Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20250610-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/07/2025, 05:54

Behavioral task: behavioral1
- Sample: 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe
- Resource: win10v2004-20250610-en
General
- Target: 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe
- Size: 155KB
- MD5: 7c9bbe4dc6c13b1011d03583e361f57d
- SHA1: 924b38c9d45c3e619fa5a889816248199878e31a
- SHA256: 9e4a18b51d41725a42a06855fc62f0cba92f4347f41c377061d5cb00b8cbc130
- SHA512: 57d7088b213b969d19256d3c215523fd5a3f1192a2cbbb23e27f24aa17c8e288d262615d657822ec2c7c716d7cd0627e2afe27cf25bd8d5d0a8194af4a10cc79
- SSDEEP: 3072:e79l86WqGzIfjZAVPXwu7xXIeoutyR9QXh1aQj:erzW/zeZqPpOeoSyQXh0Qj
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\Control Panel\International\Geo\Nation (process: 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe)
- Executes dropped EXE (2 IoCs)
  - PID 2120: AhnSvc.exe
  - PID 1144: AhnSvc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AhnUpadate = "\"C:\\ProgramData\\AhnLab\\AhnSvc.exe\" /run" (process: 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe)
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- YARA matches (resource: yara_rule)
  - behavioral1/memory/3768-0-0x00000000003D0000-0x00000000003FA000-memory.dmp: upx
  - behavioral1/files/0x00090000000240d2-3.dat: upx
  - behavioral1/memory/2120-5-0x00000000004E0000-0x000000000050A000-memory.dmp: upx
  - behavioral1/files/0x00070000000240d6-9.dat: upx
  - behavioral1/memory/1144-10-0x00000000005D0000-0x00000000005FA000-memory.dmp: upx
  - behavioral1/memory/3768-12-0x00000000003D0000-0x00000000003FA000-memory.dmp: upx
  - behavioral1/memory/2120-13-0x00000000004E0000-0x000000000050A000-memory.dmp: upx
  - behavioral1/memory/2120-14-0x00000000004E0000-0x000000000050A000-memory.dmp: upx
  - behavioral1/memory/1144-15-0x00000000005D0000-0x00000000005FA000-memory.dmp: upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: AhnSvc.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeDebugPrivilege (PID 3768, 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe)
  - Token: SeDebugPrivilege (PID 2120, AhnSvc.exe)
  - Token: SeDebugPrivilege (PID 1144, AhnSvc.exe)
- Suspicious use of WriteProcessMemory (9 IoCs; columns: description, pid, process, procid_target)
  - PID 3768 wrote to memory of 2120; 3768; 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe; 89
  - PID 3768 wrote to memory of 2120; 3768; 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe; 89
  - PID 3768 wrote to memory of 2120; 3768; 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe; 89
  - PID 4980 wrote to memory of 1144; 4980; cmd.exe; 90
  - PID 4980 wrote to memory of 1144; 4980; cmd.exe; 90
  - PID 4980 wrote to memory of 1144; 4980; cmd.exe; 90
  - PID 3768 wrote to memory of 2416; 3768; 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe; 92
  - PID 3768 wrote to memory of 2416; 3768; 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe; 92
  - PID 3768 wrote to memory of 2416; 3768; 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe; 92
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe"
  PID: 3768
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\AhnLab\AhnSvc.exe
    Command line: "C:\ProgramData\AhnLab\AhnSvc.exe" /run
    PID: 2120
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe" >> NUL
    PID: 2416
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\ProgramData\AhnLab\AhnSvc.exe" /run
  PID: 4980
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\AhnLab\AhnSvc.exe
    Command line: C:\ProgramData\AhnLab\AhnSvc.exe /run
    PID: 1144
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 155KB
  MD5: 3f91c712799166d585d365b1dc8724d7
  SHA1: f5397c765300a5bf638dca3690a61a0a828e1646
  SHA256: a40c61965a0d11311694d7f3c43521f829c9822ea69d1f8cb313c2f02f51526c
  SHA512: 7fa2e59d5bf360699fe7cfd80ff7583505f9f7533670ba15bc7c4d77e49bea5212e83b5da583afa08409210392801e9970668083bfccc96aebb2bfb977b53429
- Filesize: 155KB
  MD5: e4ebb3b16eb19f276029dfe12844e121
  SHA1: 44bff03e17510d77f554df310b83053252dc526a
  SHA256: 6de30dd6d58827142e452a8ae1a6bcb4b32293645580775cc1eedbb611ceeee2
  SHA512: 248d3028a191d214649028b717c2d75af4cda953ab668aed448b8adcffa1fd388221032251368ee6b8243a40a48119d4397cad9a33e0a614d364ba94c3a19485