Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/07/2025, 05:27

General

  • Target

    2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe

  • Size

    1.1MB

  • MD5

    07db9ac75e149b7f06fe2ecb428844bb

  • SHA1

    ddd6827f4cedd11c504da25908d54f44d53c14a1

  • SHA256

    1c646d1f4c5e5f034359ebeeb75bbc8b57a82f12c220f4b244e724649fb99b19

  • SHA512

    f26676df139563316b8c1846366ade0862c3e8a4aac9c2e3c271d766adbe8cbc2d7abc380b6769186b52f7b3da990d7a3cb09411aa79cc8d2745d2183a2cdaf5

  • SSDEEP

    24576:cFOaSyFZU7IlP6RUhTuCaSNMAoFcGUhgqf4x:sGZUhTgsMAoCGagxx

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4708
    • \??\c:\users\admin\appdata\local\temp\2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe 
      c:\users\admin\appdata\local\temp\2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe 
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      PID:2416
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3440
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2708
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4996
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4876
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1376
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3472
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2196
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4132
    • \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3504
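
The process tree above is the most reusable part of this report: the sample copies itself into C:\Windows\Resources and C:\Windows\Resources\Themes under the names of real Windows binaries (explorer.exe, svchost.exe, spoolsv.exe), re-executes its own image, and relaunches the copies through cmd.exe /c with short arguments (SE, PR, RO). The following is an added triage example, not code from the sandbox or from the page: it encodes those four observations as rules and runs them over process records constructed from the tree above. The Proc record shape, the rule names and the parent PIDs of the two cmd.exe processes (recorded as 0 because the report does not show them) are assumptions of this example. The legitimate directories for the three impersonated binaries are Windows facts, not taken from the report.

```python
import ntpath
from dataclasses import dataclass

# Where Windows actually installs the binaries this sample impersonates
# (lower-case; compared against normalised paths).
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}

# Holds theme data (.theme/.msstyles); executables here are anomalous.
RESOURCES_DIR = r"c:\windows\resources"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 = parent not recorded in the report (assumption)
    image: str
    cmdline: str


def normalize(path: str) -> str:
    """Map NT-style '\\??\\c:\\...' and mixed-case paths to lower-case Win32 form."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return ntpath.normpath(path).lower()


def triage(procs):
    """Return {pid: set(rule_tags)} for every process that trips at least one rule."""
    by_pid = {p.pid: p for p in procs}
    hits = {}
    for p in procs:
        full = normalize(p.image)
        name, directory = ntpath.basename(full), ntpath.dirname(full)
        tags = set()

        # Rule 1: a well-known system binary name running from a non-system directory.
        legit = LEGIT_DIRS.get(name)
        if legit is not None and directory not in legit:
            tags.add("system-name-outside-system-dir")

        # Rule 2: any executable under C:\Windows\Resources.
        if directory == RESOURCES_DIR or directory.startswith(RESOURCES_DIR + "\\"):
            tags.add("exe-under-windows-resources")

        parent = by_pid.get(p.ppid)
        # Rule 3: a process re-executing its own image (4708 -> 2416 in the report).
        if parent is not None and normalize(parent.image) == full:
            tags.add("self-reexecution")

        # Rule 4: a flagged binary being (re)launched through cmd.exe /c.
        if tags and parent is not None and ntpath.basename(normalize(parent.image)) == "cmd.exe":
            tags.add("relaunched-via-cmd")

        if tags:
            hits[p.pid] = tags
    return hits


# Constructed from the process tree in this report.
SAMPLE = "2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = ntpath.join(TEMP, SAMPLE)
SAMPLE_PROCS = [
    Proc(4708, 0, DROPPER, '"' + DROPPER + '"'),
    Proc(2416, 4708, "\\??\\" + DROPPER.lower(), DROPPER.lower()),
    Proc(3440, 4708, r"C:\Windows\Resources\Themes\icsys.icn.exe", r"C:\Windows\Resources\Themes\icsys.icn.exe"),
    Proc(2708, 3440, r"\??\c:\windows\resources\themes\explorer.exe", r"c:\windows\resources\themes\explorer.exe"),
    Proc(4996, 2708, r"\??\c:\windows\resources\spoolsv.exe", r"c:\windows\resources\spoolsv.exe SE"),
    Proc(4876, 4996, r"\??\c:\windows\resources\svchost.exe", r"c:\windows\resources\svchost.exe"),
    Proc(1376, 4876, r"\??\c:\windows\resources\spoolsv.exe", r"c:\windows\resources\spoolsv.exe PR"),
    Proc(3472, 0, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO"),
    Proc(2196, 3472, r"\??\c:\windows\resources\themes\explorer.exe", r"c:\windows\resources\themes\explorer.exe RO"),
    Proc(4132, 0, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO"),
    Proc(3504, 4132, r"\??\c:\windows\resources\svchost.exe", r"c:\windows\resources\svchost.exe RO"),
]

if __name__ == "__main__":
    for pid, tags in sorted(triage(SAMPLE_PROCS).items()):
        print(pid, sorted(tags))
```

Rule 1 alone catches six of the eleven processes; only Rule 2 catches icsys.icn.exe, whose name is not a system binary, and Rule 3 is what separates the second copy of the dropper (PID 2416) from an ordinary child process. The two cmd.exe processes are not flagged themselves: cmd.exe /c is legitimate, and the signal is the image it launches.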

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2025-07-03_07db9ac75e149b7f06fe2ecb428844bb_amadey_elex_smoke-loader_stop_swisyn.exe 

          Filesize

          1016KB

          MD5

          489c0f5b5966f14f43a52a5860489a14

          SHA1

          ccd2de35d4ddc416347b5ddce0f809b7cda1d165

          SHA256

          9d24373fac83e14571ef0f9f4f2083ca137f16039058b8dd80535b38e7db1974

          SHA512

          6a31c1c7a9232cf6fdfcbd777eb48b9a8d84eb9c69f39ef7c269dd8a8483756f4ddcae5c8478b100d165bfae9bf024396cd21aba77f996826cea4913f382f024

        • C:\Users\Public\Documents\Baidu\Common\I18N\conf.db

          Filesize

          403B

          MD5

          33039bae56792bcc6c5bfefaab4002ee

          SHA1

          428af59f494f19f23b19388fcb8fefd9491e301f

          SHA256

          b84a26fc26b1803f4a1b52f606c7a2fa4e15172c02a0e6333694b1377a56caf0

          SHA512

          4e7beb9794c164474caad667819cf8be7247e512be51449f419da7561a908caef21edecb16683f629f5a50c2cd6fcddf996a48ab46470da65ace98a2a193f8f0

        • C:\Windows\Resources\Themes\explorer.exe

          Filesize

          135KB

          MD5

          e7ece1f9d048decafe4d33509e23d1da

          SHA1

          2eac31d35eda722f281757405b26bf09da09f70d

          SHA256

          b30b634376d91174dc5a97d49a6d3e94994b85f4a24b8c9d8b960c9fb66a5b0c

          SHA512

          efc9ba2cdfe6facb9499514cb64422c5fe436f16cec70fc8aea7503428668f7f383f2d75d5f87c2b1425056b61df6151f237406d32543b742933a8966cb85635

        • C:\Windows\Resources\Themes\icsys.icn.exe

          Filesize

          135KB

          MD5

          e53e7c00ebc9c91f8e438d3e5f972405

          SHA1

          89f45635f5369adcb0fac8dcdfecc08f496bbf04

          SHA256

          3bce5366a0b06f4078417ae88f9efe71293ac18623749387058776dc3944cc78

          SHA512

          f5c47d3057c313bf2ce72de3cb252bce04b5b46bdce92b9c35245605fe677ca89dad2cb6d2f47017d80e597f760cd6f2c308a0ee276e076c0f1dd6cc6d930e41

        • C:\Windows\Resources\svchost.exe

          Filesize

          135KB

          MD5

          f643f9525d3babeb5cbbc05ccafdc7f9

          SHA1

          8e88b63d9557a40ccb40ce338d78c0c6f0033bb6

          SHA256

          17b49f0672ed8490dc38c26fddfddd2355bdc6ae29974a08d3b4c295ab35815d

          SHA512

          5c43bb57d267279276cca9abcf8b0d6534d89b5d12416f2d09f0f63e5681f247e4a0f94fb27c33daaf76c61e1ccb24e8f963d67f7ab273bf46a0d26e09d9e975

        • \??\c:\windows\resources\spoolsv.exe

          Filesize

          135KB

          MD5

          a4ddb5cafab9c3681d9f7db9e55749a2

          SHA1

          4ce490c50ac18290ea1a9700964905ee3d780efe

          SHA256

          4cc2a79704cb68f55272995bab8b35546caf41ec9b4461aa2c575ebe8b4014d5

          SHA512

          7caf04d807b47fe2770f4740613bca46ddba181b37c93100d52a535f6d3399e2d1cb301c8b9a38aff80ca4025b6e42e399382d047033c5b145aca2cd09582277

        • memory/1376-61-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/2196-74-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/2416-18-0x00000000013A0000-0x00000000013A1000-memory.dmp

          Filesize

          4KB

        • memory/2708-76-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/3440-63-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/3440-28-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/3504-70-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4708-0-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4708-64-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4876-77-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4996-62-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4996-47-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB
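
Note that the four dropped executables (explorer.exe, icsys.icn.exe, svchost.exe, spoolsv.exe) are all 135KB but carry four different hashes, so the SHA-256 values above identify this run rather than the family. For the masquerade paths the stronger indicator is that any file exists there at all. The following is an added example, not code from the sandbox or from the page: it takes the file IOCs from the list above, strips the NT `\??\` prefix the sandbox records, and reports each path as matched, present with a different hash, or absent. The `path_map` parameter, which redirects report paths to local copies (a mounted disk image, or a scratch file when testing off-host), is an assumption of this example.

```python
import hashlib
import os

# SHA-256 values and paths copied from the file list in this report.
DROPPED_FILE_IOCS = {
    "b30b634376d91174dc5a97d49a6d3e94994b85f4a24b8c9d8b960c9fb66a5b0c": r"C:\Windows\Resources\Themes\explorer.exe",
    "3bce5366a0b06f4078417ae88f9efe71293ac18623749387058776dc3944cc78": r"C:\Windows\Resources\Themes\icsys.icn.exe",
    "17b49f0672ed8490dc38c26fddfddd2355bdc6ae29974a08d3b4c295ab35815d": r"C:\Windows\Resources\svchost.exe",
    "4cc2a79704cb68f55272995bab8b35546caf41ec9b4461aa2c575ebe8b4014d5": r"\??\c:\windows\resources\spoolsv.exe",
    "b84a26fc26b1803f4a1b52f606c7a2fa4e15172c02a0e6333694b1377a56caf0": r"C:\Users\Public\Documents\Baidu\Common\I18N\conf.db",
}


def win32_path(p):
    """Strip the NT '\\??\\' prefix the sandbox records so the path can be opened normally."""
    return p[4:] if p.startswith("\\??\\") else p


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large artefacts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_host(iocs, path_map=None):
    """For each IOC path return 'match', 'present-different-hash' or 'missing'.

    path_map (assumption of this example) redirects a report path to a local copy,
    e.g. a file under a mounted image, instead of the live system path.
    """
    results = {}
    for digest, report_path in iocs.items():
        local = (path_map or {}).get(report_path, win32_path(report_path))
        if not os.path.isfile(local):
            results[report_path] = "missing"
        elif sha256_file(local) == digest.lower():
            results[report_path] = "match"
        else:
            # A file at a masquerade path with any hash is still worth a look.
            results[report_path] = "present-different-hash"
    return results


if __name__ == "__main__":
    for path, status in check_host(DROPPED_FILE_IOCS).items():
        print(f"{status:22} {path}")
```

Run on the infected host (or with `path_map` pointing into a mounted image), every `present-different-hash` result under C:\Windows\Resources should be treated as a hit, since nothing legitimate is expected to live at those paths; a `missing` result for conf.db is uninformative because it is a small configuration file the report records but does not describe.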