Malware Analysis Report

2025-08-05 14:36

Sample ID 250702-x4qkpagj8v
Target 2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop
SHA256 c984255885ef050929570c35651a271490db8d40febd38c8af4f12483c67869b
Tags
discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c984255885ef050929570c35651a271490db8d40febd38c8af4f12483c67869b

Threat Level: Shows suspicious behavior

The file 2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-02 19:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-02 19:24

Reported

2025-07-02 19:27

Platform

win10v2004-20250610-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3sx13d1q3t = "C:\\Users\\Admin\\AppData\\Roaming\\aa64f6.exe" C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3x8wr4m = "C:\\Users\\Admin\\AppData\\Roaming\\guftbf3zfj.exe" C:\Users\Admin\AppData\Roaming\aa64f6.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aa64f6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aa64f6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe C:\Users\Admin\AppData\Roaming\aa64f6.exe
PID 2796 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe C:\Users\Admin\AppData\Roaming\aa64f6.exe
PID 2796 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe C:\Users\Admin\AppData\Roaming\aa64f6.exe
PID 1660 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\aa64f6.exe C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
PID 1660 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\aa64f6.exe C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
PID 1660 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\aa64f6.exe C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
PID 1576 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\aa64f6.exe
PID 1576 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\aa64f6.exe
PID 1576 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\aa64f6.exe
PID 436 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
PID 436 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
PID 436 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe"

C:\Users\Admin\AppData\Roaming\aa64f6.exe

C:\Users\Admin\AppData\Roaming\aa64f6.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\aa64f6.exe

C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe

C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe

C:\Users\Admin\AppData\Roaming\aa64f6.exe

C:\Users\Admin\AppData\Roaming\aa64f6.exe

C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe

C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 gysopui.net udp
US 8.8.8.8:53 gysopui.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.27.79.221:80 ow5dirasuek.com tcp
US 52.27.79.221:80 ow5dirasuek.com tcp
US 52.27.79.221:80 ow5dirasuek.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 gysopui.net udp
US 8.8.8.8:53 gysopui.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 52.27.79.221:80 ow5dirasuek.com tcp
US 52.27.79.221:80 ow5dirasuek.com tcp
US 52.27.79.221:80 ow5dirasuek.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 gysopui.net udp

Files

C:\Users\Admin\AppData\Roaming\aa64f6.exe

MD5 6de981925e53727f2201283565e6e0d4
SHA1 9ae6fea487a6a99c15c3f11f7e0c2f632884f83c
SHA256 312fdca42a95c142267063e9b8c5caa38778b6a2f72db496c7402e0a477e4790
SHA512 70b8cef170a1fc1779dbda03a1bf664253c4e63bfa56d25d938fe384e5d0563da6dbab63389f22d6deb2e67b4734d1b076787ce3012e1cb0436945719a95859d

C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe

MD5 f91b9ed0a230d34659c9f55e85227e73
SHA1 439a0d9f2b83e9211302cb079cf272ad6da1f921
SHA256 cf308d150231760b2b0d88f6f5d5b77c4bd304ec33a9ea25884f9bde5844377a
SHA512 7da1e3033921d000ed3c104c8f95393e33343e53791ff5bb27bb9119e56e0d96b0cbcd821f7af4a2b3efc8a85f2fceaf94211489012aa8c0e84e6db2ca9409ae