5bb314b25061f56152e69b96ce60ff0cdde1e9fa92accfa56aa64e15fee506d8

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe
Size

8.0MB
MD5

721a90101f7ce597a9fa16501def6950
SHA1

f14e6a307a929e8e6a17d9e4ec0a3d388dae01b8
SHA256

5bb314b25061f56152e69b96ce60ff0cdde1e9fa92accfa56aa64e15fee506d8
SHA512

70960ab66b7084dce11632f4f0230d98798f372d046fbcc39c78690d85f101cc0ceff91f5dd997aa314ed38cca36d74606305719c4e32b4699c99f03825aa3dc
SSDEEP

98304:nCHNToqTB3xuPzVXAhN0EczQqzaAzganpL8UHdCHNcFLOAkGkzdnEVomFHKnP0:nC9sPJ3zQqLCOFLOyomFHKnP0

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe

Executes dropped EXE 3 IoCs

pid	Process
3988	remmrfgngw.exe
2280	aedfjbljci.exe
5028	bindsvc.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wideshut.exe	aedfjbljci.exe
File opened for modification	C:\Windows\SysWOW64\wideshut.exe	aedfjbljci.exe
File created	C:\Windows\SysWOW64\wimsvc.exe	aedfjbljci.exe
File created	C:\Windows\SysWOW64\racfg.exe	aedfjbljci.exe
File created	C:\Windows\SysWOW64\bindsvc.exe	aedfjbljci.exe
File created	C:\Windows\system32\msfte.dll	aedfjbljci.exe
File created	C:\Windows\system32\oci.dll	aedfjbljci.exe
File created	C:\Windows\System32\bindsvc.exe	aedfjbljci.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2280-12-0x0000000000D50000-0x0000000000ECA000-memory.dmp	upx
behavioral2/files/0x000700000002423b-11.dat	upx
behavioral2/memory/2280-65-0x0000000000D50000-0x0000000000ECA000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5116	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remmrfgngw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aedfjbljci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bindsvc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b89e6e08ea1db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2cdcad78ea1db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000846644d88ea1db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbc3a3d88ea1db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b94f6fd88ea1db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007865a1e08ea1db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004cb08d88ea1db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa2787d88ea1db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6e0ddd78ea1db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da2868d88ea1db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091bf00d98ea1db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2280	aedfjbljci.exe
2280	aedfjbljci.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: 33	1080	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1080	SearchIndexer.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5728 wrote to memory of 3988	5728	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe	91
PID 5728 wrote to memory of 3988	5728	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe	91
PID 5728 wrote to memory of 3988	5728	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe	91
PID 5728 wrote to memory of 2280	5728	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe	92
PID 5728 wrote to memory of 2280	5728	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe	92
PID 5728 wrote to memory of 2280	5728	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe	92
PID 1080 wrote to memory of 6136	1080	SearchIndexer.exe	94
PID 1080 wrote to memory of 6136	1080	SearchIndexer.exe	94
PID 1080 wrote to memory of 4732	1080	SearchIndexer.exe	95
PID 1080 wrote to memory of 4732	1080	SearchIndexer.exe	95
PID 2280 wrote to memory of 4880	2280	aedfjbljci.exe	96
PID 2280 wrote to memory of 4880	2280	aedfjbljci.exe	96
PID 4880 wrote to memory of 5116	4880	cmd.exe	98
PID 4880 wrote to memory of 5116	4880	cmd.exe	98
PID 2280 wrote to memory of 5016	2280	aedfjbljci.exe	101
PID 2280 wrote to memory of 5016	2280	aedfjbljci.exe	101
PID 2280 wrote to memory of 5028	2280	aedfjbljci.exe	103
PID 2280 wrote to memory of 5028	2280	aedfjbljci.exe	103
PID 2280 wrote to memory of 5028	2280	aedfjbljci.exe	103

C:\Users\Admin\AppData\Local\Temp\2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5728
- C:\Users\Admin\AppData\Local\Temp\remmrfgngw.exe
  "C:\Users\Admin\AppData\Local\Temp\remmrfgngw.exe" "C:\Users\Admin\AppData\Local\Temp\ungpzepqiq.exe" "C:\Users\Admin\AppData\Local\Temp\2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3988
- C:\Users\Admin\AppData\Local\Temp\aedfjbljci.exe
  C:\Users\Admin\AppData\Local\Temp\aedfjbljci.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\System32\cmd.exe
    /c sc config msdtc obj= LocalSystem
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\system32\sc.exe
      sc config msdtc obj= LocalSystem
      4⤵
      Launches sc.exe
      PID:5116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\M90bRVIl.bat"
    3⤵
    PID:5016
- - C:\Windows\System32\bindsvc.exe
    "C:\Windows\System32\bindsvc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5028

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6136
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\M90bRVIl.bat

Filesize
196B

MD5
453c2ca7e14b2d8d46de4a1c65d103fe

SHA1
0ab6091004c4f007cfe893c46af2709eafca8b07

SHA256
856f7d8f4d6be6da96094998669a2811fcf5c75f7c0f4c0d44515393fc9f2247

SHA512
73b6a93c28b53184e02a355cf9286d01f9efab01e2455fe2c79112b41e8cca4f51bc3d43c0c8793933b1b0c356c82c1345e9150835a59266aafab25649920c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aedfjbljci.exe

Filesize
580KB

MD5
2c2029588ad8b86759c17b7ae885ee03

SHA1
91653b5344d4c210201218e2f215dd5228d76799

SHA256
3ab288c47914e33cc61985e46502158400faa9d7187b55c19039b8795504a290

SHA512
88531fe6b0f2d66ada368a431f912868f74f9ed8ade9dc88887807b761490fe2cc317e1b6b40e7070411924c80971f237dca68ad2faafa7b4b1ecd2ec90c860f

Download Submit
C:\Users\Admin\AppData\Local\Temp\remmrfgngw.exe

Filesize
51KB

MD5
e48b89715bf5e4c55eb5a1fed67865d9

SHA1
89a287da39e14b02cdc284eb287549462346d724

SHA256
c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e

SHA512
4bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\trnmg.sdb

Filesize
1KB

MD5
486756962d11e98ce75c16828185385f

SHA1
bf79a0a359e5661e7778377da840f28cc83c9d8b

SHA256
076a30f7aaead4b85c6cae7f6956d09294d03edfe2eaf74eb87a135db22fc86f

SHA512
0a57dad56fedff2e7f0778c0d7e17b8d6b6a9990ca3bdbd5e1073e64685265f701fd8a021baecec551052815692c676a3359550142039421c7b03893ac565039

Download Submit
C:\Windows\SysWOW64\bindsvc.exe

Filesize
291KB

MD5
7c5b397fb54d5aa06bd2a6fb99c62fee

SHA1
a9e0bf7bbabf6ab9e294156985537ae972ebd743

SHA256
d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee

SHA512
daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c

Download Submit
memory/1080-34-0x0000027E4AFE0000-0x0000027E4AFF0000-memory.dmp

Filesize
64KB

Download
memory/1080-18-0x0000027E4AEE0000-0x0000027E4AEF0000-memory.dmp

Filesize
64KB

Download
memory/1080-50-0x0000027E534D0000-0x0000027E534D8000-memory.dmp

Filesize
32KB

Download
memory/1080-74-0x0000027E54BD0000-0x0000027E54BD8000-memory.dmp

Filesize
32KB

Download
memory/2280-12-0x0000000000D50000-0x0000000000ECA000-memory.dmp

Filesize
1.5MB

Download
memory/2280-65-0x0000000000D50000-0x0000000000ECA000-memory.dmp

Filesize
1.5MB

Download
memory/4732-87-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-82-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-78-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-79-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-80-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-81-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-83-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-84-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-85-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-76-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-89-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-90-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-91-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-88-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-86-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-77-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-92-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-93-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-94-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-95-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-96-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-97-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-101-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-100-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-99-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-98-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-102-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-103-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download
memory/4732-104-0x00000119AA5A0000-0x00000119AA5B0000-memory.dmp

Filesize
64KB

Download