Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20250610-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    03/07/2025, 05:54

General

  • Target

    2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe

  • Size

    155KB

  • MD5

    7c9bbe4dc6c13b1011d03583e361f57d

  • SHA1

    924b38c9d45c3e619fa5a889816248199878e31a

  • SHA256

    9e4a18b51d41725a42a06855fc62f0cba92f4347f41c377061d5cb00b8cbc130

  • SHA512

    57d7088b213b969d19256d3c215523fd5a3f1192a2cbbb23e27f24aa17c8e288d262615d657822ec2c7c716d7cd0627e2afe27cf25bd8d5d0a8194af4a10cc79

  • SSDEEP

    3072:e79l86WqGzIfjZAVPXwu7xXIeoutyR9QXh1aQj:erzW/zeZqPpOeoSyQXh0Qj

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\ProgramData\AhnLab\AhnSvc.exe
      "C:\ProgramData\AhnLab\AhnSvc.exe" /run
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2120
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe" >> NUL
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2416
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\ProgramData\AhnLab\AhnSvc.exe" /run
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\ProgramData\AhnLab\AhnSvc.exe
      C:\ProgramData\AhnLab\AhnSvc.exe /run
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1144

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\ProgramData\AhnLab\AhnSvc.exe

          Filesize

          155KB

          MD5

          3f91c712799166d585d365b1dc8724d7

          SHA1

          f5397c765300a5bf638dca3690a61a0a828e1646

          SHA256

          a40c61965a0d11311694d7f3c43521f829c9822ea69d1f8cb313c2f02f51526c

          SHA512

          7fa2e59d5bf360699fe7cfd80ff7583505f9f7533670ba15bc7c4d77e49bea5212e83b5da583afa08409210392801e9970668083bfccc96aebb2bfb977b53429

        • C:\ProgramData\AhnLab\AhnSvc.exe

          Filesize

          155KB

          MD5

          e4ebb3b16eb19f276029dfe12844e121

          SHA1

          44bff03e17510d77f554df310b83053252dc526a

          SHA256

          6de30dd6d58827142e452a8ae1a6bcb4b32293645580775cc1eedbb611ceeee2

          SHA512

          248d3028a191d214649028b717c2d75af4cda953ab668aed448b8adcffa1fd388221032251368ee6b8243a40a48119d4397cad9a33e0a614d364ba94c3a19485

        • memory/1144-10-0x00000000005D0000-0x00000000005FA000-memory.dmp

          Filesize

          168KB

        • memory/1144-15-0x00000000005D0000-0x00000000005FA000-memory.dmp

          Filesize

          168KB

        • memory/2120-5-0x00000000004E0000-0x000000000050A000-memory.dmp

          Filesize

          168KB

        • memory/2120-13-0x00000000004E0000-0x000000000050A000-memory.dmp

          Filesize

          168KB

        • memory/2120-14-0x00000000004E0000-0x000000000050A000-memory.dmp

          Filesize

          168KB

        • memory/3768-0-0x00000000003D0000-0x00000000003FA000-memory.dmp

          Filesize

          168KB

        • memory/3768-12-0x00000000003D0000-0x00000000003FA000-memory.dmp

          Filesize

          168KB