Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2025, 05:27
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe
Resource: win10v2004-20250619-en
General
Target: 2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe
Size: 1.1MB
MD5: 07db9ac75e149b7f06fe2ecb428844bb
SHA1: ddd6827f4cedd11c504da25908d54f44d53c14a1
SHA256: 1c646d1f4c5e5f034359ebeeb75bbc8b57a82f12c220f4b244e724649fb99b19
SHA512: f26676df139563316b8c1846366ade0862c3e8a4aac9c2e3c271d766adbe8cbc2d7abc380b6769186b52f7b3da990d7a3cb09411aa79cc8d2745d2183a2cdaf5
SSDEEP: 24576:cFOaSyFZU7IlP6RUhTuCaSNMAoFcGUhgqf4x:sGZUhTgsMAoCGagxx
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (8 IoCs)
pid | Process
2416 | 2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe
3440 | icsys.icn.exe
2708 | explorer.exe
4996 | spoolsv.exe
4876 | svchost.exe
1376 | spoolsv.exe
3504 | svchost.exe
2196 | explorer.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | 2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
4708 | 2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe | 32
3440 | icsys.icn.exe | 32
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2708 | explorer.exe
4876 | svchost.exe
Suspicious use of SetWindowsHookEx (16 IoCs)
pid | Process | occurrences
4708 | 2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe | 2
3440 | icsys.icn.exe | 2
2708 | explorer.exe | 2
4996 | spoolsv.exe | 2
4876 | svchost.exe | 2
1376 | spoolsv.exe | 2
3504 | svchost.exe | 2
2196 | explorer.exe | 2
Suspicious use of WriteProcessMemory (24 IoCs; each relation was reported three times)
description | pid | Process | procid_target
PID 4708 wrote to memory of 2416 | 4708 | 2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe | 85
PID 4708 wrote to memory of 3440 | 4708 | 2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe | 87
PID 3440 wrote to memory of 2708 | 3440 | icsys.icn.exe | 88
PID 2708 wrote to memory of 4996 | 2708 | explorer.exe | 90
PID 4996 wrote to memory of 4876 | 4996 | spoolsv.exe | 91
PID 4876 wrote to memory of 1376 | 4876 | svchost.exe | 92
PID 4132 wrote to memory of 3504 | 4132 | cmd.exe | 97
PID 3472 wrote to memory of 2196 | 3472 | cmd.exe | 98
Processes

1. C:\Users\Admin\AppData\Local\Temp\2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe"
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4708

   2. \??\c:\users\admin\appdata\local\temp\2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe
      Command line: c:\users\admin\appdata\local\temp\2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
      PID: 2416

   2. C:\Windows\Resources\Themes\icsys.icn.exe
      Command line: C:\Windows\Resources\Themes\icsys.icn.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3440

      3. \??\c:\windows\resources\themes\explorer.exe
         Command line: c:\windows\resources\themes\explorer.exe
         - Modifies visibility of hidden/system files in Explorer
         - Executes dropped EXE
         - Adds Run key to start application
         - Drops file in System32 directory
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         PID: 2708

         4. \??\c:\windows\resources\spoolsv.exe
            Command line: c:\windows\resources\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 4996

            5. \??\c:\windows\resources\svchost.exe
               Command line: c:\windows\resources\svchost.exe
               - Modifies visibility of hidden/system files in Explorer
               - Executes dropped EXE
               - Adds Run key to start application
               - Drops file in System32 directory
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: GetForegroundWindowSpam
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory
               PID: 4876

               6. \??\c:\windows\resources\spoolsv.exe
                  Command line: c:\windows\resources\spoolsv.exe PR
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 1376

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
   - Suspicious use of WriteProcessMemory
   PID: 3472

   2. \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe RO
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2196

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
   - Suspicious use of WriteProcessMemory
   PID: 4132

   2. \??\c:\windows\resources\svchost.exe
      Command line: c:\windows\resources\svchost.exe RO
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 3504
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Modify Registry (2)
- Pre-OS Boot (1): Bootkit (1)
Downloads