Analysis

max time kernel: 144s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/07/2025, 18:53
Static task: static1
General

Target: 2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Size: 134KB
MD5: d5b0c8d41a3bdf0883a10842bce1d511
SHA1: e302fe0cbe6541337eb0122b75c12421da869c2b
SHA256: a3bf4cf6ec4bb929e2bf912297091590528f1e3e902c3f92e51c84d86b87e11f
SHA512: c72529a70975ef55017d396872dc35ffaee14c9f2a2d132544c936f0d5999ba772b80698ebb1b60addae59a123d11fdb7a7053680b9c4acf04fdfea24e0709ea
SSDEEP: 1536:UDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCif:qiRTeH0iqAW6J6f1tqF6dngNmaZCiaI
Malware Config

Extracted: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)

pid    Process
5568   omsecor.exe
1004   omsecor.exe
5212   omsecor.exe
2072   omsecor.exe
416    omsecor.exe
1000   omsecor.exe
Drops file in System32 directory (1 IoC)

description    ioc                              Process
File created   C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
Suspicious use of SetThreadContext (4 IoCs)

description                            pid    Process                                                                                       procid_target
PID 4192 set thread context of 2012    4192   2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe   84
PID 5568 set thread context of 1004    5568   omsecor.exe                                                                                   89
PID 5212 set thread context of 2072    5212   omsecor.exe                                                                                   102
PID 416 set thread context of 1000     416    omsecor.exe                                                                                   106
Program crash (4 IoCs)

pid    pid_target   Process        procid_target
5464   4192         WerFault.exe   83
5196   5568         WerFault.exe   87
2640   5212         WerFault.exe   101
872    416          WerFault.exe   104
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description   ioc                                                             Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     omsecor.exe
Suspicious use of WriteProcessMemory (29 IoCs)

description                        pid    Process                                                                                       procid_target
PID 4192 wrote to memory of 2012   4192   2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe   84
PID 4192 wrote to memory of 2012   4192   2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe   84
PID 4192 wrote to memory of 2012   4192   2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe   84
PID 4192 wrote to memory of 2012   4192   2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe   84
PID 4192 wrote to memory of 2012   4192   2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe   84
PID 2012 wrote to memory of 5568   2012   2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe   87
PID 2012 wrote to memory of 5568   2012   2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe   87
PID 2012 wrote to memory of 5568   2012   2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe   87
PID 5568 wrote to memory of 1004   5568   omsecor.exe                                                                                   89
PID 5568 wrote to memory of 1004   5568   omsecor.exe                                                                                   89
PID 5568 wrote to memory of 1004   5568   omsecor.exe                                                                                   89
PID 5568 wrote to memory of 1004   5568   omsecor.exe                                                                                   89
PID 5568 wrote to memory of 1004   5568   omsecor.exe                                                                                   89
PID 1004 wrote to memory of 5212   1004   omsecor.exe                                                                                   101
PID 1004 wrote to memory of 5212   1004   omsecor.exe                                                                                   101
PID 1004 wrote to memory of 5212   1004   omsecor.exe                                                                                   101
PID 5212 wrote to memory of 2072   5212   omsecor.exe                                                                                   102
PID 5212 wrote to memory of 2072   5212   omsecor.exe                                                                                   102
PID 5212 wrote to memory of 2072   5212   omsecor.exe                                                                                   102
PID 5212 wrote to memory of 2072   5212   omsecor.exe                                                                                   102
PID 5212 wrote to memory of 2072   5212   omsecor.exe                                                                                   102
PID 2072 wrote to memory of 416    2072   omsecor.exe                                                                                   104
PID 2072 wrote to memory of 416    2072   omsecor.exe                                                                                   104
PID 2072 wrote to memory of 416    2072   omsecor.exe                                                                                   104
PID 416 wrote to memory of 1000    416    omsecor.exe                                                                                   106
PID 416 wrote to memory of 1000    416    omsecor.exe                                                                                   106
PID 416 wrote to memory of 1000    416    omsecor.exe                                                                                   106
PID 416 wrote to memory of 1000    416    omsecor.exe                                                                                   106
PID 416 wrote to memory of 1000    416    omsecor.exe                                                                                   106
Processes

Process tree (indentation shows parent/child depth; the depth number from the report is given in brackets):

[1] C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe"
    PID: 4192
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\2025-07-02_d5b0c8d41a3bdf0883a10842bce1d511_amadey_elex_rhadamanthys_smoke-loader_stop.exe
      PID: 2012
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 5568
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 1004
          - Executes dropped EXE
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\System32\omsecor.exe
            PID: 5212
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\omsecor.exe
              Command line: C:\Windows\SysWOW64\omsecor.exe
              PID: 2072
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 416
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  PID: 1000
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery

              [8] C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 256
                  PID: 872
                  - Program crash

          [6] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 296
              PID: 2640
              - Program crash

      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5568 -s 288
          PID: 5196
          - Program crash

  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 300
      PID: 5464
      - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4192 -ip 4192
    PID: 5404

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5568 -ip 5568
    PID: 5400

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5212 -ip 5212
    PID: 556

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 416 -ip 416
    PID: 1492
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 134KB
MD5: 85b289cf20556559517ea08034e29b89
SHA1: 0ed0631fe99bd5c1745a62a271193e66bcab47f8
SHA256: f00d44edb72776216aa169bbcc638f9ffe9d5805db3ea230e40dcc2342603820
SHA512: 6537e0216cc7181e7fa15a4e58fa3472055844f5cd8da02638055d6e7cc083197b4bed6e1638baf1ecd1bc01bfaed266ad1f2890c40a2bfbc5701360ec052e16

Filesize: 134KB
MD5: 179957c6bfccc73770a52a21399c337e
SHA1: 52df2802e321e70e989b18d3b3936ce31b817f99
SHA256: 0a84a09560c736b14cb45df6cd50caa8e8fd72d4c5f6af0f21bb6f9656c3e41b
SHA512: 94930e72686a97aef3fa8dd3a6f378fc563dc85723b3b491675eefa12992472c41278ae5d53c516ac179551fd814225929bc4f2b7a5360f0fcef7976e0f849fd

Filesize: 134KB
MD5: 09c2595d4470688cb49a722a3c7471cf
SHA1: 363278cfc04572b8ac128adf8e8b57a9d04f04f9
SHA256: 696dbdd03e9c578b8bf0302c6d62f1a0975782a959b3f0a76ff33ec17aaed008
SHA512: cff067d0142a94ea881c4682445e6e98502e4839c027484179e3467486729092cf071b3db38e507e6f887a279a9b2374b6bf636052953bc09e49167318365b11