File name:	2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader
Full analysis:	https://app.any.run/tasks/2278ef96-6d1d-4966-adac-82d3d00dec91
Verdict:	Malicious activity
Analysis date:	March 24, 2025, 15:06:34
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:	03AF5C4C381160615E3F0152F0DBFB7A
SHA1:	39CC79E446A63CEF50FCA06B791B2A34EC5128D6
SHA256:	BA9975D7B959933CA46C85FDE8DCFCC7E594950C4B87F05A5195C639866532FF
SSDEEP:	98304:iefUuZuKAuf5jTF0kOefUuZuKAuf5jTFrkHVrGDYwOwjefUuZuKAuf5jTFPkOefX:BD

.exe	\|	Win32 Executable Microsoft Visual Basic 6 (63.9)
.exe	\|	Win32 Executable MS Visual C++ (generic) (24.3)
.dll	\|	Win32 Dynamic Link Library (generic) (5.1)
.exe	\|	Win32 Executable (generic) (3.5)
.exe	\|	Generic Win/DOS Executable (1.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2007:03:12 04:30:52+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	102400
InitializedDataSize:	16384
UninitializedDataSize:	-
EntryPoint:	0x27dc
OSVersion:	4
ImageVersion:	6.1
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	6.1.0.0
ProductVersionNumber:	6.1.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
Comments:	Windows Update Manager for NT
CompanyName:	Microsoft Corporation
FileDescription:	Windows Update Manager for NT
LegalCopyright:	Copyright (C) Microsoft Corp. 1981-1999
ProductName:	Microsoft(R) Windows (R) 2000 Operating System
FileVersion:	6.01
ProductVersion:	6.01
InternalName:	INCUBUS
OriginalFileName:	INCUBUS.exe

PID	Process	Filename		Type
7692	2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe		executable
		MD5:D34A0E86096400F03520E03605151D13	SHA256:2B6E95928A5A592C95ACB4235707C47730F11A1224867C134B9F7382BBFAB478
7692	2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe	C:\ntldr~6		executable
		MD5:A96169AA3B3224C240EE44157EA03609	SHA256:88CA0A089F0A3ECE0A9537C88E86079FCA9F7A3D95D269C956A1CD7E26646C9F
7692	2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe		—
		MD5:—	SHA256:—
7800	UpdatAuto.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe		—
		MD5:—	SHA256:—
7800	UpdatAuto.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe		executable
		MD5:309AA380638DCFE5FB9EAB7C6C6E15EF	SHA256:198B6818F00D97B4D2E2B1F3C703AAD21A45632A8E2F64B78435EE94B07F3989
7692	2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe	C:\Users\admin\Desktop\2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader~4.exe		executable
		MD5:BAEDE5E132F93DC1924680C9BB406BA9	SHA256:5ED8881E4E0008D53E6F86232BE898A2D7A165EF351D78F3F98A8DDF40538D71
7692	2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe	C:\ntldr~8		executable
		MD5:A96169AA3B3224C240EE44157EA03609	SHA256:88CA0A089F0A3ECE0A9537C88E86079FCA9F7A3D95D269C956A1CD7E26646C9F
7800	UpdatAuto.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe		executable
		MD5:6B313D78B367E206A9D2C969813F3BF5	SHA256:199385D33D53F5143438182D569D11B6F4FF4BDB1CC3D8363B62F76FC99CF469
7692	2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe	C:\Windows\SysWOW64\UpdatAuto.exe		executable
		MD5:A96169AA3B3224C240EE44157EA03609	SHA256:88CA0A089F0A3ECE0A9537C88E86079FCA9F7A3D95D269C956A1CD7E26646C9F
7692	2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe	C:\Windows\SysWOW64\Option.bat		text
		MD5:1D04ABF39E9DF55EED1D04430CC21EB8	SHA256:0BC485263CF8A962E64DB0B88F156F2A9AF1B81ECFDB1CF9111D497E85DF70F3

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2920	svchost.exe	GET	200	23.48.23.144:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2112	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5084	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2920	svchost.exe	23.48.23.144:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4464	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2 20.73.194.208 40.127.240.158	whitelisted
google.com	142.250.185.142	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
crl.microsoft.com	23.48.23.144 23.48.23.151 23.48.23.147 23.48.23.154 23.48.23.155 23.48.23.153 23.48.23.161 23.48.23.139 23.48.23.156	whitelisted

General Info

2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader

03AF5C4C381160615E3F0152F0DBFB7A

39CC79E446A63CEF50FCA06B791B2A34EC5128D6

BA9975D7B959933CA46C85FDE8DCFCC7E594950C4B87F05A5195C639866532FF

98304:iefUuZuKAuf5jTF0kOefUuZuKAuf5jTFrkHVrGDYwOwjefUuZuKAuf5jTFPkOefX:BD

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Starts NET.EXE for service management

Uses NET.EXE to stop Windows Update service

Starts NET.EXE to view/add/change user profiles

Uses NET.EXE to stop Windows Security Center service

Starts NET.EXE to view/change users localgroup

SUSPICIOUS

Starts a Microsoft application from unusual location

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Starts itself from another location

Executable content was dropped or overwritten

Process drops legitimate windows executable

Windows service management via SC.EXE

Creates file in the systems drive root

INFO

Checks supported languages

Create files in a temporary directory

The sample compiled with english language support

Reads the computer name

Creates files in the program directory

The sample compiled with chinese language support

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings