neconyd | 6fc37a910c589582d32cd787a7905ff2a31ec517539ff265b72c799fd0fd6ffc

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

8d433f1e756378d2b2c47f9619bcdd14
SHA1

da7c2f85f5f3d2ae3ed6c95bda68af7697c027de
SHA256

6fc37a910c589582d32cd787a7905ff2a31ec517539ff265b72c799fd0fd6ffc
SHA512

d4592cdafb5cf5108cb6d25437776c1d7c8638d7ec98d43ddbf39f85c2d421cc24968854597591eeaf37976193256dca999218d2901b6d5d7580308551192d4b
SSDEEP

1536:QDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:GiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
6052	omsecor.exe
5312	omsecor.exe
2132	omsecor.exe
1284	omsecor.exe
3532	omsecor.exe
6064	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2752 set thread context of 6096	2752	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	85
PID 6052 set thread context of 5312	6052	omsecor.exe	90
PID 2132 set thread context of 1284	2132	omsecor.exe	115
PID 3532 set thread context of 6064	3532	omsecor.exe	119

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3348	2752	WerFault.exe	84
6116	6052	WerFault.exe	87
4392	2132	WerFault.exe	114
3400	3532	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 6096	2752	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	85
PID 2752 wrote to memory of 6096	2752	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	85
PID 2752 wrote to memory of 6096	2752	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	85
PID 2752 wrote to memory of 6096	2752	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	85
PID 2752 wrote to memory of 6096	2752	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	85
PID 6096 wrote to memory of 6052	6096	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	87
PID 6096 wrote to memory of 6052	6096	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	87
PID 6096 wrote to memory of 6052	6096	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	87
PID 6052 wrote to memory of 5312	6052	omsecor.exe	90
PID 6052 wrote to memory of 5312	6052	omsecor.exe	90
PID 6052 wrote to memory of 5312	6052	omsecor.exe	90
PID 6052 wrote to memory of 5312	6052	omsecor.exe	90
PID 6052 wrote to memory of 5312	6052	omsecor.exe	90
PID 5312 wrote to memory of 2132	5312	omsecor.exe	114
PID 5312 wrote to memory of 2132	5312	omsecor.exe	114
PID 5312 wrote to memory of 2132	5312	omsecor.exe	114
PID 2132 wrote to memory of 1284	2132	omsecor.exe	115
PID 2132 wrote to memory of 1284	2132	omsecor.exe	115
PID 2132 wrote to memory of 1284	2132	omsecor.exe	115
PID 2132 wrote to memory of 1284	2132	omsecor.exe	115
PID 2132 wrote to memory of 1284	2132	omsecor.exe	115
PID 1284 wrote to memory of 3532	1284	omsecor.exe	117
PID 1284 wrote to memory of 3532	1284	omsecor.exe	117
PID 1284 wrote to memory of 3532	1284	omsecor.exe	117
PID 3532 wrote to memory of 6064	3532	omsecor.exe	119
PID 3532 wrote to memory of 6064	3532	omsecor.exe	119
PID 3532 wrote to memory of 6064	3532	omsecor.exe	119
PID 3532 wrote to memory of 6064	3532	omsecor.exe	119
PID 3532 wrote to memory of 6064	3532	omsecor.exe	119

C:\Users\Admin\AppData\Local\Temp\2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6096
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:6052
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5312
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2132
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 256
        8⤵
        Program crash
        
        PID:3400
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 292
        6⤵
        Program crash
        
        PID:4392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 300
      4⤵
      Program crash
      PID:6116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 300
  2⤵
  - Program crash
  PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2752 -ip 2752
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6052 -ip 6052
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2132 -ip 2132
1⤵
PID:6072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3532 -ip 3532
1⤵
PID:184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
3f1823369bf99ccbf3f0fd8f94b5bb8e

SHA1
99cb8ca9cf6b137fb62bac0d925e185079e3ab1f

SHA256
40bf953eecbbe383da1d71172f48704fc142b85cfef3200dc9f9a91c26120777

SHA512
20adef4e2dea863dae188e802087878f8fb64e63b647e612943230c762a641edccbc14fbba4cfe5879e9168fefb1b811153aeb24834ab3cc7f1172c9b7b0ce96

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
e2f48b40b571bb4102ee11e781103be7

SHA1
8656c26788f5be9a0107734d49302ab309f61853

SHA256
84d600d6f5751a782b0eafb06b966a7678dede585bb805ec2ff5a11c123226b2

SHA512
b6b785ccdcf3457297e629b0fa3ba408624e6e702f9198204778cd85cfd3a11c44deaffce71082d07e8a23dd33e1d2c81cf6e7675569530a97978c2030723563

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
3cbae4d8f8d875ce59063f215493268e

SHA1
0452a87d08eabe30a6db61389575031efb98b342

SHA256
9c3204034583da0142fbba37b929c67198f3bc32e28edf6d34fe4d4259ec27d3

SHA512
52e77f8a3b2200c188dc40dca37b2560b2e218c0998e801454c264ee11a2bfa54255579c1a1d5b1af59749bc9bc3f61591ee08b4d2b90f5b0f5d7d2427cba11d

Download Submit
memory/1284-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1284-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1284-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2752-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2752-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3532-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5312-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5312-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5312-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5312-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5312-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5312-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5312-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6052-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/6064-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6064-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6064-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6064-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6096-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6096-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6096-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6096-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download