c9c0e8c7ef86cf19ac93b4d5742aeb666c815e6dfdb5585e4b87b1dfb5bf56c1

General

Target

2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Size

1.6MB
MD5

060029c8c2aca9ed45367e412b298557
SHA1

85d5f41f531e65d8435dde3bf7f2fe6d19412f9e
SHA256

c9c0e8c7ef86cf19ac93b4d5742aeb666c815e6dfdb5585e4b87b1dfb5bf56c1
SHA512

e2a3322bf729a7d8cb61b958a39c3320436ff872e91df0cd36b112cf210ac42288445a582ae3b8de9008cfbb3fb7641ad92b724a05cf4066baa9f101a2a91f91
SSDEEP

24576:YvO2xJKRI2FOkx2LFEvcUQPxuZ98Es8k3OH3C0rQ6+8pKJJFo3Q+qdCOKIbAKjH4:YHHKO29Qm5QZuTtS0rQMYOQ+q8CEKT4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3816	16282e52

Unexpected DNS network traffic destination 16 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	56	223.5.5.5	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Destination IP	145	114.114.114.114	3816	16282e52
Destination IP	356	223.5.5.5	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Destination IP	386	114.114.114.114	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Destination IP	1	114.114.114.114	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Destination IP	14	223.5.5.5	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Destination IP	55	114.114.114.114	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Destination IP	355	114.114.114.114	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Destination IP	101	114.114.114.114	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Destination IP	118	223.5.5.5	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Destination IP	155	223.5.5.5	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Destination IP	186	223.5.5.5	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Destination IP	292	114.114.114.114	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Destination IP	177	114.114.114.114	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Destination IP	293	223.5.5.5	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Destination IP	387	223.5.5.5	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	16282e52
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	16282e52
File created	C:\Windows\SysWOW64\16282e52	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	16282e52
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	16282e52
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	16282e52
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	16282e52
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_F61B1F59C39D3BA0EA8DE9893578D2FA	16282e52
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	16282e52
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	16282e52
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	16282e52
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	16282e52
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	16282e52
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	16282e52
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_F61B1F59C39D3BA0EA8DE9893578D2FA	16282e52

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\5f1ee8	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
File opened for modification	C:\Windows\4154d0	16282e52

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16282e52

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	16282e52
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	16282e52
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	16282e52
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	16282e52
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	16282e52
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	16282e52
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	16282e52
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	16282e52
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	16282e52

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3816	16282e52
3816	16282e52
3816	16282e52
3816	16282e52
3816	16282e52
3816	16282e52
3816	16282e52
3816	16282e52
5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Token: SeTcbPrivilege	5556	2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
Token: SeDebugPrivilege	3816	16282e52
Token: SeTcbPrivilege	3816	16282e52

C:\Users\Admin\AppData\Local\Temp\2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-12_060029c8c2aca9ed45367e412b298557_amadey_elex_mafia_smoke-loader.exe"
1⤵
- Unexpected DNS network traffic destination
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5556

C:\Windows\Syswow64\16282e52
C:\Windows\Syswow64\16282e52
1⤵
- Executes dropped EXE
- Unexpected DNS network traffic destination
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3816

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\16282e52

Filesize
1.6MB

MD5
132edc4b894340d4dc8fe756ceab1343

SHA1
7229610ad6a2a082c7a40d1ba397883081103361

SHA256
846f963a5cd08aad24866854560ef664e571010a3e345d33290ba77879f595a4

SHA512
b2af28063787354fcd749cd1167c4298e6191c6c44227fa80b31c2000e507b82fb860ea099676b6d2986fc489d1180f719f59cf1f505f4a27453c1d4c82a2837

Download Submit
memory/3816-4-0x0000000000C50000-0x0000000000CB3000-memory.dmp

Filesize
396KB

Download
memory/5556-0-0x0000000000B70000-0x0000000000BD3000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing