Overview

overview

10

Static

static

3

2025-04-06...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/04/2025, 09:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-06_af30f58b786b4b55b245824ea3353abb_amadey_rhadamanthys_smoke-loader.exe

  • Size

    134KB

  • MD5

    af30f58b786b4b55b245824ea3353abb

  • SHA1

    bbfe18140fb6f501c9271cc7afc26ed552f33829

  • SHA256

    961fb0e0fe09aa12127308ae110d1aeb6c94cc94f8a2ab266ef2759c327c1e24

  • SHA512

    2fccdd06225224d1308ea56537e06013c09cf7e4d653192c4595679bf6da1e6d914a25f3cbb8737b288a39c43e598499eaeaa50d9764080f77eaa67198ae9425

  • SSDEEP

    1536:iDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiP:UiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-06_af30f58b786b4b55b245824ea3353abb_amadey_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-06_af30f58b786b4b55b245824ea3353abb_amadey_rhadamanthys_smoke-loader.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Users\Admin\AppData\Local\Temp\2025-04-06_af30f58b786b4b55b245824ea3353abb_amadey_rhadamanthys_smoke-loader.exe
      C:\Users\Admin\AppData\Local\Temp\2025-04-06_af30f58b786b4b55b245824ea3353abb_amadey_rhadamanthys_smoke-loader.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5456
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:460
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3144
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:5084
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:6076
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 256
                  8⤵
                  • Program crash
                  PID:224
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 292
              6⤵
              • Program crash
              PID:4076
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 284
          4⤵
          • Program crash
          PID:1620
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 288
      2⤵
      • Program crash
      PID:2160
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3912 -ip 3912
    1⤵
      PID:3960
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2500 -ip 2500
      1⤵
        PID:5976
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 460 -ip 460
        1⤵
          PID:5548
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5084 -ip 5084
          1⤵
            PID:2044

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            134KB

            MD5

            4532472265e617d0d7065298d9b2c7d2

            SHA1

            0aa7532c521d14dd09d17b28506558dfc066d75a

            SHA256

            5d9ff92c6a4b109303a640193e64aab6dde0f9faf6d7552658bf8d9693667e01

            SHA512

            d02187ccfc02a25e212876d38113404f2a45acc4b332e3081df48cba311aa4627b02cb8b0b1dc6a00003a1a78f631b42e00acc4f866eaed9ddc60349b9899413

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            134KB

            MD5

            52adebc7a8f20b0e84374456029f86db

            SHA1

            814a11afff672ebdb2dbccc739b0c6ea2f51a6fa

            SHA256

            c40f1cb26585a75397b30ac5bc0cf7f66f1901280697bad0b7d34dbda958ac79

            SHA512

            e64bc3c2a95215566643697ec1dffaf6a0f439f96059b16634652edfaa552dd09fa893f09e89e196daae5fbbc58e96491b69d4db421ed1702f3ee331b3890f19

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            134KB

            MD5

            f0d9660c9ddd77b81326efa4d903f130

            SHA1

            fee8b5eb993f9d01a97d5ecd3f4ca81e62c22dea

            SHA256

            0b6a50ca36a252d33e7b07a104befbc7abeacf03992e996e040f873328af0984

            SHA512

            60d28774711589a7bec60bcb4585fca706361c56a6c9300c683b44818ce87fbcce5c83e4583e7ff569e4e61c592c238d531af29fb01a04bf04537b9fa1f810aa

            Download Submit

          • memory/460-51-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/460-34-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2500-16-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2500-10-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2600-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2600-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2600-19-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2600-22-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2600-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2600-33-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2600-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3144-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3144-42-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3144-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3912-17-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/3912-0-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/5084-45-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/5456-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5456-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5456-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5456-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/6076-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/6076-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/6076-52-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/6076-55-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download