Analysis
- max time kernel: 144s
- max time network: 143s
- platform: windows11-21h2_x64
- resource: win11-20250619-en
- resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 02/07/2025, 18:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
- Resource: win10v2004-20250619-en
General
- Target: 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
- Size: 134KB
- MD5: c0449747a0d7a18ab7e6e93f3cd3a115
- SHA1: 439fa7a38316c1a648adbff875b5d127d55d3df9
- SHA256: 8a4a20ba21a370e20c081007d18a921c4a7a856af338d8ce172b05dd43397d18
- SHA512: da7934998bf6704055e2ab329d112d90d639a7255a8b981fafd299184bccb771014359aec50fa798edc48581ca609dabb6dfa97a5e4ee543df4887df5eab350c
- SSDEEP: 1536:bDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCid:XiRTeH0iqAW6J6f1tqF6dngNmaZCiaI
Malware Config
Extracted family: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)

  | pid  | Process     |
  |------|-------------|
  | 3720 | omsecor.exe |
  | 3532 | omsecor.exe |
  | 5068 | omsecor.exe |
  | 3688 | omsecor.exe |
  | 5180 | omsecor.exe |
  | 3584 | omsecor.exe |

- Drops file in System32 directory (1 IoC)

  | description  | ioc                               | Process     |
  |--------------|-----------------------------------|-------------|
  | File created | C:\Windows\SysWOW64\omsecor.exe   | omsecor.exe |

- Suspicious use of SetThreadContext (4 IoCs)

  | description                             | pid  | Process                                                                                        | procid_target |
  |-----------------------------------------|------|------------------------------------------------------------------------------------------------|---------------|
  | PID 5216 set thread context of 1660     | 5216 | 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 78            |
  | PID 3720 set thread context of 3532     | 3720 | omsecor.exe                                                                                    | 83            |
  | PID 5068 set thread context of 3688     | 5068 | omsecor.exe                                                                                    | 87            |
  | PID 5180 set thread context of 3584     | 5180 | omsecor.exe                                                                                    | 91            |

- Program crash (4 IoCs)

  | pid  | pid_target | Process      | procid_target |
  |------|------------|--------------|---------------|
  | 5368 | 5216       | WerFault.exe | 77            |
  | 4584 | 3720       | WerFault.exe | 80            |
  | 676  | 5068       | WerFault.exe | 86            |
  | 3088 | 5180       | WerFault.exe | 89            |
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)

  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  | description | ioc                                                                | Process                                                                                        |
  |-------------|--------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        | 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe |
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        | 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe |
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        | omsecor.exe                                                                                    |
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        | omsecor.exe                                                                                    |
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        | omsecor.exe                                                                                    |
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        | omsecor.exe                                                                                    |
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        | omsecor.exe                                                                                    |
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        | omsecor.exe                                                                                    |

- Suspicious use of WriteProcessMemory (29 IoCs; identical rows grouped, with the number of times each row occurs)

  | description                          | pid  | Process                                                                                        | procid_target | occurrences |
  |--------------------------------------|------|------------------------------------------------------------------------------------------------|---------------|-------------|
  | PID 5216 wrote to memory of 1660     | 5216 | 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 78            | 5           |
  | PID 1660 wrote to memory of 3720     | 1660 | 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 80            | 3           |
  | PID 3720 wrote to memory of 3532     | 3720 | omsecor.exe                                                                                    | 83            | 5           |
  | PID 3532 wrote to memory of 5068     | 3532 | omsecor.exe                                                                                    | 86            | 3           |
  | PID 5068 wrote to memory of 3688     | 5068 | omsecor.exe                                                                                    | 87            | 5           |
  | PID 3688 wrote to memory of 5180     | 3688 | omsecor.exe                                                                                    | 89            | 3           |
  | PID 5180 wrote to memory of 3584     | 5180 | omsecor.exe                                                                                    | 91            | 5           |
Processes (tree; the bracketed number is the depth shown in the report)
- [1] C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe"
  PID: 5216
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
    PID: 1660
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3720
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 3532
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\omsecor.exe
          Command line: C:\Windows\System32\omsecor.exe
          PID: 5068
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\SysWOW64\omsecor.exe
            PID: 3688
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID: 5180
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              - [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 3584
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
              - [8] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 252
                PID: 3088
                - Program crash
          - [6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 304
            PID: 676
            - Program crash
      - [4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 288
        PID: 4584
        - Program crash
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 300
    PID: 5368
    - Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5216 -ip 5216
  PID: 5300
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3720 -ip 3720
  PID: 5592
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5068 -ip 5068
  PID: 4808
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5180 -ip 5180
  PID: 2084
MITRE ATT&CK Enterprise v16
Downloads
- File 1
  - Filesize: 134KB
  - MD5: 964e5cc9192ca696d50be0a6c21d4e5b
  - SHA1: 877fe7495c54824edfb021dc3e3ca580a1e0ad40
  - SHA256: 2ca2e4df490328349c72112e2665f61920d38b6f921b169c10c1cfb46dbe3f62
  - SHA512: 7b03bd44f472d406814b2103ce4a01af91beb2058333b827cc3a8ae2a14c1111a75aa4442571f9958d5e335e5de6230de149e8c19d0ba278fafb64965288ef40
- File 2
  - Filesize: 134KB
  - MD5: 93c5ac954f5c6b394ad101b3f70bedaf
  - SHA1: 57b1816c79a1d97feb5a04191d7323c11ff383bf
  - SHA256: e57c367ca78e0a90104270c269363520a821dcce73ac294bfe2fea427e463ec3
  - SHA512: 0f5494dcb58c17b67d0c7489fffe4808d5148cfdce4ff02c2fe6ca09305fd55b38b678f2cb29be56d6a253e361b907b19af2290db0ed92e153fc2c36f2695b52
- File 3
  - Filesize: 134KB
  - MD5: 80fdb5c82d127003f24373a3f62e1b42
  - SHA1: 7c9b9daa9b5d2df6721fc2411a115312dadda5e4
  - SHA256: b96ef610a989c2cbf689fda5e7d584720a3a7ef79620b837731cd2f728414757
  - SHA512: a6f562ee0a03dc0709f9953ee0928aa40e01702e634674717c8733da83f4e5d5f6d9f2f166b10b58a981e07c892d16f52dbc2df6db49d2ca1726a8c3b7bfdc2a