Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/07/2025, 19:24
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe
Resource: win10v2004-20250610-en
General
Target: 2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe
Size: 61KB
MD5: 1d4361bcd7304537a6861c9605257750
SHA1: 3f13d9dc64c9dc019b0a12bb2660f7295ecf1f2c
SHA256: c984255885ef050929570c35651a271490db8d40febd38c8af4f12483c67869b
SHA512: e2fb8e3a80c41dbc274ca1a412ae1eead5ca7f2c388c95392a38e6efecbf3c4e8eef562019faf2ca67aa9eb11e673acdd9b715b8c0861f7b295973381c0b57ba
SSDEEP: 1536:CO6skYL5TDbCY7fjPpm7GVOFAwfURlXa:3kw517fjPQiwfMlXa
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
pid   Process
1660  aa64f6.exe
3448  guftbf3zfj.exe
1080  aa64f6.exe
4480  guftbf3zfj.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                   Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3sx13d1q3t = "C:\\Users\\Admin\\AppData\\Roaming\\aa64f6.exe"      2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3x8wr4m = "C:\\Users\\Admin\\AppData\\Roaming\\guftbf3zfj.exe"    aa64f6.exe
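Both Run values sit under \REGISTRY\USER\S-1-5-21-...-1000, which is the HKCU hive of the logged-on account, so no elevation was needed to create them, and each stage registers the next one rather than itself: the sample registers aa64f6.exe, and aa64f6.exe registers guftbf3zfj.exe. The following is an added example, not part of the Triage report or the sample's own code: it parses the two flattened IoC rows above (plus one benign-looking row constructed for contrast) and scores each entry on the three things an analyst checks first. The row format, the benign row, the USER_WRITABLE list and the RANDOM_NAME heuristic are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed input: the two "Adds Run key" rows from the report above, in the
# flattened 'Set value (str) <key>\<name> = "<data>" <writing process>' form,
# plus one benign-looking row made up for contrast (not from the report).
RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3sx13d1q3t = "C:\\Users\\Admin\\AppData\\Roaming\\aa64f6.exe" 2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3x8wr4m = "C:\\Users\\Admin\\AppData\\Roaming\\guftbf3zfj.exe" aa64f6.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" OneDrive.exe',
]

ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) = "(?P<data>[^"]*)" (?P<process>\S+)$'
)

# Directories a standard user can write to; a Run entry pointing here needs no
# admin rights to create (assumed list for illustration).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Heuristic (assumption): lowercase letters and digits mixed, 5-12 chars, as in
# 3sx13d1q3t / 3x8wr4m. Legitimate software normally uses a product name here.
RANDOM_NAME = re.compile(r"^[a-z0-9]{5,12}$")


@dataclass
class RunEntry:
    key: str        # registry key path, \REGISTRY\USER\<SID>\...\Run
    name: str       # value name
    data: str       # value data (the command run at logon)
    process: str    # image name of the process that wrote it


def parse_rows(rows):
    """Parse flattened IoC rows; rows that do not match the format are skipped."""
    entries = []
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            continue
        # the report renders backslashes in the data doubled; collapse them
        entries.append(RunEntry(m["key"], m["name"], m["data"].replace("\\\\", "\\"), m["process"]))
    return entries


def flag_persistence(rows):
    """Return {value_name: [reasons]} for Run entries worth an analyst's attention."""
    findings = {}
    for e in parse_rows(rows):
        reasons = []
        target = e.data.strip('"').lower()
        if any(marker in target for marker in USER_WRITABLE):
            reasons.append("launch target is in a user-writable directory")
        if RANDOM_NAME.match(e.name) and any(c.isdigit() for c in e.name) and any(c.isalpha() for c in e.name):
            reasons.append("value name looks machine-generated")
        target_exe = target.rsplit("\\", 1)[-1]
        if target_exe != e.process.lower():
            # the writer registers the next stage, not itself: chained persistence
            reasons.append(f"written by {e.process}, launches {target_exe}")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in flag_persistence(RUN_KEY_ROWS).items():
        print(name, "->", "; ".join(reasons))
```

Run stand-alone it prints the two malicious value names with all three reasons and stays silent on the OneDrive row. The same scoring applies unchanged to a live dump of HKCU\Software\Microsoft\Windows\CurrentVersion\Run, which is the cheapest host check for this family's persistence.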
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. This key is also read by a great deal of benign software during start-up, so on its own it is a weak indicator; it carries weight here only because every binary in the chain reads it.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aa64f6.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  guftbf3zfj.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aa64f6.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  guftbf3zfj.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                          pid   Process                                                                           procid_target
PID 2796 wrote to memory of 1660     2796  2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe  86
PID 2796 wrote to memory of 1660     2796  2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe  86
PID 2796 wrote to memory of 1660     2796  2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe  86
PID 1660 wrote to memory of 3448     1660  aa64f6.exe                                                                        89
PID 1660 wrote to memory of 3448     1660  aa64f6.exe                                                                        89
PID 1660 wrote to memory of 3448     1660  aa64f6.exe                                                                        89
PID 1576 wrote to memory of 1080     1576  cmd.exe                                                                           92
PID 1576 wrote to memory of 1080     1576  cmd.exe                                                                           92
PID 1576 wrote to memory of 1080     1576  cmd.exe                                                                           92
PID 436 wrote to memory of 4480      436   cmd.exe                                                                           93
PID 436 wrote to memory of 4480      436   cmd.exe                                                                           93
PID 436 wrote to memory of 4480      436   cmd.exe                                                                           93
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2796
  [depth 2] C:\Users\Admin\AppData\Roaming\aa64f6.exe
      command line: C:\Users\Admin\AppData\Roaming\aa64f6.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1660
    [depth 3] C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
        command line: C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 3448

[depth 1] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\aa64f6.exe
    - Suspicious use of WriteProcessMemory
    PID: 1576
  [depth 2] C:\Users\Admin\AppData\Roaming\aa64f6.exe
      command line: C:\Users\Admin\AppData\Roaming\aa64f6.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 1080

[depth 1] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
    - Suspicious use of WriteProcessMemory
    PID: 436
  [depth 2] C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
      command line: C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4480
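Two things in the WriteProcessMemory table and the process tree deserve a closer look before the signature is taken at face value. First, every writer wrote exactly three times to the one process it is shown spawning, and to nothing else; that footprint is consistent with ordinary process start-up by a parent rather than with injection into an unrelated process, so here the signature corroborates lineage and should not be reported as code injection. Second, the two cmd.exe roots are not children of the sample: they run exactly the two paths registered in the Run keys, so the dropped files execute twice, once spawned directly and once via cmd.exe /c. The code below is an added example (not from the Triage report or the sample) that rebuilds the spawn chains from the twelve flattened rows and checks the per-edge write count; the procid_target column (86, 89, 92, 93) is the report's own index for the target process and does not match the Windows PIDs, so everything is keyed on the PIDs in the description instead. The row format and the TARGET_NAMES map (taken from the "Executes dropped EXE" table) are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

SAMPLE = "2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe"

# Constructed input: the twelve WriteProcessMemory rows from the report above,
# flattened as 'PID <pid> wrote to memory of <target> <pid> <process> <procid_target>'.
WPM_ROWS = (
    [f"PID 2796 wrote to memory of 1660 2796 {SAMPLE} 86"] * 3
    + ["PID 1660 wrote to memory of 3448 1660 aa64f6.exe 89"] * 3
    + ["PID 1576 wrote to memory of 1080 1576 cmd.exe 92"] * 3
    + ["PID 436 wrote to memory of 4480 436 cmd.exe 93"] * 3
)

# Image names of the written-to PIDs, taken from the "Executes dropped EXE" table.
TARGET_NAMES = {1660: "aa64f6.exe", 3448: "guftbf3zfj.exe", 1080: "aa64f6.exe", 4480: "guftbf3zfj.exe"}

# (?P=src) checks that the repeated pid column agrees with the description text.
ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<name>\S+) (?P<procid>\d+)$")


def parse_edges(rows):
    """Count rows per (writer pid, writer image, target pid)."""
    edges = Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unparsed row: {row!r}")
        edges[(int(m["src"]), m["name"], int(m["dst"]))] += 1
    return edges


def build_tree(edges):
    """Return (root pids, {pid: [child pids]}, {pid: image name})."""
    children = defaultdict(list)
    names = dict(TARGET_NAMES)
    for src, src_name, dst in edges:
        names.setdefault(src, src_name)
        children[src].append(dst)
    targets = {d for kids in children.values() for d in kids}
    roots = sorted(p for p in children if p not in targets)
    return roots, dict(children), names


def chain(pid, children, names):
    """Follow the first child at each level (every parent in this report spawns one)."""
    out = [(pid, names.get(pid, "?"))]
    while children.get(pid):
        pid = children[pid][0]
        out.append((pid, names.get(pid, "?")))
    return out


def lineage(rows):
    """One human-readable spawn chain per root, roots in ascending PID order."""
    roots, children, names = build_tree(parse_edges(rows))
    return [" -> ".join(f"{p} {n}" for p, n in chain(root, children, names)) for root in roots]


def uniform_write_count(rows):
    """(True, n) when every writer/target pair has the same number n of rows, the
    pattern of process-creation writes rather than of targeted injection."""
    counts = set(parse_edges(rows).values())
    return len(counts) == 1, (counts.pop() if counts else 0)


if __name__ == "__main__":
    for line in lineage(WPM_ROWS):
        print(line)
    print("uniform write count:", uniform_write_count(WPM_ROWS))
```

The chains come out as the three trees in the Processes section, with the dropped-file names resolved for the target PIDs; the uniform count of three per edge is the check an analyst applies before escalating "WriteProcessMemory" to "injection".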
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 61KB
MD5: 6de981925e53727f2201283565e6e0d4
SHA1: 9ae6fea487a6a99c15c3f11f7e0c2f632884f83c
SHA256: 312fdca42a95c142267063e9b8c5caa38778b6a2f72db496c7402e0a477e4790
SHA512: 70b8cef170a1fc1779dbda03a1bf664253c4e63bfa56d25d938fe384e5d0563da6dbab63389f22d6deb2e67b4734d1b076787ce3012e1cb0436945719a95859d

Filesize: 61KB
MD5: f91b9ed0a230d34659c9f55e85227e73
SHA1: 439a0d9f2b83e9211302cb079cf272ad6da1f921
SHA256: cf308d150231760b2b0d88f6f5d5b77c4bd304ec33a9ea25884f9bde5844377a
SHA512: 7da1e3033921d000ed3c104c8f95393e33343e53791ff5bb27bb9119e56e0d96b0cbcd821f7af4a2b3efc8a85f2fceaf94211489012aa8c0e84e6db2ca9409ae