Analysis Overview
SHA256
1197f99c0b319efb603d7b490a633af12462bb42fae2989b9208ba26e2b39d76
Threat Level: Known bad
The file 2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop was found to be: Known bad.
Malicious Activity Summary
Neshta family
Detect Neshta payload
Neshta
Executes dropped EXE
Modifies system executable filetype association
Reads user/profile data of web browsers
Checks computer location settings
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-01 06:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-01 06:23
Reported
2025-07-01 06:25
Platform
win10v2004-20250619-en
Max time kernel
103s
Max time network
146s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Neshta
Neshta family
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
memory/3216-0-0x0000000000400000-0x000000000102C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3582-490\2025-07-01_1c21dbc3aa0864488303168e24db8ba7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
| Hash | Value |
|---|---|
| MD5 | 0657e06b0a5ca2bc285d481d37073885 |
| SHA1 | 240277dac9cc16c654f7037ee0d318c6b160f09a |
| SHA256 | b75675a3ce734f1530814b764623a0682710f0ac8d2c8fa3ce32a84b32e129a5 |
| SHA512 | 59804cc48f26f23d22d30bc036ddf1f78281c1b5f3629723babc299c66f907d90eb6d9910106d11f0b624348780912f632e257ae7102418f0c60bac1679c4f92 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
| Hash | Value |
|---|---|
| MD5 | 57c043c9a246261b1dedbdefdbcddc56 |
| SHA1 | 9c9461a01a7546781107d1675c72988f69d47378 |
| SHA256 | 1f74fb4cc77bd7546d08989c34536279a815f0622cfcad2c0401e5f80d6c2ab5 |
| SHA512 | 8b39aceaa8d2116c9ff236dc248da9f784ecd77efbabd44b02cd4b4b2c193383aa30afa747c28b7faa38264f20da26a753452d18619db23d71724995827afdc8 |
memory/3216-131-0x0000000000400000-0x000000000102C000-memory.dmp
memory/3216-132-0x0000000000400000-0x000000000102C000-memory.dmp
memory/3216-133-0x0000000000400000-0x000000000102C000-memory.dmp
memory/3216-135-0x0000000000400000-0x000000000102C000-memory.dmp