File name:	2025-04-29_7d32ecdb81bb1a07250d335dc5613e20_amadey_elex_rhadamanthys_smoke-loader
Full analysis:	https://app.any.run/tasks/69db7de1-02af-4662-8308-edbf8ddd50f7
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 06:08:41
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	ransomware birele neconyd sinkhole
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5:	7D32ECDB81BB1A07250D335DC5613E20
SHA1:	A836F3AA28966D0FA26CED873394A5DBD715AC58
SHA256:	BB37B465C1F8444FF2EFCFA23166F25F8724630E16CFA487DDDD6B41B0F87BF7
SSDEEP:	3072:PR65qaR6CRp/5y03CwJ3/HxMqMdA33M5tC1isyPFCALzv4mlkVVXV9da:PmqaRRRZ/MnA3cQYFCOzv3AVXV

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:11:25 19:36:24+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit, No debug
PEType:	PE32
LinkerVersion:	8
CodeSize:	28672
InitializedDataSize:	98304
UninitializedDataSize:	-
EntryPoint:	0x18b6
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.1
ProductVersionNumber:	2.1.0.0
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	Comments
FileVersion:	0, 1, 2, 0
InternalName:	CompanyName
LegalCopyright:	LegalTrademarks
OriginalFileName:	Build private
ProductName:	Movie name
ProductVersion:	0, 0, 0, 0


(PID) Process:	(5380) omsecor.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5380) omsecor.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5380) omsecor.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6512) ShellExperienceHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\yYpHriFUdyS-r81lKl88jPGlZr-M05PzoCQ_A6O0gXA\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Voices
Operation:	write	Name:	DefaultTokenId
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM
(PID) Process:	(6512) ShellExperienceHost.exe	Key:	\REGISTRY\A\{3c05c9bb-1048-9a9f-57f5-9791fa51f4ea}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20250410
Value: 000000006B63337ECDB8DB01
(PID) Process:	(6512) ShellExperienceHost.exe	Key:	\REGISTRY\A\{3c05c9bb-1048-9a9f-57f5-9791fa51f4ea}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20250411
Value: 000000006B63337ECDB8DB01
(PID) Process:	(6512) ShellExperienceHost.exe	Key:	\REGISTRY\A\{3c05c9bb-1048-9a9f-57f5-9791fa51f4ea}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20250412
Value: 000000006B63337ECDB8DB01
(PID) Process:	(6512) ShellExperienceHost.exe	Key:	\REGISTRY\A\{3c05c9bb-1048-9a9f-57f5-9791fa51f4ea}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20250413
Value: 000000003BCA357ECDB8DB01
(PID) Process:	(6512) ShellExperienceHost.exe	Key:	\REGISTRY\A\{3c05c9bb-1048-9a9f-57f5-9791fa51f4ea}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20250414
Value: 000000003BCA357ECDB8DB01
(PID) Process:	(6512) ShellExperienceHost.exe	Key:	\REGISTRY\A\{3c05c9bb-1048-9a9f-57f5-9791fa51f4ea}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20250415
Value: 000000003BCA357ECDB8DB01

PID	Process	Filename		Type
5668	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_omsecor.exe_847c60a65b090bf14ce9a383f272cf488a15e77_6147b191_2229c253-b572-4282-8c15-3f01c894e44c\Report.wer		—
		MD5:—	SHA256:—
1056	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-04-29_7d32e_54a02d34d0d12e9ca8e0651aac06c3e654fcd_ad78248f_4484e9e5-9493-45dd-bd0a-9ec81731ea3a\Report.wer		—
		MD5:—	SHA256:—
5668	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDC2.tmp.dmp		binary
		MD5:DFC280373F772320887575397822A301	SHA256:387352915CEA80A6D5BCD8326CDB6C69FCFC3D287998B6E65F8D50C4D0417BF8
1056	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE8E.tmp.WERInternalMetadata.xml		xml
		MD5:34194D17CA50606F8BBCAB5FFB180A94	SHA256:C1F6A625610C737E4EDF0E166AF82CA9544114C1E5180A1673B82EB80FAA4F5F
5668	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE8F.tmp.WERInternalMetadata.xml		xml
		MD5:11E1E507269CF59D85DC4C242A85A2BE	SHA256:B3C1D8304114309312DB0EFD14FE88AB0C726CE4716B57F8FB9FD9690769CD59
5668	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\omsecor.exe.1512.dmp		binary
		MD5:E0929C15319D2532EF74B0B0F258B3DF	SHA256:95044D7C668C8B017E62ACCA17694020D44683AD2F189D1D02C21D5623CF8785
5668	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERCEEC.tmp.xml		xml
		MD5:6BFBEC3259B79B9AA1512DCE6519CA4D	SHA256:AFCC688BBED1A91B1854D11E6F19E2A55B2052D614191E2EDEFCD48730E9FCCC
1056	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\2025-04-29_7d32ecdb81bb1a07250d335dc5613e20_amadey_elex_rhadamanthys_smoke-loader.exe.7152.dmp		binary
		MD5:5D0DE5F7BEBE7135287867E5DAB52BF0	SHA256:7606836CCBD4E030CCC8D37855C875376DBFFB160F5B433D373A252A56FBB111
1056	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD93.tmp.dmp		binary
		MD5:772D0AFC21D0A6C11CDCA3A7773A730B	SHA256:B2F38114B5A3E1C4A0A1E6EC73B20D63C9763E618899E4BA11D729DF675AA2C6
664	2025-04-29_7d32ecdb81bb1a07250d335dc5613e20_amadey_elex_rhadamanthys_smoke-loader.exe	C:\Users\admin\AppData\Roaming\omsecor.exe		executable
		MD5:53AE946E4FA852D1A356ACE109F40FF3	SHA256:D89B9175DC63FBCAD19CB30EAC93A4751D077E92BF1A2B570EF6A02F9AA334D6

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5380	omsecor.exe	GET	—	193.166.255.171:80	http://lousta.net/574/897.html	unknown	—	—	malicious
5380	omsecor.exe	GET	403	75.2.18.233:80	http://mkkuei4kdsz.com/208/898.html	unknown	—	—	malicious
5380	omsecor.exe	GET	200	44.247.155.67:80	http://ow5dirasuek.com/421/370.html	unknown	—	—	malicious
5380	omsecor.exe	GET	—	193.166.255.171:80	http://lousta.net/298/453.html	unknown	—	—	malicious
5380	omsecor.exe	GET	—	193.166.255.171:80	http://lousta.net/912/666.html	unknown	—	—	malicious
5380	omsecor.exe	GET	—	193.166.255.171:80	http://lousta.net/911/637.html	unknown	—	—	malicious
5380	omsecor.exe	GET	—	75.2.18.233:80	http://mkkuei4kdsz.com/841/808.html	unknown	—	—	malicious
—	—	POST	500	13.77.207.86:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	13.77.207.86:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5380	omsecor.exe	193.166.255.171:80	lousta.net	Tieteen tietotekniikan keskus Oy	FI	malicious
4	System	192.168.100.255:137	—	—	—	whitelisted
5380	omsecor.exe	75.2.18.233:80	mkkuei4kdsz.com	AMAZON-02	US	malicious
5380	omsecor.exe	44.247.155.67:80	ow5dirasuek.com	AMAZON-02	US	malicious
4436	slui.exe	13.77.207.86:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2692	slui.exe	13.77.207.86:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.185.174	whitelisted
lousta.net	193.166.255.171	malicious
mkkuei4kdsz.com	75.2.18.233	malicious
ow5dirasuek.com	44.247.155.67	malicious
activation-v2.sls.microsoft.com	13.77.207.86	whitelisted

PID	Process	Class	Message
5380	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
5380	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
5380	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
5380	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
5380	omsecor.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
5380	omsecor.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
5380	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
5380	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
5380	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin

General Info

2025-04-29_7d32ecdb81bb1a07250d335dc5613e20_amadey_elex_rhadamanthys_smoke-loader

7D32ECDB81BB1A07250D335DC5613E20

A836F3AA28966D0FA26CED873394A5DBD715AC58

BB37B465C1F8444FF2EFCFA23166F25F8724630E16CFA487DDDD6B41B0F87BF7

3072:PR65qaR6CRp/5y03CwJ3/HxMqMdA33M5tC1isyPFCALzv4mlkVVXV9da:PmqaRRRZ/MnA3cQYFCOzv3AVXV

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Neconyd has been detected

BIRELE has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Application launched itself

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Executes application which crashes

Contacting a server suspected of hosting an CnC

INFO

Checks supported languages

The sample compiled with english language support

Creates files or folders in the user directory

Reads the computer name

Checks proxy server information

Failed to create an executable file in Windows directory

Reads the software policy settings

Process checks computer location settings

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings