Overview

overview

10

Static

static

3

2025-04-06...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/04/2025, 20:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe

  • Size

    134KB

  • MD5

    07110c5f5539229244022b8504647cae

  • SHA1

    7b4672e82ed80f3baa45347e97e8cec0c09d81ef

  • SHA256

    42d498e51e689744b4a116ca8c1ef64abf9dbc8a03dab9e2f6451a0cdf927d1d

  • SHA512

    8d11e6151194ed88f17befd24f266a243ad3391b75d491125a93fa674b0f9ad6abf3e53f094cfa200d3ff2c8c54b277df23ab8c9855a0026222ade3a05525391

  • SSDEEP

    1536:rDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:niRTeH0iqAW6J6f1tqF6dngNmaZCia

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Local\Temp\2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe
      C:\Users\Admin\AppData\Local\Temp\2025-04-06_07110c5f5539229244022b8504647cae_amadey_rhadamanthys_smoke-loader.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3188
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2240
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4592
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3864
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1652
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3096
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 268
                  8⤵
                  • Program crash
                  PID:2000
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 296
              6⤵
              • Program crash
              PID:2004
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 288
          4⤵
          • Program crash
          PID:2428
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 288
      2⤵
      • Program crash
      PID:2136
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2212 -ip 2212
    1⤵
      PID:692
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2156 -ip 2156
      1⤵
        PID:3592
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4592 -ip 4592
        1⤵
          PID:3548
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1652 -ip 1652
          1⤵
            PID:4876

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            134KB

            MD5

            ab300ce732b6563e158c4d32b8cd5e1a

            SHA1

            8dadbd6cb88c4f7cc2ad1105feec2a9fd176f34e

            SHA256

            0b8de4106f2cc5b013ec637962e1cf7f7e259cae2bf25a9a7c87529e5462c7e3

            SHA512

            dd80f47d34c411c0055e328f30ee4ce1797c15e9d41598b797e72f74d1afb1190a1d24b85f7fa9cf137e7ed38206464bd3532ff9d668e3ea85c20e2efc33163b

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            134KB

            MD5

            4837742a9f5879beaedd37da71534ecc

            SHA1

            e4e0eaa8aa54033822f7e79cf68e5fdca0ddfd65

            SHA256

            4312146fc114b7e8fa5fdf35448ed3b90aa4c52d7efa6789de725ac96304fdfe

            SHA512

            4237c0198516b6f98eff7c81b9033e5ca2605876ded4ec7fa3684844fa2fbe3ec2900221100bc7632add473e76d5b9f2469bfe94aa0f42c8847a7800c14ddcf3

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            134KB

            MD5

            9f34604056a294238671e6fd3ea3b439

            SHA1

            96eb92664b5dcc1a87091d03eaf9e88cdda69501

            SHA256

            2d4201ac11dc875725d178b58b4bea1c036b5cc977cba7c3fc429710660cf9a9

            SHA512

            e1368244cb935d77426624ae07a5b2ac11c88436037042dfa3f3579609aff8f0443b2b1a9ec9d26fa7154eb440f812126db294dec226085d030955230484c87d

            Download Submit

          • memory/1652-44-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2156-8-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2156-16-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2212-17-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2212-0-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2240-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2240-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2240-18-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2240-21-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2240-24-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2240-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2240-32-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3096-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3096-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3096-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3096-53-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3188-6-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3188-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3188-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3188-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3864-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3864-42-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3864-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4592-33-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download