neconyd | 5395db5ee6c99c19f231a88dbfb6bf73510c4ca908f2e54a673500f67ea7f6b2

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

f44a9d1fee0acdd0b45f6954374b4449
SHA1

8cac9ba608c56a05db3b1f22a92e91291633a80f
SHA256

5395db5ee6c99c19f231a88dbfb6bf73510c4ca908f2e54a673500f67ea7f6b2
SHA512

3e6e62705e59a1c789b4bdf5edc2c421fb3d8f4c30d017633b52a2810c9694af77529bc18279b6e0954578d7519595faed4498e7c8e55ee17726734d2d32afb7
SSDEEP

1536:GDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiV:4iRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1620	omsecor.exe
1740	omsecor.exe
2228	omsecor.exe
1236	omsecor.exe
212	omsecor.exe
5480	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 852	1636	2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe	86
PID 1620 set thread context of 1740	1620	omsecor.exe	91
PID 2228 set thread context of 1236	2228	omsecor.exe	116
PID 212 set thread context of 5480	212	omsecor.exe	120

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3816	1636	WerFault.exe	85
1336	1620	WerFault.exe	88
6140	2228	WerFault.exe	115
4296	212	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 852	1636	2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe	86
PID 1636 wrote to memory of 852	1636	2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe	86
PID 1636 wrote to memory of 852	1636	2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe	86
PID 1636 wrote to memory of 852	1636	2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe	86
PID 1636 wrote to memory of 852	1636	2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe	86
PID 852 wrote to memory of 1620	852	2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe	88
PID 852 wrote to memory of 1620	852	2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe	88
PID 852 wrote to memory of 1620	852	2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe	88
PID 1620 wrote to memory of 1740	1620	omsecor.exe	91
PID 1620 wrote to memory of 1740	1620	omsecor.exe	91
PID 1620 wrote to memory of 1740	1620	omsecor.exe	91
PID 1620 wrote to memory of 1740	1620	omsecor.exe	91
PID 1620 wrote to memory of 1740	1620	omsecor.exe	91
PID 1740 wrote to memory of 2228	1740	omsecor.exe	115
PID 1740 wrote to memory of 2228	1740	omsecor.exe	115
PID 1740 wrote to memory of 2228	1740	omsecor.exe	115
PID 2228 wrote to memory of 1236	2228	omsecor.exe	116
PID 2228 wrote to memory of 1236	2228	omsecor.exe	116
PID 2228 wrote to memory of 1236	2228	omsecor.exe	116
PID 2228 wrote to memory of 1236	2228	omsecor.exe	116
PID 2228 wrote to memory of 1236	2228	omsecor.exe	116
PID 1236 wrote to memory of 212	1236	omsecor.exe	118
PID 1236 wrote to memory of 212	1236	omsecor.exe	118
PID 1236 wrote to memory of 212	1236	omsecor.exe	118
PID 212 wrote to memory of 5480	212	omsecor.exe	120
PID 212 wrote to memory of 5480	212	omsecor.exe	120
PID 212 wrote to memory of 5480	212	omsecor.exe	120
PID 212 wrote to memory of 5480	212	omsecor.exe	120
PID 212 wrote to memory of 5480	212	omsecor.exe	120

C:\Users\Admin\AppData\Local\Temp\2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_f44a9d1fee0acdd0b45f6954374b4449_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 268
        8⤵
        Program crash
        
        PID:4296
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 296
        6⤵
        Program crash
        
        PID:6140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 288
      4⤵
      Program crash
      PID:1336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 288
  2⤵
  - Program crash
  PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1636 -ip 1636
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1620 -ip 1620
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2228 -ip 2228
1⤵
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 212 -ip 212
1⤵
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
e1072766ac89168310ff7b14e8f36711

SHA1
a6bf91749d52ecadfc9996d6f2cc8e97fd10d8a7

SHA256
004ca9d5c74d9ccfcc63509e6440812d777e50ebe2c90d819df547479e87a73c

SHA512
f07e0494d9477890300b3b5aea2b6d2408973764f0de6f6dcbc6b35dd0ea740ba4fda614f1cbfa322f92062f47096c11a913e495d740719d2ee4b3f4c73fdfa0

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
c7f10c3d094c17913f9bec9d19b4a52d

SHA1
4efe80226e7e15308df4fb25e8788e89cb55d9c4

SHA256
c570befd4185b91701585855ec587ff75b6aadba349e9aa5ae068a494a83c42a

SHA512
9b45ed46ec90354064b4d4f556b1b19d4ce52c4738d3d6fa26ced385fffbae2465ea7133b2173b22cd641443af7b510107d05b8d8cd6a2236a0e0cfa645ae7cb

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
8dccdbd5b42d49750991ed095f6f5ce2

SHA1
eb32d6c854ef0b6306af63279c2d3b7416fca7c1

SHA256
3c7c5823ba526aa5e07808f1c23da0f208b82f2e5ffd851c1bc144553a29c802

SHA512
aaa79f5b89080fd118003c7119d33490ac0f44745cf5a5c67ecbdc0c8c13bb3f116e70419969c9eddda6e487ff8c591a84b17692cdbd1176f1a4821b1e88c72b

Download Submit
memory/212-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/852-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/852-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/852-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/852-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1236-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1236-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1236-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1620-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1620-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1636-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1636-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1740-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1740-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1740-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1740-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1740-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1740-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2228-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2228-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5480-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5480-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5480-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5480-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download