Analysis

max time kernel: 146s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/07/2025, 18:52
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Resource: win10v2004-20250619-en
General

Target: 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Size: 134KB
MD5: b605fbc7a11d3e1b799e6980118313ed
SHA1: 1bcb8685cbe83507323a269c0ac47fc72264e9d7
SHA256: 8c38c395be0daf5c90ffd44263af56a2d5fa0d109dd03fbca087ad6f976c1f3f
SHA512: 99ef6ca59efd0ab33cb7727bb5615fb4278e3f2de7af2141a7bd668cde89690f87335071e3d24ca283f7479b2ee1a4a9e8f394752c80ff6d1c4174063239e8dd
SSDEEP: 1536:oDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:OiRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config

Extracted
Family: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
  pid | Process
  2632 | omsecor.exe
  2020 | omsecor.exe
  2320 | omsecor.exe
  3340 | omsecor.exe
  5472 | omsecor.exe
  4508 | omsecor.exe

Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 692 set thread context of 5432 | 692 | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 86
  PID 2632 set thread context of 2020 | 2632 | omsecor.exe | 90
  PID 2320 set thread context of 3340 | 2320 | omsecor.exe | 115
  PID 5472 set thread context of 4508 | 5472 | omsecor.exe | 118

Program crash (4 IoCs)
  pid | pid_target | Process | procid_target
  5296 | 692 | WerFault.exe | 85
  3860 | 2632 | WerFault.exe | 89
  1192 | 2320 | WerFault.exe | 114
  3196 | 5472 | WerFault.exe | 117

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs; identical report rows are collapsed, the count column gives how many times each appears)
  description | pid | Process | procid_target | count
  PID 692 wrote to memory of 5432 | 692 | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 86 | 5
  PID 5432 wrote to memory of 2632 | 5432 | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 89 | 3
  PID 2632 wrote to memory of 2020 | 2632 | omsecor.exe | 90 | 5
  PID 2020 wrote to memory of 2320 | 2020 | omsecor.exe | 114 | 3
  PID 2320 wrote to memory of 3340 | 2320 | omsecor.exe | 115 | 5
  PID 3340 wrote to memory of 5472 | 3340 | omsecor.exe | 117 | 3
  PID 5472 wrote to memory of 4508 | 5472 | omsecor.exe | 118 | 5
Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe"
  PID: 692
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe
    PID: 5432
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2632
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2020
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\omsecor.exe (depth 5)
          Command line: C:\Windows\System32\omsecor.exe
          PID: 2320
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\omsecor.exe (depth 6)
            Command line: C:\Windows\SysWOW64\omsecor.exe
            PID: 3340
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 7)
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID: 5472
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 8)
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 4508
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

              C:\Windows\SysWOW64\WerFault.exe (depth 8)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 260
                PID: 3196
                - Program crash

          C:\Windows\SysWOW64\WerFault.exe (depth 6)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 300
            PID: 1192
            - Program crash

      C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 296
        PID: 3860
        - Program crash

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 288
    PID: 5296
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 692 -ip 692
  PID: 4436

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2632 -ip 2632
  PID: 3280

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2320 -ip 2320
  PID: 1256

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5472 -ip 5472
  PID: 312
Network
MITRE ATT&CK Enterprise v16
Downloads