Analysis
max time kernel: 144s
max time network: 144s
platform: windows11-21h2_x64
resource: win11-20250610-en
resource tags: arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/07/2025, 18:52
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Resource: win10v2004-20250619-en
General
Target: 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Size: 134KB
MD5: b605fbc7a11d3e1b799e6980118313ed
SHA1: 1bcb8685cbe83507323a269c0ac47fc72264e9d7
SHA256: 8c38c395be0daf5c90ffd44263af56a2d5fa0d109dd03fbca087ad6f976c1f3f
SHA512: 99ef6ca59efd0ab33cb7727bb5615fb4278e3f2de7af2141a7bd668cde89690f87335071e3d24ca283f7479b2ee1a4a9e8f394752c80ff6d1c4174063239e8dd
SSDEEP: 1536:oDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:OiRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config
Extracted: neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
  pid  | Process
  4144 | omsecor.exe
  3452 | omsecor.exe
  4924 | omsecor.exe
  4984 | omsecor.exe
  5040 | omsecor.exe
  5780 | omsecor.exe

Drops file in System32 directory (1 IoC)
  description  | ioc                             | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                         | pid  | Process                                                                                    | procid_target
  PID 1776 set thread context of 5700 | 1776 | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 78
  PID 4144 set thread context of 3452 | 4144 | omsecor.exe                                                                                | 83
  PID 4924 set thread context of 4984 | 4924 | omsecor.exe                                                                                | 87
  PID 5040 set thread context of 5780 | 5040 | omsecor.exe                                                                                | 90

Program crash (4 IoCs)
  pid  | pid_target | Process      | procid_target
  780  | 1776       | WerFault.exe | 77
  2376 | 4144       | WerFault.exe | 81
  1996 | 4924       | WerFault.exe | 86
  5048 | 5040       | WerFault.exe | 89
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Suspicious use of WriteProcessMemory (29 IoCs)
  description                      | pid  | Process                                                                                    | procid_target
  PID 1776 wrote to memory of 5700 | 1776 | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 78
  PID 1776 wrote to memory of 5700 | 1776 | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 78
  PID 1776 wrote to memory of 5700 | 1776 | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 78
  PID 1776 wrote to memory of 5700 | 1776 | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 78
  PID 1776 wrote to memory of 5700 | 1776 | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 78
  PID 5700 wrote to memory of 4144 | 5700 | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 81
  PID 5700 wrote to memory of 4144 | 5700 | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 81
  PID 5700 wrote to memory of 4144 | 5700 | 2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe | 81
  PID 4144 wrote to memory of 3452 | 4144 | omsecor.exe                                                                                | 83
  PID 4144 wrote to memory of 3452 | 4144 | omsecor.exe                                                                                | 83
  PID 4144 wrote to memory of 3452 | 4144 | omsecor.exe                                                                                | 83
  PID 4144 wrote to memory of 3452 | 4144 | omsecor.exe                                                                                | 83
  PID 4144 wrote to memory of 3452 | 4144 | omsecor.exe                                                                                | 83
  PID 3452 wrote to memory of 4924 | 3452 | omsecor.exe                                                                                | 86
  PID 3452 wrote to memory of 4924 | 3452 | omsecor.exe                                                                                | 86
  PID 3452 wrote to memory of 4924 | 3452 | omsecor.exe                                                                                | 86
  PID 4924 wrote to memory of 4984 | 4924 | omsecor.exe                                                                                | 87
  PID 4924 wrote to memory of 4984 | 4924 | omsecor.exe                                                                                | 87
  PID 4924 wrote to memory of 4984 | 4924 | omsecor.exe                                                                                | 87
  PID 4924 wrote to memory of 4984 | 4924 | omsecor.exe                                                                                | 87
  PID 4924 wrote to memory of 4984 | 4924 | omsecor.exe                                                                                | 87
  PID 4984 wrote to memory of 5040 | 4984 | omsecor.exe                                                                                | 89
  PID 4984 wrote to memory of 5040 | 4984 | omsecor.exe                                                                                | 89
  PID 4984 wrote to memory of 5040 | 4984 | omsecor.exe                                                                                | 89
  PID 5040 wrote to memory of 5780 | 5040 | omsecor.exe                                                                                | 90
  PID 5040 wrote to memory of 5780 | 5040 | omsecor.exe                                                                                | 90
  PID 5040 wrote to memory of 5780 | 5040 | omsecor.exe                                                                                | 90
  PID 5040 wrote to memory of 5780 | 5040 | omsecor.exe                                                                                | 90
  PID 5040 wrote to memory of 5780 | 5040 | omsecor.exe                                                                                | 90
Processes
(process tree; indentation shows depth, each entry lists path, command line, PID and triggered signatures)

[1] C:\Users\Admin\AppData\Local\Temp\2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe"
    PID: 1776
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\2025-07-02_b605fbc7a11d3e1b799e6980118313ed_amadey_elex_rhadamanthys_smoke-loader_stop.exe
      PID: 5700
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 4144
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 3452
          - Executes dropped EXE
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\System32\omsecor.exe
            PID: 4924
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\omsecor.exe
              Command line: C:\Windows\SysWOW64\omsecor.exe
              PID: 4984
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 5040
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  PID: 5780
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery

              [8] C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 268
                  PID: 5048
                  - Program crash

          [6] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 304
              PID: 1996
              - Program crash

      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 312
          PID: 2376
          - Program crash

  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 300
      PID: 780
      - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1776 -ip 1776
    PID: 2100

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4144 -ip 4144
    PID: 2840

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4924 -ip 4924
    PID: 4876

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5040 -ip 5040
    PID: 404
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 134KB
MD5: bc70b2c2d130a9d979c297e9c1e87980
SHA1: d924ec21cdbb6d9b48d79fa373689a674e59f59a
SHA256: 4507c07a5a14dbbdbbd9a91b48f3889a53f1ebfab59d967bf04671b3eb54ee28
SHA512: e61d03f2206365eb13597ddf1c26ed602ab4ec7258c48fa6da92d7713cdb324ba2448f39a4a501b50c0a10208b210597928db743bb448d26be8a4df6274d6841

Filesize: 134KB
MD5: 594332f25218c9cb36a5186a39612da5
SHA1: a80a3fc1f2fe0750d43697a061a4eacc626e01eb
SHA256: 524dbafcdccf5c36ae9efff0c4714309875c372bf590466e6dffdd3379b46020
SHA512: e1c809c1fc4c70e6d4dab831162e840293e1618f8bcb35e1d3695b53dec35fb7191c54e1cd2186302121009cfe38b40092472c7e32c0432d60b47173e42b9e85

Filesize: 134KB
MD5: b898f671200923edec86c5e9f6c21b60
SHA1: 1160b70a770a251861c76736ff2700a98765ae90
SHA256: 0f265bb4acaf8b8b2d104e0413281da9e9cb451536e0489eb0bd391f99153f5c
SHA512: 3ecf29d186426478e040f3e8df8936820ac513bed37d6f6388124e13fc3ae13fe356a13d08d7fe3c3aa7ea2f2d5abfd45edd2da7f599fdae3b44d6ff8ef8aeac