Analysis
max time kernel: 106s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2025, 14:05
Static task: static1
General
Target: 2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe
Size: 6.3MB
MD5: 556064dc8f4ec3f38e1d0336b64a9d6d
SHA1: 429c077a54063cdcd57d8bfe7f3d0ef3d33eddc4
SHA256: 2949528469b271b19c76ecee742ec023b9609a75680e78ce802bdda6cbdb0a9c
SHA512: 80f13a4b68deb2eeebefcaba46d5ee25b06591f4a975bbf70a8b942a758ddcbe0ca14fa019b2e21e67a599ba096cb31b37dbcf352d66378b54f14d58594df063
SSDEEP: 98304:IhvqKRIUawpKjCoSlQ3wTWcS5vXjrH9MSuN0m0FxaL/Xe1jGVl:IhCWGEvpWPzjuF6m0FxaL/Xem
Malware Config
Signatures
- Detects Mofksys worm (1 IoC)
  resource: behavioral1/files/0x00080000000240f1-10.dat
  yara_rule: family_mofksys
- Mofksys family
- Executes dropped EXE (2 IoCs)
  pid 1416: 2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe
  pid 1828: icsys.icn.exe
- Drops file in System32 directory (1 IoC)
  File opened for modification: \??\c:\windows\SysWOW64\explorer.exe (process: icsys.icn.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: icsys.icn.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: explorer.exe)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings (process: explorer.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1828: icsys.icn.exe (all 64 entries carry this same pid and process)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid 2484: 2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe (2 entries)
  pid 1416: 2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe (2 entries)
  pid 1828: icsys.icn.exe (2 entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2484 wrote to memory of 1416; pid 2484; process 2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe; procid_target 89 (3 entries)
  PID 2484 wrote to memory of 1828; pid 2484; process 2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe; procid_target 91 (3 entries)
  PID 1828 wrote to memory of 4336; pid 1828; process icsys.icn.exe; procid_target 97 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe"
   PID: 2484
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\users\admin\appdata\local\temp\2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe
      Command line: c:\users\admin\appdata\local\temp\2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe
      PID: 1416
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
   2. C:\Users\Admin\AppData\Roaming\icsys.icn.exe
      Command line: C:\Users\Admin\AppData\Roaming\icsys.icn.exe
      PID: 1828
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\SysWOW64\explorer.exe
         Command line: c:\windows\system32\explorer.exe
         PID: 4336
         - System Location Discovery: System Language Discovery
         - Modifies registry class
Network
MITRE ATT&CK Enterprise v16
Downloads
- C:\Users\Admin\AppData\Local\Temp\2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe
  Filesize: 6.1MB
  MD5: d5e07266f4e15f3e43ea7ced56c97603
  SHA1: 43bb8526d2a927b656b45e193511d97fc5c43d66
  SHA256: 7c0ef5ef4da0efda41f3fa2348b8bfc9b3cc644f9d0d6488b07b9f22adeca794
  SHA512: 9b472a77b4fe3eadd67b3e628f2ed13d8b6ffc82ff4cf309ff428f461736791618840b6b273f93ef3bed1d78d5a3437ddab53d949fd724cb6d8c351109d5970b
- (no file path recorded)
  Filesize: 207KB
  MD5: 270c3dc6cbe3cb69b647f201e3a25ede
  SHA1: 8e8a5408fa9247a65a2a1bae2a083d2bc9cde3ef
  SHA256: fc6912de7cbe47a79fc098f51d7092b10b4f951d2a5ee68e5df49ae01fc950be
  SHA512: 81a2e753c11c915416f41e0ba4e63a2a6f71b89f4f6d182995374c930ad2b7081d81dab0c5f7d90b124a8163710e3edd0ef6d56d0da65f2a148213ec180672ef