neconyd | 059e888a0abce531b85301c90e877c1db5427892182a9190e7b824cf04f13983

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

2f505bcd8b65e35ea4aa9bc878b4c1f9
SHA1

eb3d50efe653e1bb9c0a7a7e606be7b35840b80c
SHA256

059e888a0abce531b85301c90e877c1db5427892182a9190e7b824cf04f13983
SHA512

577295f1bf0306de7b839845563cf4959e1dcc53899551ed4c34403e8ce4af1a288c065ba44ea640c61d0c23e5dbec12b37a99cf80df68318cf479de38186aa8
SSDEEP

1536:5DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCil:piRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
6072	omsecor.exe
1164	omsecor.exe
2344	omsecor.exe
3972	omsecor.exe
3688	omsecor.exe
5184	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 1924	2464	2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe	86
PID 6072 set thread context of 1164	6072	omsecor.exe	90
PID 2344 set thread context of 3972	2344	omsecor.exe	115
PID 3688 set thread context of 5184	3688	omsecor.exe	119

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2272	2464	WerFault.exe	85
5728	6072	WerFault.exe	89
384	2344	WerFault.exe	114
5444	3688	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1924	2464	2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe	86
PID 2464 wrote to memory of 1924	2464	2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe	86
PID 2464 wrote to memory of 1924	2464	2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe	86
PID 2464 wrote to memory of 1924	2464	2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe	86
PID 2464 wrote to memory of 1924	2464	2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe	86
PID 1924 wrote to memory of 6072	1924	2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe	89
PID 1924 wrote to memory of 6072	1924	2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe	89
PID 1924 wrote to memory of 6072	1924	2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe	89
PID 6072 wrote to memory of 1164	6072	omsecor.exe	90
PID 6072 wrote to memory of 1164	6072	omsecor.exe	90
PID 6072 wrote to memory of 1164	6072	omsecor.exe	90
PID 6072 wrote to memory of 1164	6072	omsecor.exe	90
PID 6072 wrote to memory of 1164	6072	omsecor.exe	90
PID 1164 wrote to memory of 2344	1164	omsecor.exe	114
PID 1164 wrote to memory of 2344	1164	omsecor.exe	114
PID 1164 wrote to memory of 2344	1164	omsecor.exe	114
PID 2344 wrote to memory of 3972	2344	omsecor.exe	115
PID 2344 wrote to memory of 3972	2344	omsecor.exe	115
PID 2344 wrote to memory of 3972	2344	omsecor.exe	115
PID 2344 wrote to memory of 3972	2344	omsecor.exe	115
PID 2344 wrote to memory of 3972	2344	omsecor.exe	115
PID 3972 wrote to memory of 3688	3972	omsecor.exe	117
PID 3972 wrote to memory of 3688	3972	omsecor.exe	117
PID 3972 wrote to memory of 3688	3972	omsecor.exe	117
PID 3688 wrote to memory of 5184	3688	omsecor.exe	119
PID 3688 wrote to memory of 5184	3688	omsecor.exe	119
PID 3688 wrote to memory of 5184	3688	omsecor.exe	119
PID 3688 wrote to memory of 5184	3688	omsecor.exe	119
PID 3688 wrote to memory of 5184	3688	omsecor.exe	119

C:\Users\Admin\AppData\Local\Temp\2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_2f505bcd8b65e35ea4aa9bc878b4c1f9_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:6072
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 268
        8⤵
        Program crash
        
        PID:5444
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 292
        6⤵
        Program crash
        
        PID:384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 288
      4⤵
      Program crash
      PID:5728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 288
  2⤵
  - Program crash
  PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2464 -ip 2464
1⤵
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6072 -ip 6072
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2344 -ip 2344
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3688 -ip 3688
1⤵
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
e79b2a696288d96bd7c02078b2c213e0

SHA1
414c2bb43eeaa75a28b020842f810c19ae7d0bea

SHA256
d383a51900030f553c408a1cb3cf02f7790374928a8515cb91a03303edfef208

SHA512
febef1f92f815f284c7c59f96f6751017258f3a4a5d8717984f68139f9c7ce252491a5d43a07847b89e8298976d21490a4f5bb7f6c03df16d38edeea5bf398e3

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
57e076b7bb1284c6f66af546793804f0

SHA1
b65210be4f882fbd5132b8b52177eb3ba2d28e8d

SHA256
b717c0a2e0ee891a6c9e91b776eb3b24e4a90eae27303173655dc35ec9a3a358

SHA512
40996495d65f41f03d98f410414997387c508edeab9fa2cd3cd6ca1c5e35424820d391be30afef8aeb20f5902d798bb36732afa8401873852d10a16ed8db874d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
981893af83eb4947dc6c69a534ccbc77

SHA1
f16226f3e70ca5725780d0539a39d45277812953

SHA256
5aaad59ad7e1b42f0f1ecfdcf851b8ce57c5a14de4aa564f2c95c1cba90a75f9

SHA512
0d95b69d4c8b801bc226fc18862fe51f2e35eda56f33e7924cec738e1a57f9db3ffb3af45b5cb087c06e9bd56f0cb82a477ff979fdeb023ac68607f5da79862e

Download Submit
memory/1164-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1164-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1164-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1164-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1164-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1164-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1164-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1924-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1924-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1924-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1924-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2344-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2344-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2464-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2464-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3688-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3688-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3972-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3972-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3972-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5184-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5184-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5184-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5184-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6072-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/6072-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download