Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
06/04/2025, 18:12
General
-
Target
2025-04-06_41528258392f55d7580451a0f4f2b5d3_amadey_rhadamanthys_smoke-loader.exe
-
Size
134KB
-
MD5
41528258392f55d7580451a0f4f2b5d3
-
SHA1
7f8a99facb60c29af631d9648f9f9aa48a5b79c6
-
SHA256
359a1786786b8e0b08c9c52666c51d7198880cfd8d43818d3a1a4e96bdcce8b9
-
SHA512
f33d086aeb53ab770a30535dfaa9feb056c99583e055e6670a282586f932aaa863d1579e53bd4a99c23d744eb335faa0416cbdf9a6994b41a5b59d7286379d98
-
SSDEEP
1536:EDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:aiRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-06_41528258392f55d7580451a0f4f2b5d3_amadey_rhadamanthys_smoke-loader.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-06_41528258392f55d7580451a0f4f2b5d3_amadey_rhadamanthys_smoke-loader.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2025-04-06_41528258392f55d7580451a0f4f2b5d3_amadey_rhadamanthys_smoke-loader.exeC:\Users\Admin\AppData\Local\Temp\2025-04-06_41528258392f55d7580451a0f4f2b5d3_amadey_rhadamanthys_smoke-loader.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 2688⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 2926⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 2884⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 2882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1188 -ip 11881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3388 -ip 33881⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe be7269c89b78be457aff0b5ad2074f8e xZDhZDmZw0GylCk5MS7/YQ.0.1.0.0.01⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2636 -ip 26361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1196 -ip 11961⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
134KB
MD5629f860fd54f4a28de6803a93016f5a3
SHA10c2ac2af1b9a387f441fa78a55c385b582896d40
SHA256d6da7a62acd00ea140a643cf32fa76d185a3e431312e001e77f0d7fe882d3d91
SHA51267475d9f8d3c1302556d6424bc9eda7476c0d3550e17e3888ff71fd335fb03fde6bcb656e453518d56ffb1a39f79aca32d5ff6be22354b1a1bba825429879e83
-
Filesize
134KB
MD5e2e569327f5a5b67738d50879df035d1
SHA10dffa377658c659ebaf1f091a11560b1b7f386e7
SHA2560caded1c05101a361a9008ffa07b420cc70a2f3eefdb0c3c7483693c011074db
SHA51206f9a982a86ffd881f19487eb20a88d07397449c887feb9cbaaa615322501c88f16508d4d8398d09ef9e8cecad7c320b70fad293632efaefdc18b1551c66780c
-
Filesize
134KB
MD5a0d26c479579e7512e0c9dba8b057368
SHA14feca38f396652f3ba96074a604cc06a37f6e55e
SHA2565db15c4284a73bbee6cca03085a87b02bc7377fc92bf11bf52710bc4b856afcd
SHA512bd99753c02187b2dd380026f51a0a98136a9f48960a927a9a99acd6d101ed6ee247eb74c822dfa7150d0d451aa2032a9b34d2aa5226948878dc6a9d333067000
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB