| File name: | 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader |
| Full analysis: | https://app.any.run/tasks/5a3480ba-85c8-4954-915f-7cbb68c2491e |
| Verdict: | Malicious activity |
| Analysis date: | March 25, 2025, 03:52:07 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections |
| MD5: | 4B1A0D1EBC9698300741114434B8F09B |
| SHA1: | D3E8D24C3E02B81F6A7D1B08F8AF21ABC888321A |
| SHA256: | 4EBD649D7AD423A966882750490FEA1ABEC3FD2A458E8EFBCF7C147A499D3D72 |
| SSDEEP: | 98304:iefUuZuKAuf5jTFGkOefUuZuKAuf5jTFziy9/W10abzzpQXPJP0jjiGHaGx/LOLg:uySbzzdr0ijelYJ |
MALICIOUS
Executing a file with an untrusted certificate
- 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader~4.exe (PID: 7724)
Starts NET.EXE for service management
- cmd.exe (PID: 7796)
- net.exe (PID: 6808)
- cmd.exe (PID: 7788)
- cmd.exe (PID: 7844)
- cmd.exe (PID: 7828)
- net.exe (PID: 1272)
- net.exe (PID: 1348)
- net.exe (PID: 6040)
- cmd.exe (PID: 7804)
- net.exe (PID: 5380)
Starts NET.EXE to view/change users localgroup
- cmd.exe (PID: 7872)
- net.exe (PID: 3176)
Uses NET.EXE to stop Windows Update service
- cmd.exe (PID: 7796)
- net.exe (PID: 6040)
Starts NET.EXE to view/add/change user profiles
- net.exe (PID: 5352)
- cmd.exe (PID: 7860)
Uses NET.EXE to stop Windows Security Center service
- cmd.exe (PID: 7804)
- net.exe (PID: 5380)
SUSPICIOUS
Starts a Microsoft application from unusual location
- 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7432)
- 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7528)
Executing commands from a ".bat" file
- 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7528)
- UpdatAuto.exe (PID: 7656)
Process drops legitimate windows executable
- 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7528)
- UpdatAuto.exe (PID: 7656)
Starts itself from another location
- 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7528)
Creates file in the systems drive root
- UpdatAuto.exe (PID: 7656)
- 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7528)
Executable content was dropped or overwritten
- 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7528)
- UpdatAuto.exe (PID: 7656)
Starts CMD.EXE for commands execution
- UpdatAuto.exe (PID: 7656)
- 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7528)
Windows service management via SC.EXE
- sc.exe (PID: 7900)
- sc.exe (PID: 7944)
- sc.exe (PID: 7968)
- sc.exe (PID: 7924)
- sc.exe (PID: 7988)
INFO
The sample compiled with chinese language support
- 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7528)
- UpdatAuto.exe (PID: 7656)
Checks supported languages
- 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7528)
- UpdatAuto.exe (PID: 7656)
- 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader~4.exe (PID: 7724)
Create files in a temporary directory
- 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7528)
- UpdatAuto.exe (PID: 7656)
Creates files in the program directory
- UpdatAuto.exe (PID: 7656)
- 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7528)
Reads the computer name
- UpdatAuto.exe (PID: 7656)
Checks proxy server information
- slui.exe (PID: 1196)
Reads the software policy settings
- slui.exe (PID: 1196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable Microsoft Visual Basic 6 (33.5) |
|---|---|---|
| .exe | | | Win32 Executable MS Visual C++ (generic) (12.7) |
| .dll | | | Win32 Dynamic Link Library (generic) (2.6) |
| .exe | | | Win32 Executable (generic) (1.8) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2007:03:12 04:30:52+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 102400 |
| InitializedDataSize: | 16384 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x27dc |
| OSVersion: | 4 |
| ImageVersion: | 6.1 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 6.1.0.0 |
| ProductVersionNumber: | 6.1.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Chinese (Simplified) |
| CharacterSet: | Unicode |
| Comments: | Windows Update Manager for NT |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Windows Update Manager for NT |
| LegalCopyright: | Copyright (C) Microsoft Corp. 1981-1999 |
| ProductName: | Microsoft(R) Windows (R) 2000 Operating System |
| FileVersion: | 6.01 |
| ProductVersion: | 6.01 |
| InternalName: | INCUBUS |
| OriginalFileName: | INCUBUS.exe |
Total processes
167
Monitored processes
48
Malicious processes
4
Suspicious processes
7
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 904 | C:\WINDOWS\system32\net1 stop wscsvc | C:\Windows\SysWOW64\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1196 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1272 | net start TlntSvr | C:\Windows\SysWOW64\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1348 | net stop srservice | C:\Windows\SysWOW64\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2432 | C:\WINDOWS\system32\net1 localgroup administrators helpassistant /add | C:\Windows\SysWOW64\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3156 | C:\WINDOWS\system32\net1 start TlntSvr | C:\Windows\SysWOW64\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3176 | net localgroup administrators helpassistant /add | C:\Windows\SysWOW64\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5352 | net user helpassistant 123456 | C:\Windows\SysWOW64\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5380 | net stop wscsvc | C:\Windows\SysWOW64\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6040 | net stop wuauserv | C:\Windows\SysWOW64\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
3 977
Read events
3 977
Write events
0
Delete events
0
Modification events
Executable files
19
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7528 | 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe | C:\Windows\SysWOW64\Option.bat | text | |
MD5:1D04ABF39E9DF55EED1D04430CC21EB8 | SHA256:0BC485263CF8A962E64DB0B88F156F2A9AF1B81ECFDB1CF9111D497E85DF70F3 | |||
| 7528 | 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe | — | |
MD5:— | SHA256:— | |||
| 7528 | 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe | — | |
MD5:— | SHA256:— | |||
| 7528 | 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe | — | |
MD5:— | SHA256:— | |||
| 7528 | 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | executable | |
MD5:7D18BB59C7D1A3AE740A32F2CA40C8B2 | SHA256:770B73C968FBD021642C5A777F94E77A56EDD5A96607139A588737E3D53AB81D | |||
| 7656 | UpdatAuto.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe | executable | |
MD5:92881296C33658E908A4D6DE8DA947DB | SHA256:23C3B7B6523F407FB9F995067619620C2911AAD6F01D71FDD4E2C2FA38B733EF | |||
| 7656 | UpdatAuto.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe | executable | |
MD5:E570C976FD2FFC673A95751735F43FDF | SHA256:33730FC6E3DE5093CC37012F77240DB1908AA1E3E4E34BAF1D1EABEBD6C3D36D | |||
| 7528 | 2025-03-25_4b1a0d1ebc9698300741114434b8f09b_hijackloader_remcos_rhadamanthys_smoke-loader.exe | C:\ntldr~8 | executable | |
MD5:7BA125F12E8FF2464E4AE9F5FA164101 | SHA256:826D84669941F4EB468634076AFEB3A3C77DB072FF5BA639A88AF15045174F30 | |||
| 7656 | UpdatAuto.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe | executable | |
MD5:6DB126FD2A8492356751E7156FE1D721 | SHA256:7879C133FF83944D881FF9CF3AA97AD26346C5A8FFD1B0E769AC6EF0E4CBE648 | |||
| 7656 | UpdatAuto.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe | executable | |
MD5:B12465BF3D6A2154487693817C2C39EB | SHA256:6AB34B2D980D39002749BC2830BC182A5B8D3C548EACB3F245A96A299B8326BE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
22
DNS requests
4
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
7348 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1196 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |