecor.exe	119
PID 1576 wrote to memory of 1292	1576	omsecor.exe	119
PID 1576 wrote to memory of 1292	1576	omsecor.exe	119
PID 1576 wrote to memory of 1292	1576	omsecor.exe	119

C:\Users\Admin\AppData\Local\Temp\2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5156
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_dc7a833f8a7f035ca0e2b6359ceea716_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:712
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 256
        8⤵
        Program crash
        
        PID:5996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 292
        6⤵
        Program crash
        
        PID:4744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 288
      4⤵
      Program crash
      PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 288
  2⤵
  - Program crash
  PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5156 -ip 5156
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2964 -ip 2964
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 712 -ip 712
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1576 -ip 1576
1⤵
PID:5696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
510763d341c45a0ad7701074283d9b25

SHA1
edf2d4d5d9119f5d95bc780cbc53f9d7c06432b9

SHA256
6cba91fe39201715c83c344a0d6eeb2ab0c855a9f62f6c264900dd78ab76f330

SHA512
213eea554d10c7b31baf891f66bdf8e2c501b71576d18f2399e83d9c15e1ff11aea2f4804a84c7eef3a4ba828655875e05886c162c9e10eb4064c83707d8b950

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
b3226abeb90e2578d4e802736d7dd700

SHA1
438391a4f546c23824ef61907ad217265d026df1

SHA256
e657fc3a9457870bb419a8fc0696df35c5ee02a71283308ef267a9e5b48442c8

SHA512
029463e7eb8252c7565215e082b7843f1a1a5a197e846d7952bd17ff4677bf68c560ecd6ac6f5e7923900cfb24a042406e2306c02e8360ba414bba5dff429fe0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
fd8b665a7e6e217ab68b673562b2627e

SHA1
e8605623ad642b3cd3b0a1d47fc7203d2d3bfab8

SHA256
6b18fe496c5eea942e84e796ba561c410078c583240c7d6e09675e9c36e63020

SHA512
cdbed87cfe7d2fc456b5e2482ee51f4dc2c89c1d1b0a3e8f66296b50750e9a932a6b9356c84bb1fef01a5029c193f6d65235bbf614b5fd9430f38c41d4846bda

Download Submit
memory/712-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/712-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1292-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1292-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1292-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1292-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1576-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1576-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1788-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1788-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1788-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2964-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2964-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3172-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3172-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3172-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3172-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4224-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4224-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4224-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4224-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4224-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4224-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4224-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5156-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5156-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download