Analysis
- max time kernel: 144s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20250619-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/07/2025, 18:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
- Resource: win10v2004-20250619-en
General
- Target: 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
- Size: 134KB
- MD5: c0449747a0d7a18ab7e6e93f3cd3a115
- SHA1: 439fa7a38316c1a648adbff875b5d127d55d3df9
- SHA256: 8a4a20ba21a370e20c081007d18a921c4a7a856af338d8ce172b05dd43397d18
- SHA512: da7934998bf6704055e2ab329d112d90d639a7255a8b981fafd299184bccb771014359aec50fa798edc48581ca609dabb6dfa97a5e4ee543df4887df5eab350c
- SSDEEP: 1536:bDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCid:XiRTeH0iqAW6J6f1tqF6dngNmaZCiaI
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid  | Process
  4396 | omsecor.exe
  3740 | omsecor.exe
  1380 | omsecor.exe
  3644 | omsecor.exe
  3952 | omsecor.exe
  3248 | omsecor.exe
- Drops file in System32 directory (1 IoC)
  description  | ioc                             | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description                         | pid  | Process                                                                                    | procid_target
  PID 1284 set thread context of 2672 | 1284 | 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 86
  PID 4396 set thread context of 3740 | 4396 | omsecor.exe                                                                                | 90
  PID 1380 set thread context of 3644 | 1380 | omsecor.exe                                                                                | 120
  PID 3952 set thread context of 3248 | 3952 | omsecor.exe                                                                                | 123
- Program crash (4 IoCs)
  pid  | pid_target | Process      | procid_target
  2172 | 1284       | WerFault.exe | 85
  4428 | 4396       | WerFault.exe | 89
  2028 | 1380       | WerFault.exe | 119
  3640 | 3952       | WerFault.exe | 122
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                         | Process                                                                                    | rows
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                                                                                | 6
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 2
- Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed, "calls" gives the row count)
  description                      | pid  | Process                                                                                    | procid_target | calls
  PID 1284 wrote to memory of 2672 | 1284 | 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 86            | 5
  PID 2672 wrote to memory of 4396 | 2672 | 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 89            | 3
  PID 4396 wrote to memory of 3740 | 4396 | omsecor.exe                                                                                | 90            | 5
  PID 3740 wrote to memory of 1380 | 3740 | omsecor.exe                                                                                | 119           | 3
  PID 1380 wrote to memory of 3644 | 1380 | omsecor.exe                                                                                | 120           | 5
  PID 3644 wrote to memory of 3952 | 3644 | omsecor.exe                                                                                | 122           | 3
  PID 3952 wrote to memory of 3248 | 3952 | omsecor.exe                                                                                | 123           | 5
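The SetThreadContext, WriteProcessMemory, Program crash and System Language Discovery tables above describe one pattern repeated four times: a process starts a copy of its own image, writes into it, sets the new process's thread context, and is then the process WerFault reports as crashed, while the child carries on and spawns the next stage. The script below is an added example, not part of this report or of any sandbox tooling: it parses the rows as they appear on this page and reconstructs that chain. The PIDs, image names and row layout are the report's; the WriteProcessMemory rows are collapsed to one per parent/child pair (the report lists 3 to 5 calls per pair), and the parser assumes each parent writes to a single child, which holds for this sample.

```python
"""Reconstruct the injection chain from sandbox signature rows.

Added example, not part of the sandbox report. It parses the report's
"set thread context", "wrote to memory", WerFault and NLS Language rows and
flags process-hollowing pairs: a parent that both writes into a child and
sets that child's thread context. The report carries no timestamps, so call
order within a pair is not checked.
"""
import re
from collections import Counter

SAMPLE = ("2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_"
          "amadey_elex_rhadamanthys_smoke-loader_stop.exe")
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed from this report's signature tables. WriteProcessMemory rows are
# collapsed to one per parent/child pair; all other rows are as on the page.
SIGNATURE_ROWS = f"""
PID 1284 set thread context of 2672 1284 {SAMPLE} 86
PID 4396 set thread context of 3740 4396 omsecor.exe 90
PID 1380 set thread context of 3644 1380 omsecor.exe 120
PID 3952 set thread context of 3248 3952 omsecor.exe 123
2172 1284 WerFault.exe 85
4428 4396 WerFault.exe 89
2028 1380 WerFault.exe 119
3640 3952 WerFault.exe 122
PID 1284 wrote to memory of 2672 1284 {SAMPLE} 86
PID 2672 wrote to memory of 4396 2672 {SAMPLE} 89
PID 4396 wrote to memory of 3740 4396 omsecor.exe 90
PID 3740 wrote to memory of 1380 3740 omsecor.exe 119
PID 1380 wrote to memory of 3644 1380 omsecor.exe 120
PID 3644 wrote to memory of 3952 3644 omsecor.exe 122
PID 3952 wrote to memory of 3248 3952 omsecor.exe 123
Key opened {NLS_KEY} omsecor.exe
Key opened {NLS_KEY} omsecor.exe
Key opened {NLS_KEY} omsecor.exe
Key opened {NLS_KEY} omsecor.exe
Key opened {NLS_KEY} omsecor.exe
Key opened {NLS_KEY} {SAMPLE}
Key opened {NLS_KEY} {SAMPLE}
Key opened {NLS_KEY} omsecor.exe
"""

# Column layout "PID <src> <verb> of <dst> <src> <image> <procid_target>" as on the page.
SET_CTX = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) \d+$")
WROTE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")
CRASH = re.compile(r"^\d+ (\d+) WerFault\.exe \d+$")          # group 1 = pid_target
NLS = re.compile(r"^Key opened (\S+\\NLS\\Language) (\S+)$")  # group 2 = process


def parse(rows: str) -> dict:
    """Bucket rows by event type; rows matching no pattern are ignored."""
    ev = {"setctx": [], "write": [], "crash": [], "nls": []}
    for line in rows.splitlines():
        line = line.strip()
        if m := SET_CTX.match(line):
            ev["setctx"].append((int(m[1]), int(m[2]), m[3]))
        elif m := WROTE.match(line):
            ev["write"].append((int(m[1]), int(m[2]), m[3]))
        elif m := CRASH.match(line):
            ev["crash"].append(int(m[1]))   # the process that crashed, not WerFault's own PID
        elif m := NLS.match(line):
            ev["nls"].append(m[2])          # the process that opened the NLS key
    return ev


def hollowing_pairs(ev: dict) -> list:
    """(injector, target, image) for every parent that wrote into a child and
    also set that child's thread context. A write alone (2672 -> 4396 here) is
    what a plain CreateProcess of a dropped file looks like and is not flagged."""
    written = {(src, dst) for src, dst, _ in ev["write"]}
    return [(src, dst, img) for src, dst, img in ev["setctx"] if (src, dst) in written]


def spawn_chain(ev: dict) -> list:
    """Follow WriteProcessMemory edges from the single root PID to the last child."""
    child_of = {src: dst for src, dst, _ in ev["write"]}
    roots = [p for p in child_of if p not in child_of.values()]
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {roots}")
    chain = [roots[0]]
    while chain[-1] in child_of:
        chain.append(child_of[chain[-1]])
    return chain


def injectors_that_crashed(ev: dict) -> set:
    """Injector PIDs that WerFault later reported as crashed."""
    return {src for src, _, _ in hollowing_pairs(ev)} & set(ev["crash"])


def nls_probes(ev: dict) -> Counter:
    """How many rows show each image opening the NLS Language key."""
    return Counter(ev["nls"])


if __name__ == "__main__":
    ev = parse(SIGNATURE_ROWS)
    print("lineage:", " -> ".join(map(str, spawn_chain(ev))))
    for src, dst, img in hollowing_pairs(ev):
        state = "crashed" if src in injectors_that_crashed(ev) else "alive"
        print(f"hollowing: {src} -> {dst} ({img}), injector {state}")
    print("NLS\\Language probes:", dict(nls_probes(ev)))
```

Two things to carry over when turning this into a hunt on a real host. The on-disk copy is C:\Windows\SysWOW64\omsecor.exe even though the command line in the process tree says C:\Windows\System32\omsecor.exe: this is a 32-bit process (arch:x86, SysWOW64\WerFault.exe) and WOW64 file system redirection rewrote the path, so a rule keyed on the System32 string misses the file. And the sandbox only records that the NLS\Language key was opened, not what was done with the value; many benign processes open that key, so it is corroboration for the injection chain rather than a signal on its own. Sysmon's ProcessAccess event (ID 10) records process-handle rights, not thread-context changes, so reproducing the write-plus-SetThreadContext pairing needs a telemetry source that exposes both calls.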
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID 1284)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe"
  signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID 2672)
    command line: C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4396)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3740)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\omsecor.exe (PID 1380)
          command line: C:\Windows\System32\omsecor.exe
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\omsecor.exe (PID 3644)
            command line: C:\Windows\SysWOW64\omsecor.exe
            signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3952)
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3248)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\WerFault.exe (PID 3640)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 256
                signatures: Program crash
          - C:\Windows\SysWOW64\WerFault.exe (PID 2028)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 292
            signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 4428)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 288
        signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 2172)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 272
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4672)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1284 -ip 1284
- C:\Windows\SysWOW64\WerFault.exe (PID 4984)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4396 -ip 4396
- C:\Windows\SysWOW64\WerFault.exe (PID 1620)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1380 -ip 1380
- C:\Windows\SysWOW64\WerFault.exe (PID 3584)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3952 -ip 3952
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 134KB
  MD5: 376d87085276e46fc8f94221fcefb8ec
  SHA1: e245815e78c8e3a7a22fe5149376fd98f008d2d0
  SHA256: cce8f4b2b0515ed3c65e8adcb552ad05a9e365b4badbabf818b59a45b3a219f3
  SHA512: c3907a20260b55c8074d6d704ef4c86f870c7a705026fd18dea0bedb49de6430f8b6338d27f006ea4ad716baf426d78f1f99955cbcdab027dd6b6acbf053a8db
- Filesize: 134KB
  MD5: 93c5ac954f5c6b394ad101b3f70bedaf
  SHA1: 57b1816c79a1d97feb5a04191d7323c11ff383bf
  SHA256: e57c367ca78e0a90104270c269363520a821dcce73ac294bfe2fea427e463ec3
  SHA512: 0f5494dcb58c17b67d0c7489fffe4808d5148cfdce4ff02c2fe6ca09305fd55b38b678f2cb29be56d6a253e361b907b19af2290db0ed92e153fc2c36f2695b52
- Filesize: 134KB
  MD5: 68cd8abdf5f9afdfb6feb74d41829e82
  SHA1: 36a9ccd78f4b1f4d8493902e7c612a53a329dd4e
  SHA256: 4b7bfd94aecf18a4470a73e986efb3b9ceb6492c50f7f1a2e9ac54feb1d6a8cc
  SHA512: 427c413d8fda132d18b413fb144c2ca40fd7c0d8386dcf42c8d022926a68c912a14d92e162a469142b88408b67bd0a8df5b708be3653d2c1015fb77dd3e9f7eb