neconyd | 351a74f471e88e187fa7e93e10de54e6c9d839a19da970b3ef097b86113e2fed

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

554f3d19271ede9e879b46bf17a167ff
SHA1

5804cdc3840e56e588725853a59b1d81ed662834
SHA256

351a74f471e88e187fa7e93e10de54e6c9d839a19da970b3ef097b86113e2fed
SHA512

e6bb1747ae9742ad582c6ed9c2362c730d51fcb168529a1a2b70487c3b365b81f35ac8524d25c871ee7513e50fab46178aa421805a3e96bd92e1ac872cde0b1e
SSDEEP

1536:7DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:3iRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
232	omsecor.exe
2156	omsecor.exe
2056	omsecor.exe
3456	omsecor.exe
5364	omsecor.exe
2096	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4828 set thread context of 2432	4828	2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe	87
PID 232 set thread context of 2156	232	omsecor.exe	91
PID 2056 set thread context of 3456	2056	omsecor.exe	116
PID 5364 set thread context of 2096	5364	omsecor.exe	120

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1644	4828	WerFault.exe	86
220	232	WerFault.exe	89
1012	2056	WerFault.exe	115
2400	5364	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 2432	4828	2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe	87
PID 4828 wrote to memory of 2432	4828	2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe	87
PID 4828 wrote to memory of 2432	4828	2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe	87
PID 4828 wrote to memory of 2432	4828	2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe	87
PID 4828 wrote to memory of 2432	4828	2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe	87
PID 2432 wrote to memory of 232	2432	2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe	89
PID 2432 wrote to memory of 232	2432	2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe	89
PID 2432 wrote to memory of 232	2432	2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe	89
PID 232 wrote to memory of 2156	232	omsecor.exe	91
PID 232 wrote to memory of 2156	232	omsecor.exe	91
PID 232 wrote to memory of 2156	232	omsecor.exe	91
PID 232 wrote to memory of 2156	232	omsecor.exe	91
PID 232 wrote to memory of 2156	232	omsecor.exe	91
PID 2156 wrote to memory of 2056	2156	omsecor.exe	115
PID 2156 wrote to memory of 2056	2156	omsecor.exe	115
PID 2156 wrote to memory of 2056	2156	omsecor.exe	115
PID 2056 wrote to memory of 3456	2056	omsecor.exe	116
PID 2056 wrote to memory of 3456	2056	omsecor.exe	116
PID 2056 wrote to memory of 3456	2056	omsecor.exe	116
PID 2056 wrote to memory of 3456	2056	omsecor.exe	116
PID 2056 wrote to memory of 3456	2056	omsecor.exe	116
PID 3456 wrote to memory of 5364	3456	omsecor.exe	118
PID 3456 wrote to memory of 5364	3456	omsecor.exe	118
PID 3456 wrote to memory of 5364	3456	omsecor.exe	118
PID 5364 wrote to memory of 2096	5364	omsecor.exe	120
PID 5364 wrote to memory of 2096	5364	omsecor.exe	120
PID 5364 wrote to memory of 2096	5364	omsecor.exe	120
PID 5364 wrote to memory of 2096	5364	omsecor.exe	120
PID 5364 wrote to memory of 2096	5364	omsecor.exe	120

C:\Users\Admin\AppData\Local\Temp\2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_554f3d19271ede9e879b46bf17a167ff_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5364
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 268
        8⤵
        Program crash
        
        PID:2400
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 292
        6⤵
        Program crash
        
        PID:1012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 288
      4⤵
      Program crash
      PID:220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 300
  2⤵
  - Program crash
  PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4828 -ip 4828
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 232 -ip 232
1⤵
PID:5428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2056 -ip 2056
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5364 -ip 5364
1⤵
PID:5440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
67fc6c7bba79346d0a6369fbd3d88d6e

SHA1
202f2ecff764dac719e87e180bb29f7e6db9f3c9

SHA256
facd6b9fbdedf264c96621d3393a3b9d2a78823063cbb6cec5d017e0ad74d7dd

SHA512
6114a780f26a21f4ba87a081a2dbcfcc0d2829f8f3a57f2a88c9db440f086c4b1ff4fa61db33a7379732c7fa84879bf7331a7dc6f53f9288b04e26368b4a5afd

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
2b4d4e05296cadf8d071e60b02901955

SHA1
3977004eb75253f02b5d73e2b1653d450fb64b45

SHA256
08df7e06bcc14c53ec5e798dc99e0ee2db619981e9b11e92865017a55fa3357e

SHA512
fd310bcb5df16004dea248d9efd748bd48096f70288bd8dd484d5a0248a15d71b7437536efaa0f065c88f85db18f11d4e0f25c1bd384fa51ad2ea586b05ccfa4

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
d93d97bcbcb5813f8798c47800171b0f

SHA1
349822b3e40b1222fd4289d73e05ac041f1a8c07

SHA256
15b2744d41d966f33dfed670d1e490536f2c863a56a9a0caaa5034299de00751

SHA512
cb5cbaf6741b2930a209f68fda4628ad0cdad6cf9317db2184153a1f2dea70c53f40b7f44e7d4f9d163f33791136a2e76de2af815c28aac922e768fd6d010de5

Download Submit
memory/232-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/232-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2056-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2056-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2096-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2432-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2432-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2432-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2432-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4828-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4828-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5364-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5364-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download