Analysis Overview
SHA256
1c029938dbe46a6f56e6bfdf7ac191e67d19ee3f9863b8e522fe64439dbba771
Threat Level: Shows suspicious behavior
The file 2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 12:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 12:19
Reported
2025-07-04 12:22
Platform
win10v2004-20250619-en
Max time kernel
106s
Max time network
134s
Command Line
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | stats-182385724-1591972470.us-east-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | stats-182385724-1591972470.us-east-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/5304-0-0x0000000010000000-0x0000000010123000-memory.dmp
memory/5304-5-0x0000000010000000-0x0000000010123000-memory.dmp
memory/5304-6-0x0000000010000000-0x0000000010123000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 12:19
Reported
2025-07-04 12:22
Platform
win11-20250619-en
Max time kernel
100s
Max time network
104s
Command Line
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5256 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5256 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5256 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\953.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | stats-182385724-1591972470.us-east-1.elb.amazonaws.com | udp |
Files
memory/5256-0-0x0000000010000000-0x0000000010123000-memory.dmp
memory/5256-5-0x0000000010000000-0x0000000010123000-memory.dmp
memory/5256-6-0x0000000010000000-0x0000000010123000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\953.bat
| MD5 | 69d6d5d66d75c9877e208f62a32ba07b |
| SHA1 | 2898a7a81b327338d7bbd09c694f35798160d4e6 |
| SHA256 | 1ec5a0cc76ee138e28e663d1f9ca7fa83bb5297806e3928fb5ad1915c309de80 |
| SHA512 | e0c9da1421007a8b10bdba52cd2feaf9cc8e4073b381d1eca6591ff1dacebb9694dd497229040d532a3382f8c3e92879d2f8f406e266393663b16383d75ad940 |
C:\Users\Admin\AppData\Local\Temp\313312.exe
| MD5 | ee0f20b4e41843f9790e2375ddfd5353 |
| SHA1 | 452c1cfce69e9dbefd34e8c671f4ac6b1d5c3222 |
| SHA256 | 1c029938dbe46a6f56e6bfdf7ac191e67d19ee3f9863b8e522fe64439dbba771 |
| SHA512 | a9a65672d8a8773333664c49d389244410207e518c5317eb75be8fcfbc16014c61640966bbf67ff1e072e006fa63362fdf584b7025cfaad25606a55046a558eb |