Analysis
max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/07/2025, 18:52
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
  Resource: win10v2004-20250619-en
Behavioral task: behavioral2
  Sample: 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
  Resource: win11-20250610-en
General
Target: 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
Size: 368KB
MD5: d1d467f957fb112f8d7b919f352179a4
SHA1: 140920c0c65867d96d462630488601776ae18260
SHA256: 66eecf0cc3f1f10afdb8b2aae855a0bfba0f47dfa1c354d61609614677539270
SHA512: f804f23fdb381df9c5ae6dc1f32137f71cdca0bbbb2fc4aec2ce88b933711b738b5612c229af26261abf9b1c2ff93365cf78354aadea1874169655bc702a5df0
SSDEEP: 6144:sPxbrqwifQDmSAmTTIJ9YY10Abb/Sr2Txj72zltNla40Oq:sZ3HprNTTA1dbDRXQQ
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation | rundll32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation | 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
-
System Binary Proxy Execution: Rundll32 1 TTPs 2 IoCs
Abuse Rundll32 to proxy execution of malicious code.
pid | Process
3920 | cmd.exe
4100 | rundll32.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5 = "rundll32.exe shell32.dll, ShellExec_RunDLL C:\\PROGRA~3\\BB40JF~1.EXE" | backgroundTaskHost.exe
-
Checks for any installed AV software in registry 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Avira | backgroundTaskHost.exe
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast | backgroundTaskHost.exe
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Eset\Nod | backgroundTaskHost.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4536 set thread context of 4904 | 4536 | 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | 102
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
3604 | 4536 | WerFault.exe | 84
4872 | 4536 | WerFault.exe | 84
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | backgroundTaskHost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4536 | 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (identical entry listed 10 times)
4904 | backgroundTaskHost.exe (identical entry listed 54 times)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4536 | 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target
PID 4536 wrote to memory of 4904 | 4536 | 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | 102 (identical entry listed 11 times)
PID 3920 wrote to memory of 4100 | 3920 | cmd.exe | 105 (identical entry listed 2 times)
PID 4536 wrote to memory of 1156 | 4536 | 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | 106 (identical entry listed 3 times)
PID 1156 wrote to memory of 404 | 1156 | cmd.exe | 112 (identical entry listed 3 times)
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
404 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
  PID:4536
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\backgroundTaskHost.exe
    command line: "backgroundTaskHost.exe"
    PID:4904
    - Adds Run key to start application
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\cbkAC2F.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe""
    PID:1156
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
      PID:404
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1892
    PID:3604
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1808
    PID:4872
    - Program crash
C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\BB40JF~1.EXE
  PID:3920
  - System Binary Proxy Execution: Rundll32
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\BB40JF~1.EXE
    PID:4100
    - Checks computer location settings
    - System Binary Proxy Execution: Rundll32
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4536 -ip 4536
  PID:3500
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4536 -ip 4536
  PID:3624
Network
MITRE ATT&CK Enterprise v16
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (1)
  System Binary Proxy Execution (1)
    Rundll32 (1)
Downloads