Overview

overview

10

Static

static

3

2025-04-06...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/04/2025, 08:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-06_a68e7eb94cc9de700743fc84a9c6c688_amadey_rhadamanthys_smoke-loader.exe

  • Size

    134KB

  • MD5

    a68e7eb94cc9de700743fc84a9c6c688

  • SHA1

    0514d33b2fe7dd8038b285c38ea65b56753f78e6

  • SHA256

    fa3247474797263213937c159008a160cfda3326bcd57d8fea2ff13121db9085

  • SHA512

    1db66903e2d2b7b813dc3e6e9842b00f01d385120d584b4bd3416322dbc167479622eb195309b32bf8d40e89fbefaab594da321387924b904f35c08fd8fd285c

  • SSDEEP

    1536:sDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi3:SiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-06_a68e7eb94cc9de700743fc84a9c6c688_amadey_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-06_a68e7eb94cc9de700743fc84a9c6c688_amadey_rhadamanthys_smoke-loader.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5264
    • C:\Users\Admin\AppData\Local\Temp\2025-04-06_a68e7eb94cc9de700743fc84a9c6c688_amadey_rhadamanthys_smoke-loader.exe
      C:\Users\Admin\AppData\Local\Temp\2025-04-06_a68e7eb94cc9de700743fc84a9c6c688_amadey_rhadamanthys_smoke-loader.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5904
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5044
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1880
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5920
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1576
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:540
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4272
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 260
                  8⤵
                  • Program crash
                  PID:1540
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 292
              6⤵
              • Program crash
              PID:4560
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 288
          4⤵
          • Program crash
          PID:208
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 292
      2⤵
      • Program crash
      PID:5032
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5264 -ip 5264
    1⤵
      PID:3968
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5044 -ip 5044
      1⤵
        PID:2892
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5920 -ip 5920
        1⤵
          PID:736
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 540 -ip 540
          1⤵
            PID:1484

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            134KB

            MD5

            26c97fac693b64e880941c516ebb2400

            SHA1

            668a7a57b12b48ecc1e4b316ec4435d05154da57

            SHA256

            613f68a7e1c0787e85cb03ac298818a3c1363018d9af5e24737e5c3003b3fbc7

            SHA512

            18edd2237e3fb12438d66f85ddb6b8bf454cfe8166a00beb55fe889d1881f18be40d97dce2a52540cce2d981e8e8ef80593fa50c2ef62ce5140035de073f059b

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            134KB

            MD5

            ed2af1bc1226f28bb6a8626602635153

            SHA1

            0ec8287ebb6a072487bec9974dfc17f3886d44e0

            SHA256

            7d232dfd9429717d046a2a8d7040fddf5154949c54dab2423ca8699b71356f58

            SHA512

            b074249ab17f183976d8da9a2961a12bf77a421921fc09aafd96435552fa8fa64cf9ca1a8aa05df42a1b1e205a63be2e51b103ebb6737b696a9248d3f0e723e3

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            134KB

            MD5

            74ff2b924be0e21c51ded903eca5c68c

            SHA1

            f9e9ee2459b67b1d934d9f1ef0cca69539d2ab16

            SHA256

            77db53e673446775450ffdfdb0a19dcbb7401fc41862687a40670a421088fc9e

            SHA512

            503bb2b4081a61996c8c9e1efbb565b96cfea58565654ffd81a466bfc38fb6d10a8dd68b402b444cbe759cfe8ddb0cdb45768a1ecf32bb9f34a798faf2784832

            Download Submit

          • memory/540-50-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/540-43-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/1576-41-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1576-35-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1576-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1880-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1880-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1880-29-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1880-18-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1880-21-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1880-24-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1880-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4272-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4272-47-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4272-54-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4272-51-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5044-8-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/5044-16-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/5264-17-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/5264-0-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/5904-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5904-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5904-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5904-11-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5920-30-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/5920-49-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download