Analysis
-
max time kernel
145s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
30/03/2025, 16:09
General
-
Target
2025-03-30_1e7736c45ca86406b14dc22de70d8300_amadey_rhadamanthys_smoke-loader.exe
-
Size
6.1MB
-
MD5
1e7736c45ca86406b14dc22de70d8300
-
SHA1
76dea3dab0663a74a20dd319daecdfcbd9f2865b
-
SHA256
3f063eff823d07a9f5ea740aa5975b92b6e4a238f7bc0eb222de244b0d4516d2
-
SHA512
ce9450b461e63e754e21947ea5b7ab9b2c617bc2332745008d2f19dc7f9c2f5072f2d66a2d8378e4e9669e210dc7ac21e2fc5d3b8ff8e6133f49c16e876393cb
-
SSDEEP
98304:2oqTB3hkFfGMTPQLco1gufrVqV26hgDFrteSdvggzmRLIo6Eg0:6hkFfGMkASVqV26hgDneS1FyRUo6Eg0
Malware Config
Signatures
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 17 IoCs
-
Network Service Discovery 1 TTPs 2 IoCs
Attempt to gather information on host's network.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Drops file in System32 directory 11 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
System Network Connections Discovery 1 TTPs 2 IoCs
Attempt to get a listing of network connections.
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies data under HKEY_USERS 64 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2025-03-30_1e7736c45ca86406b14dc22de70d8300_amadey_rhadamanthys_smoke-loader.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-30_1e7736c45ca86406b14dc22de70d8300_amadey_rhadamanthys_smoke-loader.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xwgzdtlvzl.exe"C:\Users\Admin\AppData\Local\Temp\xwgzdtlvzl.exe" "C:\Users\Admin\AppData\Local\Temp\fsbneqzuga.exe" "C:\Users\Admin\AppData\Local\Temp\2025-03-30_1e7736c45ca86406b14dc22de70d8300_amadey_rhadamanthys_smoke-loader.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\favplredvy.exeC:\Users\Admin\AppData\Local\Temp\favplredvy.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe/c sc config msdtc obj= LocalSystem4⤵
-
C:\Windows\system32\sc.exesc config msdtc obj= LocalSystem5⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Qaz7n9N0.bat"4⤵
-
-
C:\Windows\System32\bindsvc.exe"C:\Windows\System32\bindsvc.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs C:\Users\Admin\AppData\Roaming\Microsoft\Word2⤵
-
-
C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs C:\Users\Admin\AppData\Roaming\Microsoft\Word2⤵
-
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchUserHost.exeC:\Windows\system32\SearchUserHost.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe/c systeminfo3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
-
-
-
C:\Windows\system32\cmd.exe/c "tasklist /v"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /v4⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe/c "netstat -ano"3⤵
- System Network Connections Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NETSTAT.EXEnetstat -ano4⤵
- System Network Connections Discovery
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe/c "ipconfig /all"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ipconfig.exeipconfig /all4⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exe/c "route print"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ROUTE.EXEroute print4⤵
-
-
-
C:\Windows\system32\cmd.exe/c "arp -a"3⤵
- Network Service Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ARP.EXEarp -a4⤵
- Network Service Discovery
-
-
-
C:\Windows\system32\cmd.exe/c "tasklist /m msfte.dll"3⤵
-
C:\Windows\system32\tasklist.exetasklist /m msfte.dll4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe/c "net share"3⤵
-
C:\Windows\system32\net.exenet share4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 share5⤵
-
-
-
-
C:\Windows\system32\cmd.exe/c "ping server"3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping server4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\system32\cmd.exe/c "sc query hfile.sys"3⤵
-
C:\Windows\system32\sc.exesc query hfile.sys4⤵
- Launches sc.exe
-
-
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 548 552 560 65536 5562⤵
- Modifies data under HKEY_USERS
-
Network
MITRE ATT&CK Enterprise v15
Discovery
Network Service Discovery
1Network Share Discovery
1Process Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1024KB
MD5cf9c2f860937ef409d320b78111a6590
SHA10572e7a11c9e818e9626e3e5438abf1728c3e0fa
SHA256c15a955992021f4640e40f8aa18b459521458b904c2e0153d944f40118b5c660
SHA5126e50d2894588f79d33ffd93e069d848ef9fe64b5dfbcbc1ed5379768555d5dfed4bc8d9e5cf9a58e56b14e73d80c49363a23966b0fe0ccd8c9e2ff08720618b7
-
Filesize
17KB
MD5b6059cac820365a2120f8b041be0b579
SHA1009a6beb10a1dd11ea0be4970c9805673411c3e4
SHA25645990fd5ffca247ad39550d8cacb5487575c3891522a09abd60a12a98d16936e
SHA512ddbe35e1f586ff0daa15665c003a203dd6c28fd621b13f0a289c863c0d325d906a4780cf8621bbd9915b0872a0b9b8e69fe403b48eb82264c95b0a30e5f315d7
-
Filesize
196B
MD5e5e0d60c0250439f49ad6656c3f5422c
SHA13751594794c3b738b1d379461c8d1753bfaf81ce
SHA2564fae3cf59f200bb289285720c87a0b4a33cb1e46b29621bec5fd199a82fc950a
SHA5125623a75d24eded618f50786d30c732373cf5ce1388050b0c67b20936b1eec877d95c7c75d271aa30d5faf5d57e70e3855ae4ab71abc8040e1d273cb592ad4d8b
-
Filesize
878B
MD500e1ddc163b58b9e93e4f45de35e477d
SHA1164fb3598ce2529ef017f66e5116bec4c05cd705
SHA256f1d14cac5826a6f6f65fde5d4811376f2c3a75b02363540cd8f031feb19865e8
SHA512ff69091985f5a811b02328b710c32e94ad0ecd06168ae5b765f37fafdb78c4a6135ac74005d269d9b17226610095c0fe2c83bc8f81d0c2d0b2c5b4fc5a1a37f7
-
Filesize
2KB
MD59fab1ef4ecb819bd5aaae5ccb458eaf8
SHA10c0256c1d272a0069b8670da0517605cb2554c92
SHA256d1dc5ad5613d7c874bc3674b3b838cac20f09272fd114d9ece2c389a08a63ba2
SHA51217a872988603391f20bbda29456f29bb939ccd549aa9af1ce51780abb7f06811a4bf0e6d0ff76efdfb707c20e40fe6aeef0cf29cdc9681a08d03821b4074a7fa
-
Filesize
1KB
MD58a508230811b3c39fee95227f476cb6a
SHA1cb9eb41d95a98d08f9bda6e7ffd9e1dd5865fc23
SHA256ad0d8d80e8820860988b5f12951ec462f0c9bfbf0833147ac3ea4671d8bd1fa2
SHA512b71748bde50324dc8d041e8c84ffcc2bb169706ed64d287557d13055b6d1e143ab20b09a025981aee0fc39b734b03a10e1a7e4b446ef43f798b09a877123bd3c
-
Filesize
7KB
MD5fe69433b1567c1069986438d30c55421
SHA1dd1b837ef6681000104694d383b146288476724a
SHA2560247d8bfd75820849006746ee747c78ac8a115498a1bb5f55b7954d516b607e4
SHA5125eefb838ebc8b36b2ed756d4083eaf67444e4509ea1331548dabb12d59512e067daac6f7663acecbc6b082369ec0253f97ec1a691215d883e094475216265531
-
Filesize
15KB
MD5e132b349801f03f8d74d481429bd9155
SHA17082a55da84bc76cc8af75c0da4ed6b929696fee
SHA256301353ba8f0bd28155510cdab6883bc4ec23848f6352ce296c458344094c065b
SHA512a2652364a136379f426dc4748081241a1527cc056b6596f7c7ecd5e17fb5e810a312bce2c7258abb16dba38567146e0fac4bab11d2c8ce2e40386a5af8c2884c
-
Filesize
4KB
MD52fa8a53fd78d70193b0ab7141df65aa3
SHA10cd0cf43cfd91e9d81e3e81e75410300b146f166
SHA25698f20982bace16d3279a7e1e0ff68f99380ae787215819105e4d32295f531b06
SHA5129e4260df494d2d70bfc4ba4da9184f2cdf085da328ad243f12e77a69c1016bd6a4668cedaa3a9bbc9a690af34f66adc6a878cf6a851d41ca8bda2de0930823ac
-
Filesize
1KB
MD53439318cedcf37c1bf5fe6d49ddbb2cb
SHA1e075965bb3b38abdd80668fb6101a0d10b30f080
SHA2566484a02c2db6c9afb5659ede4047cad10b7102c2bbc4c94bf8482f88d8fd83a8
SHA5123dffcf24b052a7fffd50ab6c76d081b1c47ba64c20f21650e4bdcf19106518e8b342691711230ba9eea5489994b8ccec8ad11f54b1509b1cd518616254176b61
-
Filesize
244KB
MD542ec9065d9bf266ade924b066c783a56
SHA1a8dcf7d63a8bb5abef8787775957a5bb6c0f3f77
SHA2564ac002e90a52cb0998da78f2995294ee77b89fb2be709b0e3c8e1627212bccdc
SHA512e49af43aef3f02397098821b81e034ee1f07f8c2f49a9a1768d1522bbc009103a2c88f436f488333f57c7d56b34acbee84588040f56382cc75eaddbb9db19980
-
Filesize
291KB
MD57c5b397fb54d5aa06bd2a6fb99c62fee
SHA1a9e0bf7bbabf6ab9e294156985537ae972ebd743
SHA256d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee
SHA512daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c
-
Filesize
580KB
MD52c2029588ad8b86759c17b7ae885ee03
SHA191653b5344d4c210201218e2f215dd5228d76799
SHA2563ab288c47914e33cc61985e46502158400faa9d7187b55c19039b8795504a290
SHA51288531fe6b0f2d66ada368a431f912868f74f9ed8ade9dc88887807b761490fe2cc317e1b6b40e7070411924c80971f237dca68ad2faafa7b4b1ecd2ec90c860f
-
Filesize
51KB
MD5e48b89715bf5e4c55eb5a1fed67865d9
SHA189a287da39e14b02cdc284eb287549462346d724
SHA256c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e
SHA5124bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c
-
Filesize
217KB
MD5d7ddfd90c55ad42200b2a7e51110ad87
SHA10c9429f0b51a73423de4cb0ecf10fd3b3bacd84d
SHA2564fdc7aacb3981434e797106944f27a507201d11cdf194b3fab79747ce98f2446
SHA5128ba6cd56ce6aeae9481154e93b75d8712e854a19c60f6279abf721c2550a09d9f22cb410a5cc3062d59f17cde35e728d250129abe60f29321a16df7d2fb9c179
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
32KB