Malware Analysis Report

2025-08-10 19:49

Sample ID 250702-xjrl9ahr9y
Target 2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop
SHA256 a3bf4cf6ec4bb929e2bf912297091590528f1e3e902c3f92e51c84d86b87e11f
Tags: neconyd discovery trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: a3bf4cf6ec4bb929e2bf912297091590528f1e3e902c3f92e51c84d86b87e11f

Threat Level: Known bad

The file 2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd

Neconyd family

Executes dropped EXE

Suspicious use of SetThreadContext

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-07-02 18:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-07-02 18:53

Reported: 2025-07-02 18:55

Platform: win10v2004-20250502-en

Max time kernel: 144s

Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe"

Signatures

Neconyd

trojan neconyd

Neconyd family

neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 4192 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 4192 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 4192 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 4192 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 2012 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2012 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2012 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5568 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5568 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5568 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5568 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5568 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1004 wrote to memory of 5212 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1004 wrote to memory of 5212 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1004 wrote to memory of 5212 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 5212 wrote to memory of 2072 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 5212 wrote to memory of 2072 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 5212 wrote to memory of 2072 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 5212 wrote to memory of 2072 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 5212 wrote to memory of 2072 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2072 wrote to memory of 416 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2072 wrote to memory of 416 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2072 wrote to memory of 416 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 416 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 416 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 416 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 416 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 416 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe"

C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe

C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4192 -ip 4192

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 300

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5568 -ip 5568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5568 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5212 -ip 5212

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 296

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 256

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.27.79.221:80 ow5dirasuek.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/4192-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2012-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2012-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2012-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2012-5-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 179957c6bfccc73770a52a21399c337e
SHA1 52df2802e321e70e989b18d3b3936ce31b817f99
SHA256 0a84a09560c736b14cb45df6cd50caa8e8fd72d4c5f6af0f21bb6f9656c3e41b
SHA512 94930e72686a97aef3fa8dd3a6f378fc563dc85723b3b491675eefa12992472c41278ae5d53c516ac179551fd814225929bc4f2b7a5360f0fcef7976e0f849fd

memory/5568-8-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1004-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1004-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5568-16-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4192-17-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1004-19-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1004-22-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1004-25-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1004-26-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 09c2595d4470688cb49a722a3c7471cf
SHA1 363278cfc04572b8ac128adf8e8b57a9d04f04f9
SHA256 696dbdd03e9c578b8bf0302c6d62f1a0975782a959b3f0a76ff33ec17aaed008
SHA512 cff067d0142a94ea881c4682445e6e98502e4839c027484179e3467486729092cf071b3db38e507e6f887a279a9b2374b6bf636052953bc09e49167318365b11

memory/1004-32-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5212-34-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 85b289cf20556559517ea08034e29b89
SHA1 0ed0631fe99bd5c1745a62a271193e66bcab47f8
SHA256 f00d44edb72776216aa169bbcc638f9ffe9d5805db3ea230e40dcc2342603820
SHA512 6537e0216cc7181e7fa15a4e58fa3472055844f5cd8da02638055d6e7cc083197b4bed6e1638baf1ecd1bc01bfaed266ad1f2890c40a2bfbc5701360ec052e16

memory/416-46-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2072-43-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2072-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2072-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1000-50-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1000-51-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5212-52-0x0000000000400000-0x0000000000424000-memory.dmp

memory/416-53-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1000-54-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1000-57-0x0000000000400000-0x0000000000429000-memory.dmp