neconyd | 790ff25a1355baef620be4ed71bb45a8e63b7aa47cbbdfc1164e7cec4df90f5a

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2025, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

0a37379bd997f4ce2eb048b33b7d9c2c
SHA1

72656439ecc5a1d96756d3553d7b427a7a13961d
SHA256

790ff25a1355baef620be4ed71bb45a8e63b7aa47cbbdfc1164e7cec4df90f5a
SHA512

6c5eab1cdf6f55d35d8c4df5d5c46e6876e4370b1631968c5725766d7bf0a41d452d10804a6c81781b5981247598c0cfea795981e5c3f2e4e703bf9f3d3ee786
SSDEEP

1536:ADfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiX:2iRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2864	omsecor.exe
5868	omsecor.exe
3680	omsecor.exe
3692	omsecor.exe
5632	omsecor.exe
3972	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5180 set thread context of 3144	5180	2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 2864 set thread context of 5868	2864	omsecor.exe	91
PID 3680 set thread context of 3692	3680	omsecor.exe	117
PID 5632 set thread context of 3972	5632	omsecor.exe	121

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3972	5180	WerFault.exe	85
5404	2864	WerFault.exe	89
5096	3680	WerFault.exe	116
1644	5632	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5180 wrote to memory of 3144	5180	2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 5180 wrote to memory of 3144	5180	2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 5180 wrote to memory of 3144	5180	2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 5180 wrote to memory of 3144	5180	2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 5180 wrote to memory of 3144	5180	2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 3144 wrote to memory of 2864	3144	2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe	89
PID 3144 wrote to memory of 2864	3144	2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe	89
PID 3144 wrote to memory of 2864	3144	2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe	89
PID 2864 wrote to memory of 5868	2864	omsecor.exe	91
PID 2864 wrote to memory of 5868	2864	omsecor.exe	91
PID 2864 wrote to memory of 5868	2864	omsecor.exe	91
PID 2864 wrote to memory of 5868	2864	omsecor.exe	91
PID 2864 wrote to memory of 5868	2864	omsecor.exe	91
PID 5868 wrote to memory of 3680	5868	omsecor.exe	116
PID 5868 wrote to memory of 3680	5868	omsecor.exe	116
PID 5868 wrote to memory of 3680	5868	omsecor.exe	116
PID 3680 wrote to memory of 3692	3680	omsecor.exe	117
PID 3680 wrote to memory of 3692	3680	omsecor.exe	117
PID 3680 wrote to memory of 3692	3680	omsecor.exe	117
PID 3680 wrote to memory of 3692	3680	omsecor.exe	117
PID 3680 wrote to memory of 3692	3680	omsecor.exe	117
PID 3692 wrote to memory of 5632	3692	omsecor.exe	119
PID 3692 wrote to memory of 5632	3692	omsecor.exe	119
PID 3692 wrote to memory of 5632	3692	omsecor.exe	119
PID 5632 wrote to memory of 3972	5632	omsecor.exe	121
PID 5632 wrote to memory of 3972	5632	omsecor.exe	121
PID 5632 wrote to memory of 3972	5632	omsecor.exe	121
PID 5632 wrote to memory of 3972	5632	omsecor.exe	121
PID 5632 wrote to memory of 3972	5632	omsecor.exe	121

C:\Users\Admin\AppData\Local\Temp\2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5180
- C:\Users\Admin\AppData\Local\Temp\2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-12_0a37379bd997f4ce2eb048b33b7d9c2c_amadey_elex_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5868
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3680
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5632
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 256
        8⤵
        Program crash
        
        PID:1644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 292
        6⤵
        Program crash
        
        PID:5096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 288
      4⤵
      Program crash
      PID:5404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 288
  2⤵
  - Program crash
  PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5180 -ip 5180
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2864 -ip 2864
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3680 -ip 3680
1⤵
PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5632 -ip 5632
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
43b9c1e1f0c03dd2bf772e62b6291a78

SHA1
4f5247f3700b1e8556157724a5cf2f0ad5678198

SHA256
e27960322c8de3ad87751f49863071b38afbefa44bea7edec315cdae301b8bc3

SHA512
ff8afd7a54b6a3c75201f3a69c362e6d87ee7fd0da2711ca81939d019f09c476a4234cc029dbf7f18fbdfaacf2054b826a923a3685bd3b8b8b27314ce26b823e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
0a9ce8b60a012b17f0c5ccb6adbc2b34

SHA1
0986f84a6d1baf05909097ca12327afe8f01cf56

SHA256
0cd21b7f5733ee75545d3b9725a5819bdf9817e11f092749cc2a03f508708143

SHA512
88e51d13183d745d56f4a15576e4eb0dc7b28424aec25629e43dac702b3cb34ba939a292bd113022c8f0b2f91c327f0b2738ef217091a8d13c850f812ccd89e6

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
b3b50cb22cea9d7c903979d5164fecb6

SHA1
b5e7fed8d45783903d292a52bed1e4d7421eed4a

SHA256
31231469085b8d1108f2d0f4b178d079e7802eb442e0f4d7a812ae5231aee5a2

SHA512
4642277488acff4c5ad4d5d71f972396e3bd5ce7b5d68faa7e6c86e37899000f800463065d17d5b4ed52ebba4024fb28d2207af3e732aad58cde451d46b1e5da

Download Submit
memory/2864-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2864-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3144-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3144-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3144-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3144-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3680-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3692-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3692-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3972-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3972-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3972-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3972-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5180-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5180-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5632-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5868-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5868-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5868-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5868-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5868-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5868-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5868-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download