Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/07/2025, 19:24

General

  • Target

    2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe

  • Size

    61KB

  • MD5

    1d4361bcd7304537a6861c9605257750

  • SHA1

    3f13d9dc64c9dc019b0a12bb2660f7295ecf1f2c

  • SHA256

    c984255885ef050929570c35651a271490db8d40febd38c8af4f12483c67869b

  • SHA512

    e2fb8e3a80c41dbc274ca1a412ae1eead5ca7f2c388c95392a38e6efecbf3c4e8eef562019faf2ca67aa9eb11e673acdd9b715b8c0861f7b295973381c0b57ba

  • SSDEEP

    1536:CO6skYL5TDbCY7fjPpm7GVOFAwfURlXa:3kw517fjPQiwfMlXa

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Users\Admin\AppData\Roaming\aa64f6.exe
      C:\Users\Admin\AppData\Roaming\aa64f6.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
        C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3448
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\aa64f6.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Roaming\aa64f6.exe
      C:\Users\Admin\AppData\Roaming\aa64f6.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1080
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:436
    • C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
      C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4480

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\aa64f6.exe

          Filesize

          61KB

          MD5

          6de981925e53727f2201283565e6e0d4

          SHA1

          9ae6fea487a6a99c15c3f11f7e0c2f632884f83c

          SHA256

          312fdca42a95c142267063e9b8c5caa38778b6a2f72db496c7402e0a477e4790

          SHA512

          70b8cef170a1fc1779dbda03a1bf664253c4e63bfa56d25d938fe384e5d0563da6dbab63389f22d6deb2e67b4734d1b076787ce3012e1cb0436945719a95859d

        • C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe

          Filesize

          61KB

          MD5

          f91b9ed0a230d34659c9f55e85227e73

          SHA1

          439a0d9f2b83e9211302cb079cf272ad6da1f921

          SHA256

          cf308d150231760b2b0d88f6f5d5b77c4bd304ec33a9ea25884f9bde5844377a

          SHA512

          7da1e3033921d000ed3c104c8f95393e33343e53791ff5bb27bb9119e56e0d96b0cbcd821f7af4a2b3efc8a85f2fceaf94211489012aa8c0e84e6db2ca9409ae