Overview

overview

10

Static

static

3

2025-04-06...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/04/2025, 09:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-06_af30f58b786b4b55b245824ea3353abb_amadey_rhadamanthys_smoke-loader.exe

  • Size

    134KB

  • MD5

    af30f58b786b4b55b245824ea3353abb

  • SHA1

    bbfe18140fb6f501c9271cc7afc26ed552f33829

  • SHA256

    961fb0e0fe09aa12127308ae110d1aeb6c94cc94f8a2ab266ef2759c327c1e24

  • SHA512

    2fccdd06225224d1308ea56537e06013c09cf7e4d653192c4595679bf6da1e6d914a25f3cbb8737b288a39c43e598499eaeaa50d9764080f77eaa67198ae9425

  • SSDEEP

    1536:iDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiP:UiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-06_af30f58b786b4b55b245824ea3353abb_amadey_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-06_af30f58b786b4b55b245824ea3353abb_amadey_rhadamanthys_smoke-loader.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Users\Admin\AppData\Local\Temp\2025-04-06_af30f58b786b4b55b245824ea3353abb_amadey_rhadamanthys_smoke-loader.exe
      C:\Users\Admin\AppData\Local\Temp\2025-04-06_af30f58b786b4b55b245824ea3353abb_amadey_rhadamanthys_smoke-loader.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:6088
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3640
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2384
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4044
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1952
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3676
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4348
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 256
                  8⤵
                  • Program crash
                  PID:6132
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 292
              6⤵
              • Program crash
              PID:1560
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 288
          4⤵
          • Program crash
          PID:3104
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 288
      2⤵
      • Program crash
      PID:2732
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1016 -ip 1016
    1⤵
      PID:1812
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3640 -ip 3640
      1⤵
        PID:2360
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4044 -ip 4044
        1⤵
          PID:2032
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3676 -ip 3676
          1⤵
            PID:3140

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            134KB

            MD5

            73ae38c897592d51ddc356909b0c1c80

            SHA1

            198578c7675af32742bd76bfdec3a74aeeac8298

            SHA256

            d8d9eca1eb0d87c91b73187917d41d668db127659fd7dee654e559f25f94339b

            SHA512

            67242b23a85c0675ba30ad15ce92cd3cafeb9a75c8613f5ead3b95621205ef711288cf8aa59172ed4145bc8625597bf9e3ff169ffd1585711530c13d2fd7fb00

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            134KB

            MD5

            52adebc7a8f20b0e84374456029f86db

            SHA1

            814a11afff672ebdb2dbccc739b0c6ea2f51a6fa

            SHA256

            c40f1cb26585a75397b30ac5bc0cf7f66f1901280697bad0b7d34dbda958ac79

            SHA512

            e64bc3c2a95215566643697ec1dffaf6a0f439f96059b16634652edfaa552dd09fa893f09e89e196daae5fbbc58e96491b69d4db421ed1702f3ee331b3890f19

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            134KB

            MD5

            880c7af210f7a0b24227a667e6413fcc

            SHA1

            af48b79e042beca3953f3b008549e8b566dd645b

            SHA256

            2288df1d26744aadb26b1493c68ee05a83b1f6f17fbeea78afda94a35ff62234

            SHA512

            db88a4fa8f67da9aac2478892979fa2909b4b9ff5436f9b09217ebf5ccb917a7232deb6a20731f6f7c6d55e8ef550510db818645cf1cab2721fa1316abc27016

            Download Submit

          • memory/1016-16-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/1016-0-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/1952-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1952-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1952-35-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2384-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2384-29-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2384-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2384-18-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2384-21-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2384-24-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2384-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3640-8-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/3640-17-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/3676-42-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/4044-30-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/4044-49-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/4348-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4348-53-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4348-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4348-47-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/6088-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/6088-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/6088-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/6088-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download