Malware Analysis Report

2025-08-10 19:52

Sample ID 250703-gl99dafl9t
Target 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop
SHA256 9e4a18b51d41725a42a06855fc62f0cba92f4347f41c377061d5cb00b8cbc130
Tags upx, defense_evasion, discovery, persistence
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V16
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 7/10

SHA256 9e4a18b51d41725a42a06855fc62f0cba92f4347f41c377061d5cb00b8cbc130

Threat Level: Shows suspicious behavior

The file 2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx defense_evasion discovery persistence

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Indicator Removal: File Deletion

UPX packed file

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:54

Signatures

UPX packed file

Tag: upx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:54

Reported

2025-07-03 05:57

Platform

win10v2004-20250610-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe"

Signatures

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\AhnLab\AhnSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AhnLab\AhnSvc.exe | N/A |

Adds Run key to start application

Tag: persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AhnUpadate = "\"C:\\ProgramData\\AhnLab\\AhnSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A |

Indicator Removal: File Deletion

Tag: defense_evasion

UPX packed file

Tag: upx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tag: discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\AhnLab\AhnSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\AhnLab\AhnSvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\AhnLab\AhnSvc.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3768 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\ProgramData\AhnLab\AhnSvc.exe |
| PID 3768 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\ProgramData\AhnLab\AhnSvc.exe |
| PID 3768 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\ProgramData\AhnLab\AhnSvc.exe |
| PID 4980 wrote to memory of 1144 | N/A | C:\Windows\system32\cmd.exe | C:\ProgramData\AhnLab\AhnSvc.exe |
| PID 4980 wrote to memory of 1144 | N/A | C:\Windows\system32\cmd.exe | C:\ProgramData\AhnLab\AhnSvc.exe |
| PID 4980 wrote to memory of 1144 | N/A | C:\Windows\system32\cmd.exe | C:\ProgramData\AhnLab\AhnSvc.exe |
| PID 3768 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3768 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3768 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Windows\SysWOW64\cmd.exe |

Processes

| Image | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe | "C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\ProgramData\AhnLab\AhnSvc.exe" /run |
| C:\ProgramData\AhnLab\AhnSvc.exe | "C:\ProgramData\AhnLab\AhnSvc.exe" /run |
| C:\ProgramData\AhnLab\AhnSvc.exe | C:\ProgramData\AhnLab\AhnSvc.exe /run |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c9bbe4dc6c13b1011d03583e361f57d_amadey_elex_rhadamanthys_smoke-loader_stop.exe" >> NUL |

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |
| US | 8.8.8.8:53 | www.icoway.net | udp |
| US | 8.8.8.8:53 | www.kimc10scom | udp |

Files

memory/3768-0-0x00000000003D0000-0x00000000003FA000-memory.dmp

C:\ProgramData\AhnLab\AhnSvc.exe

MD5 e4ebb3b16eb19f276029dfe12844e121
SHA1 44bff03e17510d77f554df310b83053252dc526a
SHA256 6de30dd6d58827142e452a8ae1a6bcb4b32293645580775cc1eedbb611ceeee2
SHA512 248d3028a191d214649028b717c2d75af4cda953ab668aed448b8adcffa1fd388221032251368ee6b8243a40a48119d4397cad9a33e0a614d364ba94c3a19485

memory/2120-5-0x00000000004E0000-0x000000000050A000-memory.dmp

C:\ProgramData\AhnLab\AhnSvc.exe

MD5 3f91c712799166d585d365b1dc8724d7
SHA1 f5397c765300a5bf638dca3690a61a0a828e1646
SHA256 a40c61965a0d11311694d7f3c43521f829c9822ea69d1f8cb313c2f02f51526c
SHA512 7fa2e59d5bf360699fe7cfd80ff7583505f9f7533670ba15bc7c4d77e49bea5212e83b5da583afa08409210392801e9970668083bfccc96aebb2bfb977b53429

memory/1144-10-0x00000000005D0000-0x00000000005FA000-memory.dmp

memory/3768-12-0x00000000003D0000-0x00000000003FA000-memory.dmp

memory/2120-13-0x00000000004E0000-0x000000000050A000-memory.dmp

memory/2120-14-0x00000000004E0000-0x000000000050A000-memory.dmp

memory/1144-15-0x00000000005D0000-0x00000000005FA000-memory.dmp