neconyd | 42d498e51e689744b4a116ca8c1ef64abf9dbc8a03dab9e2f6451a0cdf927d1d

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

07110c5f5539229244022b8504647cae
SHA1

7b4672e82ed80f3baa45347e97e8cec0c09d81ef
SHA256

42d498e51e689744b4a116ca8c1ef64abf9dbc8a03dab9e2f6451a0cdf927d1d
SHA512

8d11e6151194ed88f17befd24f266a243ad3391b75d491125a93fa674b0f9ad6abf3e53f094cfa200d3ff2c8c54b277df23ab8c9855a0026222ade3a05525391
SSDEEP

1536:rDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:niRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
100	omsecor.exe
1600	omsecor.exe
3652	omsecor.exe
4868	omsecor.exe
3384	omsecor.exe
2868	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4780 set thread context of 5040	4780	2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe	86
PID 100 set thread context of 1600	100	omsecor.exe	90
PID 3652 set thread context of 4868	3652	omsecor.exe	116
PID 3384 set thread context of 2868	3384	omsecor.exe	120

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2508	4780	WerFault.exe	85
2500	100	WerFault.exe	89
3696	3652	WerFault.exe	115
2156	3384	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 5040	4780	2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe	86
PID 4780 wrote to memory of 5040	4780	2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe	86
PID 4780 wrote to memory of 5040	4780	2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe	86
PID 4780 wrote to memory of 5040	4780	2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe	86
PID 4780 wrote to memory of 5040	4780	2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe	86
PID 5040 wrote to memory of 100	5040	2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe	89
PID 5040 wrote to memory of 100	5040	2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe	89
PID 5040 wrote to memory of 100	5040	2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe	89
PID 100 wrote to memory of 1600	100	omsecor.exe	90
PID 100 wrote to memory of 1600	100	omsecor.exe	90
PID 100 wrote to memory of 1600	100	omsecor.exe	90
PID 100 wrote to memory of 1600	100	omsecor.exe	90
PID 100 wrote to memory of 1600	100	omsecor.exe	90
PID 1600 wrote to memory of 3652	1600	omsecor.exe	115
PID 1600 wrote to memory of 3652	1600	omsecor.exe	115
PID 1600 wrote to memory of 3652	1600	omsecor.exe	115
PID 3652 wrote to memory of 4868	3652	omsecor.exe	116
PID 3652 wrote to memory of 4868	3652	omsecor.exe	116
PID 3652 wrote to memory of 4868	3652	omsecor.exe	116
PID 3652 wrote to memory of 4868	3652	omsecor.exe	116
PID 3652 wrote to memory of 4868	3652	omsecor.exe	116
PID 4868 wrote to memory of 3384	4868	omsecor.exe	118
PID 4868 wrote to memory of 3384	4868	omsecor.exe	118
PID 4868 wrote to memory of 3384	4868	omsecor.exe	118
PID 3384 wrote to memory of 2868	3384	omsecor.exe	120
PID 3384 wrote to memory of 2868	3384	omsecor.exe	120
PID 3384 wrote to memory of 2868	3384	omsecor.exe	120
PID 3384 wrote to memory of 2868	3384	omsecor.exe	120
PID 3384 wrote to memory of 2868	3384	omsecor.exe	120

C:\Users\Admin\AppData\Local\Temp\2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1600
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 256
        8⤵
        Program crash
        
        PID:2156
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 292
        6⤵
        Program crash
        
        PID:3696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 300
      4⤵
      Program crash
      PID:2500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 300
  2⤵
  - Program crash
  PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4780 -ip 4780
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 100 -ip 100
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3652 -ip 3652
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3384 -ip 3384
1⤵
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
302f424d4578662e7b1f8d7df0a3af9b

SHA1
ff0c8cddf4bd3f64abd578f46a1c0287a9c9612f

SHA256
9c1757f43ebee4978bdb9cab67bf13e37e8fd411cff539032fed96c32adef217

SHA512
5cb56d6ceb62cc12eac94500d0839ef9cde8ea739f6ee5ccea2e8684a7d539d0dcdf2798a9e2ee88d55af4599d473cc02ed84865d7010775292eccb1e18f4b34

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
ab300ce732b6563e158c4d32b8cd5e1a

SHA1
8dadbd6cb88c4f7cc2ad1105feec2a9fd176f34e

SHA256
0b8de4106f2cc5b013ec637962e1cf7f7e259cae2bf25a9a7c87529e5462c7e3

SHA512
dd80f47d34c411c0055e328f30ee4ce1797c15e9d41598b797e72f74d1afb1190a1d24b85f7fa9cf137e7ed38206464bd3532ff9d668e3ea85c20e2efc33163b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
88fc30c94d9dcc5caaf4d4f436f3e08f

SHA1
e9815bac2b5be4b4051c864f658db92fbeac2d27

SHA256
6a8902f97a2d116b45a0d66cbcd300cfecaf55f3c2030e8eb83cfeeafb26b4c9

SHA512
a49cfed6a4925009f68f64d340c9fce5528e5d2979b341fa2a8a56658569c18c28a23f52a01c2d485f2b015cf6c78c260a68ccaa629ce82eb8b011b04ad8cea7

Download Submit
memory/100-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/100-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1600-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3384-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3652-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3652-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4780-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4780-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4868-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4868-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4868-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5040-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5040-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5040-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5040-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download