neconyd | 6fc37a910c589582d32cd787a7905ff2a31ec517539ff265b72c799fd0fd6ffc

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

8d433f1e756378d2b2c47f9619bcdd14
SHA1

da7c2f85f5f3d2ae3ed6c95bda68af7697c027de
SHA256

6fc37a910c589582d32cd787a7905ff2a31ec517539ff265b72c799fd0fd6ffc
SHA512

d4592cdafb5cf5108cb6d25437776c1d7c8638d7ec98d43ddbf39f85c2d421cc24968854597591eeaf37976193256dca999218d2901b6d5d7580308551192d4b
SSDEEP

1536:QDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:GiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4248	omsecor.exe
1148	omsecor.exe
2344	omsecor.exe
2284	omsecor.exe
3272	omsecor.exe
6012	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1340 set thread context of 232	1340	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	85
PID 4248 set thread context of 1148	4248	omsecor.exe	90
PID 2344 set thread context of 2284	2344	omsecor.exe	116
PID 3272 set thread context of 6012	3272	omsecor.exe	120

Program crash 4 IoCs

pid	pid_target	Process	procid_target
6012	1340	WerFault.exe	84
5392	4248	WerFault.exe	87
4248	2344	WerFault.exe	115
2668	3272	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 232	1340	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	85
PID 1340 wrote to memory of 232	1340	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	85
PID 1340 wrote to memory of 232	1340	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	85
PID 1340 wrote to memory of 232	1340	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	85
PID 1340 wrote to memory of 232	1340	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	85
PID 232 wrote to memory of 4248	232	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	87
PID 232 wrote to memory of 4248	232	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	87
PID 232 wrote to memory of 4248	232	2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe	87
PID 4248 wrote to memory of 1148	4248	omsecor.exe	90
PID 4248 wrote to memory of 1148	4248	omsecor.exe	90
PID 4248 wrote to memory of 1148	4248	omsecor.exe	90
PID 4248 wrote to memory of 1148	4248	omsecor.exe	90
PID 4248 wrote to memory of 1148	4248	omsecor.exe	90
PID 1148 wrote to memory of 2344	1148	omsecor.exe	115
PID 1148 wrote to memory of 2344	1148	omsecor.exe	115
PID 1148 wrote to memory of 2344	1148	omsecor.exe	115
PID 2344 wrote to memory of 2284	2344	omsecor.exe	116
PID 2344 wrote to memory of 2284	2344	omsecor.exe	116
PID 2344 wrote to memory of 2284	2344	omsecor.exe	116
PID 2344 wrote to memory of 2284	2344	omsecor.exe	116
PID 2344 wrote to memory of 2284	2344	omsecor.exe	116
PID 2284 wrote to memory of 3272	2284	omsecor.exe	118
PID 2284 wrote to memory of 3272	2284	omsecor.exe	118
PID 2284 wrote to memory of 3272	2284	omsecor.exe	118
PID 3272 wrote to memory of 6012	3272	omsecor.exe	120
PID 3272 wrote to memory of 6012	3272	omsecor.exe	120
PID 3272 wrote to memory of 6012	3272	omsecor.exe	120
PID 3272 wrote to memory of 6012	3272	omsecor.exe	120
PID 3272 wrote to memory of 6012	3272	omsecor.exe	120

C:\Users\Admin\AppData\Local\Temp\2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_8d433f1e756378d2b2c47f9619bcdd14_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 256
        8⤵
        Program crash
        
        PID:2668
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 292
        6⤵
        Program crash
        
        PID:4248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 300
      4⤵
      Program crash
      PID:5392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 288
  2⤵
  - Program crash
  PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1340 -ip 1340
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4248 -ip 4248
1⤵
PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2344 -ip 2344
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3272 -ip 3272
1⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
862d86e9e0768e798e889bb37d646269

SHA1
7984f56d3fd3077b0f37cc29cd85a7768cc8e880

SHA256
7cd553446fbc9505f3b104e173a646536c44e7eeab45acfecadd17c72665f832

SHA512
6cdb804a41a27ec51c9621f3b9ac4e2ac9ae7a45e42d5be868051522cb3550e26ea5e0a0f6f1fc9c498d614bc89db2feb88252784baa2bfad9543980a2468d44

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
e2f48b40b571bb4102ee11e781103be7

SHA1
8656c26788f5be9a0107734d49302ab309f61853

SHA256
84d600d6f5751a782b0eafb06b966a7678dede585bb805ec2ff5a11c123226b2

SHA512
b6b785ccdcf3457297e629b0fa3ba408624e6e702f9198204778cd85cfd3a11c44deaffce71082d07e8a23dd33e1d2c81cf6e7675569530a97978c2030723563

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
f5d08cda26cf17a8ebf95744746f5580

SHA1
f801a94ca57aede9f895899f6315132e2ff0917e

SHA256
395402ade6d8bd2cec3cd56436dcd598b09d9b7177a2ecdc238e512e581344ce

SHA512
9f1a8e23e619e2e185a02f1c1cd59ce29dab24015df9fbe3adc006b32f6ab9fe087044012ce3a3ff2df4f8786dd8d9c8cce02ad276d1f2313cd39417ea4d2027

Download Submit
memory/232-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/232-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/232-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/232-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1148-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1340-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1340-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2284-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2284-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2284-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2344-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2344-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3272-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4248-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/6012-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6012-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6012-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6012-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download