Analysis

  • max time kernel
    146s
  • max time network
    104s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250610-en
  • resource tags
    arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    02/07/2025, 18:54

General

  • Target

    2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe

  • Size

    754KB

  • MD5

    e7a1294ae66a9b255f984b45c5a1a3e6

  • SHA1

    4fa6fff2aa486b9ad08829b914926635bc7c5e2b

  • SHA256

    b9bb7ad541c02f06c2549a3fe83e484d8e8ea551801e3e01f2c80996477aa043

  • SHA512

    38a850cc7f19283ee0eeae9bb2a37c335dc06c742ecd07e2deba974aac83a7a73de845fc10aa65653c327676572c93c7150e6b54c745235b45bf133743cb62ab

  • SSDEEP

    12288:amhjKOXdUlzn3DSudvsh8Awf3XFaZmBITVJPtSrE37yG2LmxiOqOF:thLalj3DSudvGM3MXTVhtSQWGtxt

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 8 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe
      "C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe" "C:\Users\Admin\AppData\Local\Temp\ubwesknsgx.exe" "C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4892
    • C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe
      C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5292
      • C:\Windows\System32\cmd.exe
        /c sc config msdtc obj= LocalSystem
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:6044
        • C:\Windows\system32\sc.exe
          sc config msdtc obj= LocalSystem
          4⤵
          • Launches sc.exe
          PID:4588
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1Ib3S27M.bat"
        3⤵
        PID:5580
      • C:\Windows\System32\bindsvc.exe
        "C:\Windows\System32\bindsvc.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:6060
    • C:\Windows\system32\SearchIndexer.exe
      C:\Windows\system32\SearchIndexer.exe /Embedding
      1⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\System32\SearchProtocolHost.exe
        "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        2⤵
        • Modifies data under HKEY_USERS
        PID:1020
      • C:\Windows\system32\SearchFilterHost.exe
        "C:\Windows\system32\SearchFilterHost.exe" 828 2640 2204 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
        2⤵
        • Modifies data under HKEY_USERS
        PID:4888
      • C:\Windows\system32\SearchFilterHost.exe
        "C:\Windows\system32\SearchFilterHost.exe" 828 2768 2344 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
        2⤵
        • Modifies data under HKEY_USERS
        PID:4904

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1Ib3S27M.bat
    Filesize: 196B
    MD5: 2e89099b065a8497f21a87c063f7a2fa
    SHA1: 39b8a88357941002bc1b0279466280b034bdc3e2
    SHA256: d010fbd4c4ab965ce63ce21bbb64c286c5f407b3548da5adf36e055f33738108
    SHA512: 4208d16d8627d310f151799299b1b59633ac7322db94cd4063b4102e652db5849e929dac723ecc3d607d706b26cdb44ed1701db77023091478d2e33c8ad23002

  • C:\Users\Admin\AppData\Local\Temp\ubwesknsgx.exe
    Filesize: 38KB
    MD5: f659ba68d92152adb1b88fece9c9bda5
    SHA1: c5b10c7b66b35bcbd7e1ab6cd36bb8439d80214d
    SHA256: b1955a36fee6be734dbe3fd7f68eec972cbaf9af4b694f3bf718f85689e2235a
    SHA512: de4b9764291100b40d9bd6620d1ef19c9552760441d266073017f577e2f8475e4884a6ce5587bd045f7e90e2faf1f97b229965974f1fd81cf58140b6d05098f0

  • C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe
    Filesize: 51KB
    MD5: e48b89715bf5e4c55eb5a1fed67865d9
    SHA1: 89a287da39e14b02cdc284eb287549462346d724
    SHA256: c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e
    SHA512: 4bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c

  • C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe
    Filesize: 580KB
    MD5: 2c2029588ad8b86759c17b7ae885ee03
    SHA1: 91653b5344d4c210201218e2f215dd5228d76799
    SHA256: 3ab288c47914e33cc61985e46502158400faa9d7187b55c19039b8795504a290
    SHA512: 88531fe6b0f2d66ada368a431f912868f74f9ed8ade9dc88887807b761490fe2cc317e1b6b40e7070411924c80971f237dca68ad2faafa7b4b1ecd2ec90c860f

  • C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\trnmg.sdb
    Filesize: 1KB
    MD5: 1bfb02f2b271e4120c8a147b7faed27d
    SHA1: 7de18acfd9cfd7b2e4276c0f882a0086261e0b31
    SHA256: 4ea416ebbbf8f2d35f09514cb513796694c2bc28d41e023c5a849e1c0bcd7c02
    SHA512: bc89dc24cb5926bff603dee68de40b60b59551ef750b712125bdb37caff08c6ffd45ca631230a4d149a3d23f8206e96b4718d07e0cd17dc1aa453f3ccb231a29

  • C:\Windows\System32\bindsvc.exe
    Filesize: 291KB
    MD5: 7c5b397fb54d5aa06bd2a6fb99c62fee
    SHA1: a9e0bf7bbabf6ab9e294156985537ae972ebd743
    SHA256: d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee
    SHA512: daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c

  • memory/1920-21-0x0000025D8E7C0000-0x0000025D8E7D0000-memory.dmp (Filesize: 64KB)
  • memory/1920-37-0x0000025D8E8C0000-0x0000025D8E8D0000-memory.dmp (Filesize: 64KB)
  • memory/1920-53-0x0000025D96DB0000-0x0000025D96DB8000-memory.dmp (Filesize: 32KB)
  • memory/4888-94-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-109-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-77-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-76-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-78-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-80-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-81-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-82-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-83-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-85-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-87-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-86-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-84-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-79-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-88-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-89-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-90-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-92-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-93-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-91-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-103-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-102-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-101-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-100-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-99-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-98-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-97-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-96-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-95-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-72-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-104-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-105-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-106-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-75-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-108-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-107-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-110-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-114-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-116-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-117-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-119-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-121-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-125-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-126-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-132-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-131-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-130-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-129-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-128-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-127-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-124-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-123-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-122-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-120-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-118-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-115-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-113-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-111-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-112-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-73-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4888-74-0x00000208CCF10000-0x00000208CCF20000-memory.dmp (Filesize: 64KB)
  • memory/4892-71-0x0000000005660000-0x000000000566A000-memory.dmp (Filesize: 40KB)
  • memory/4892-70-0x00000000055B0000-0x0000000005642000-memory.dmp (Filesize: 584KB)
  • memory/4892-69-0x0000000005C30000-0x00000000061D6000-memory.dmp (Filesize: 5.6MB)
  • memory/4892-68-0x0000000000C50000-0x0000000000C60000-memory.dmp (Filesize: 64KB)
  • memory/5292-15-0x0000000000B60000-0x0000000000CDA000-memory.dmp (Filesize: 1.5MB)
  • memory/5292-174-0x0000000000B60000-0x0000000000CDA000-memory.dmp (Filesize: 1.5MB)
  • memory/5292-183-0x0000000000B60000-0x0000000000CDA000-memory.dmp (Filesize: 1.5MB)