Overview

overview

10

Static

static

3

2025-04-06...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/04/2025, 19:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-06_926e7027f6180d3610428d298ffda107_amadey_rhadamanthys_smoke-loader.exe

  • Size

    134KB

  • MD5

    926e7027f6180d3610428d298ffda107

  • SHA1

    163a8ae433596911d54ac95d96e0d3124be5c77e

  • SHA256

    bff93a47851d016bbe2fa0e0953640d3cbb9dff7ed6eed29cb38848c87e6793c

  • SHA512

    32be919a7baed025981cc58515d1d0a7af9df9e6b1a4af39a652cf08bb83d8c21e2411d1353d73896426df5f5ee8b0bce316fe9017114617f91fee9bda3b1a4a

  • SSDEEP

    1536:3DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:TiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-06_926e7027f6180d3610428d298ffda107_amadey_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-06_926e7027f6180d3610428d298ffda107_amadey_rhadamanthys_smoke-loader.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Users\Admin\AppData\Local\Temp\2025-04-06_926e7027f6180d3610428d298ffda107_amadey_rhadamanthys_smoke-loader.exe
      C:\Users\Admin\AppData\Local\Temp\2025-04-06_926e7027f6180d3610428d298ffda107_amadey_rhadamanthys_smoke-loader.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3524
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3720
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2168
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4308
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2480
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:5060
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 256
                  8⤵
                  • Program crash
                  PID:1188
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 292
              6⤵
              • Program crash
              PID:2596
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 300
          4⤵
          • Program crash
          PID:100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 300
      2⤵
      • Program crash
      PID:3100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4472 -ip 4472
    1⤵
      PID:1988
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3524 -ip 3524
      1⤵
        PID:3912
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2168 -ip 2168
        1⤵
          PID:4748
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2480 -ip 2480
          1⤵
            PID:924

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            134KB

            MD5

            9e01ad4594bf486d213844287f25f3d7

            SHA1

            978d3a4bed588cbc1a8d152fac80573e7e323ca8

            SHA256

            4554bba8e133423c027e822a5d67e9f62a720e5cab6c1fa9425a117d2ab33cbd

            SHA512

            e1637619dc07fc78054254c7ead88040a649d2d6c7f61f651973cd5cbd9a0909a848d4eff115d5db2f8482462bb873265f1526a6e5a68cf5b5cc6d33690eb10e

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            134KB

            MD5

            1971cc2517f64b7d705a169c821da952

            SHA1

            c4b192b9dc49695f3ffcccc823eb0254b86b7afa

            SHA256

            78614fb5f4bf0c1dba81b53c91cd32e3e64e51b8bad1af9f9920487298dbcfb9

            SHA512

            7925000f9a7cdbb5ed53d9c4c5f6469d1bd5f4ec606b59fa8c174711dad5acbb5bbc26e04b5f15796297fd6bbeba7822782509f9fde5e6c2c7e342797a4cac90

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            134KB

            MD5

            e475ad4682156619de44a4a33b0c200d

            SHA1

            2fda6a34e4c00cb510a7aeae045c0b2e72e4f538

            SHA256

            2897cdbef17a9189c1eb7f63a4c99800eb674ce667de2b916220346b091a2647

            SHA512

            73bee8a701b9d95315ccdc9a107d28d385c11be6eb1e5d20c0f4a9bd4a07fc712e5d566317837ee1a25ed251c8043499ae3dcd72b65673a2aaaeca13926f43f7

            Download Submit

          • memory/2168-50-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2168-31-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2480-44-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/3524-17-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/3524-10-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/3720-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3720-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3720-19-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3720-22-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3720-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3720-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3720-30-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4308-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4308-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4308-39-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4472-0-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/4472-16-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/5012-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5012-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5012-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5012-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5060-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5060-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5060-51-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5060-54-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download