Analysis Overview
SHA256
9e4a18b51d41725a42a06855fc62f0cba92f4347f41c377061d5cb00b8cbc130
Threat Level: Shows suspicious behavior
The file 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Indicator Removal: File Deletion
UPX packed file
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-03 05:54
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-03 05:54
Reported
2025-07-03 05:57
Platform
win10v2004-20250610-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\AhnLab\AhnSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AhnLab\AhnSvc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AhnUpadate = "\"C:\\ProgramData\\AhnLab\\AhnSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A |
Indicator Removal: File Deletion
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\AhnLab\AhnSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\AhnLab\AhnSvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\AhnLab\AhnSvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | "C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\ProgramData\AhnLab\AhnSvc.exe" /run |
| C:\ProgramData\AhnLab\AhnSvc.exe | "C:\ProgramData\AhnLab\AhnSvc.exe" /run |
| C:\ProgramData\AhnLab\AhnSvc.exe | C:\ProgramData\AhnLab\AhnSvc.exe /run |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe" >> NUL |
The last cmd.exe is recorded under SysWOW64 although its command line names system32: the caller is a 32-bit process and WOW64 file system redirection rewrote the path, just as registry redirection placed the Run value under WOW6432Node. That final command deletes the original dropper after the dropped AhnSvc.exe has been started.
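The chain above (dropper writes a Run value pointing into ProgramData, launches the dropped AhnSvc.exe through cmd.exe, then has a second cmd.exe delete the dropper) is a compact detection scenario. The following Python is an added example and not part of the sandbox output: it runs three checks over constructed Sysmon-style events (ID 1 process create, ID 13 registry value set) that mirror the report. The paths and the Run value are taken from the report; PIDs other than 3768 and 2120, the OneDrive control event and the event field names are assumptions of this example.

```python
"""Detection logic for Run-key persistence into a user-writable directory,
cmd.exe self-deletion of the parent, and WOW64 path redirection.

Added example, not part of the sandbox report. EVENTS are constructed
Sysmon-style records that mirror the report's process and registry data;
PIDs 612, 4408, 5000 and 900 and the OneDrive control event are made up.
"""
import re

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d"
           r"_amadey_elex_rhadamanthys_smoke-loader_stop.exe")
PAYLOAD = r"C:\ProgramData\AhnLab\AhnSvc.exe"

EVENTS = [
    {"id": 1, "pid": 3768, "ppid": 612, "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"id": 13, "pid": 3768, "image": DROPPER,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AhnUpadate",
     "details": f'"{PAYLOAD}" /run'},
    {"id": 1, "pid": 4408, "ppid": 3768, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": f'C:\\Windows\\system32\\cmd.exe /c "{PAYLOAD}" /run'},
    {"id": 1, "pid": 2120, "ppid": 4408, "image": PAYLOAD, "cmd": f'"{PAYLOAD}" /run'},
    {"id": 1, "pid": 5000, "ppid": 3768, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": f'"C:\\Windows\\system32\\cmd.exe" /c del /q "{DROPPER}" >> NUL'},
    # Benign control case (constructed): a Run value pointing into Program Files.
    {"id": 13, "pid": 900, "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\(?:ProgramData|Users\\[^\\]+\\AppData)\\", re.IGNORECASE)
DEL_RE = re.compile(r'/c\s+del\s+(?:/\w+\s+)*"?(?P<target>[^"]+?\.exe)"?', re.IGNORECASE)


def first_exe_path(value: str) -> str:
    """Return the executable path at the start of a Run value, quoted or not."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', value)
    return (m.group(1) or m.group(2)) if m else ""


def detect_run_key_persistence(events):
    """T1547.001: Run value whose target lives in a user-writable directory.
    Also records whether the key sits under WOW6432Node (a 32-bit writer)."""
    hits = []
    for e in events:
        if e["id"] != 13 or not RUN_KEY_RE.search(e["target"]):
            continue
        exe = first_exe_path(e["details"])
        if USER_WRITABLE_RE.match(exe):
            hits.append({"rule": "run_key_to_user_writable_dir", "pid": e["pid"],
                         "key": e["target"], "exe": exe,
                         "wow64": "\\wow6432node\\" in e["target"].lower()})
    return hits


def detect_self_deletion(events):
    """T1070.004: cmd.exe deleting its parent process's own image file."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmd"])
        parent = by_pid.get(e.get("ppid"))
        if m and parent and m.group("target").lower() == parent["image"].lower():
            hits.append({"rule": "parent_self_delete_via_cmd", "pid": e["pid"],
                         "parent_pid": parent["pid"], "deleted": m.group("target")})
    return hits


def detect_wow64_redirect(events):
    """Image recorded under SysWOW64 while the command line names System32:
    the File System Redirector rewrote the path for a 32-bit caller."""
    return [e["pid"] for e in events
            if e["id"] == 1 and "\\syswow64\\" in e["image"].lower()
            and "\\system32\\" in e["cmd"].lower()]


if __name__ == "__main__":
    for hit in detect_run_key_persistence(EVENTS) + detect_self_deletion(EVENTS):
        print(hit)
    print("wow64-redirected cmd.exe pids:", detect_wow64_redirect(EVENTS))
```

The self-deletion check deliberately requires the deleted path to equal the parent's image rather than matching on `del` alone, which keeps installer clean-up scripts out of the alert; the Run-key check keys on the target directory, not the value name, because "AhnUpadate" is only the name this sample chose.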
Network
Identical rows from the capture are collapsed; Count is the number of times each row appears.
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | www.icoway.net | udp | 18 |
| US | 8.8.8.8:53 | www.kimc10scom | udp | 18 |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1 |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp | 5 |
| US | 8.8.8.8:53 | c.pki.goog | udp | 1 |
| GB | 142.250.179.227:80 | c.pki.goog | tcp | 1 |
Only DNS queries are recorded for www.icoway.net and www.kimc10scom; no TCP connection to either name follows, consistent with the lookups not resolving during the run (the second name has no recognisable top-level domain). tse1.mm.bing.net and c.pki.goog are Microsoft and Google service endpoints and are typical Windows background traffic rather than sample activity.
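Separating the sample's own network indicators from sandbox background noise is the first triage step on a table like the one above. The Python below is an added example, not part of the sandbox output: ROWS is transcribed from the report's table, while the list of background endpoints and the top-level-domain heuristic are this example's own assumptions. It collapses repeated rows, lists names that were queried but never contacted, and flags a final label that cannot be a delegated TLD.

```python
"""Triage of a sandbox network table: collapse repeats, split known
background endpoints from sample activity, flag unresolved lookups.

Added example, not part of the sandbox report. ROWS mirrors the report's
Network table; KNOWN_BACKGROUND and the TLD rule are assumptions.
"""
import re
from collections import Counter

# (country, destination, domain, proto) as in the report, repeats included.
ROWS = (
    [("US", "8.8.8.8:53", "www.icoway.net", "udp")] * 18
    + [("US", "8.8.8.8:53", "www.kimc10scom", "udp")] * 18
    + [("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp")]
    + [("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp")] * 5
    + [("US", "8.8.8.8:53", "c.pki.goog", "udp")]
    + [("GB", "142.250.179.227:80", "c.pki.goog", "tcp")]
)

# Assumed benign: Bing thumbnail CDN and Google PKI (CRL/OCSP) endpoints.
KNOWN_BACKGROUND = {"tse1.mm.bing.net", "c.pki.goog"}


def summarize(rows):
    """Collapse identical (domain, proto, destination) rows into counts."""
    return Counter((domain, proto, dst) for _, dst, domain, proto in rows)


def is_dns(dst):
    return dst.endswith(":53")


def dns_only_domains(rows):
    """Names that were queried but never appear as a non-DNS destination:
    in a sandbox this usually means NXDOMAIN or a dead/sinkholed host."""
    queried = {d for _, dst, d, _ in rows if is_dns(dst)}
    contacted = {d for _, dst, d, _ in rows if not is_dns(dst)}
    return sorted(queried - contacted)


def suspicious_tld(domain):
    """Delegated TLDs are letters only or xn-- punycode labels; a final
    label containing digits (kimc10scom) cannot resolve anywhere."""
    tld = domain.rsplit(".", 1)[-1].lower()
    return not (tld.startswith("xn--") or re.fullmatch(r"[a-z]{2,63}", tld))


def triage(rows):
    counts = summarize(rows)
    lookups = Counter()
    for (domain, _, dst), n in counts.items():
        if is_dns(dst):
            lookups[domain] += n
    candidates = [
        {"domain": d, "lookups": lookups[d], "bad_tld": suspicious_tld(d)}
        for d in dns_only_domains(rows) if d not in KNOWN_BACKGROUND
    ]
    background = sorted({d for _, _, d, _ in rows} & KNOWN_BACKGROUND)
    return {"candidates": candidates, "background": background}


if __name__ == "__main__":
    for key, n in sorted(summarize(ROWS).items()):
        print(f"{n:3d}  {key}")
    print(triage(ROWS))
```

Eighteen lookups each with no follow-on connection is the retry loop of a loader whose hosts are down or misconfigured; the names are still worth blocking, but the absence of a TCP flow means the capture contains no C2 protocol to analyse.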
Files
Dropped file: C:\ProgramData\AhnLab\AhnSvc.exe (first content observed at this path)
| MD5 | e4ebb3b16eb19f276029dfe12844e121 |
| SHA1 | 44bff03e17510d77f554df310b83053252dc526a |
| SHA256 | 6de30dd6d58827142e452a8ae1a6bcb4b32293645580775cc1eedbb611ceeee2 |
| SHA512 | 248d3028a191d214649028b717c2d75af4cda953ab668aed448b8adcffa1fd388221032251368ee6b8243a40a48119d4397cad9a33e0a614d364ba94c3a19485 |
Dropped file: C:\ProgramData\AhnLab\AhnSvc.exe (second content observed at the same path)
| MD5 | 3f91c712799166d585d365b1dc8724d7 |
| SHA1 | f5397c765300a5bf638dca3690a61a0a828e1646 |
| SHA256 | a40c61965a0d11311694d7f3c43521f829c9822ea69d1f8cb313c2f02f51526c |
| SHA512 | 7fa2e59d5bf360699fe7cfd80ff7583505f9f7533670ba15bc7c4d77e49bea5212e83b5da583afa08409210392801e9970668083bfccc96aebb2bfb977b53429 |
The same path is listed twice with different hashes, so two distinct file contents were written to C:\ProgramData\AhnLab\AhnSvc.exe during the run; both hash sets should be treated as indicators.
Memory dumps (name format: PID-index-start-end; every region is 0x2A000 bytes, consistent with the same unpacked image in each of the three processes):
| PID | Dump | Region |
| 3768 | memory/3768-0-0x00000000003D0000-0x00000000003FA000-memory.dmp | 0x003D0000-0x003FA000 |
| 2120 | memory/2120-5-0x00000000004E0000-0x000000000050A000-memory.dmp | 0x004E0000-0x0050A000 |
| 1144 | memory/1144-10-0x00000000005D0000-0x00000000005FA000-memory.dmp | 0x005D0000-0x005FA000 |
| 3768 | memory/3768-12-0x00000000003D0000-0x00000000003FA000-memory.dmp | 0x003D0000-0x003FA000 |
| 2120 | memory/2120-13-0x00000000004E0000-0x000000000050A000-memory.dmp | 0x004E0000-0x0050A000 |
| 2120 | memory/2120-14-0x00000000004E0000-0x000000000050A000-memory.dmp | 0x004E0000-0x0050A000 |
| 1144 | memory/1144-15-0x00000000005D0000-0x00000000005FA000-memory.dmp | 0x005D0000-0x005FA000 |