Analysis
  max time kernel: 149s
  max time network: 135s
  platform: windows11-21h2_x64
  resource: win11-20250610-en
  resource tags: arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 02/07/2025, 18:52
Static task
  static1
Behavioral task
  behavioral1
  Sample: 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
  Resource: win10v2004-20250619-en
Behavioral task
  behavioral2
  Sample: 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
  Resource: win11-20250610-en
General
  Target: 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
  Size: 368KB
  MD5: d1d467f957fb112f8d7b919f352179a4
  SHA1: 140920c0c65867d96d462630488601776ae18260
  SHA256: 66eecf0cc3f1f10afdb8b2aae855a0bfba0f47dfa1c354d61609614677539270
  SHA512: f804f23fdb381df9c5ae6dc1f32137f71cdca0bbbb2fc4aec2ce88b933711b738b5612c229af26261abf9b1c2ff93365cf78354aadea1874169655bc702a5df0
  SSDEEP: 6144:sPxbrqwifQDmSAmTTIJ9YY10Abb/Sr2Txj72zltNla40Oq:sZ3HprNTTA1dbDRXQQ
Malware Config
Signatures
System Binary Proxy Execution: Rundll32 (1 TTPs, 2 IoCs)
Abuse Rundll32 to proxy execution of malicious code.
  pid  | Process
  3820 | cmd.exe
  5800 | rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description     | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5 = "rundll32.exe shell32.dll, ShellExec_RunDLL C:\\PROGRA~3\\D00840~1.EXE" | backgroundTaskHost.exe

Checks for any installed AV software in registry (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened  | \REGISTRY\MACHINE\Software\WOW6432Node\Avira | backgroundTaskHost.exe
  Key opened  | \REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast | backgroundTaskHost.exe
  Key opened  | \REGISTRY\MACHINE\Software\WOW6432Node\Eset\Nod | backgroundTaskHost.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                         | pid  | Process | procid_target
  PID 2692 set thread context of 5160 | 2692 | 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | 84

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid  | pid_target | Process      | procid_target
  5716 | 2692       | WerFault.exe | 81
  1368 | 2692       | WerFault.exe | 81
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | backgroundTaskHost.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  2692 | 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (repeated)
  5160 | backgroundTaskHost.exe (repeated)
  All 64 entries belong to these two processes.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                       | pid  | Process
  Token: SeIncBasePriorityPrivilege | 2692 | 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description                        | pid  | Process | procid_target
  PID 2692 wrote to memory of 5160   | 2692 | 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | 84  (11 entries)
  PID 3820 wrote to memory of 5800   | 3820 | cmd.exe | 87  (2 entries)
  PID 2692 wrote to memory of 4980   | 2692 | 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | 88  (3 entries)
  PID 4980 wrote to memory of 5740   | 4980 | cmd.exe | 92  (3 entries)

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid  | Process
  5740 | attrib.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
    PID: 2692
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\backgroundTaskHost.exe
      Command line: "backgroundTaskHost.exe"
      PID: 5160
      - Adds Run key to start application
      - Checks for any installed AV software in registry
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\jqrB870.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe""
      PID: 4980
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
        PID: 5740
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 2144
      PID: 5716
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1880
      PID: 1368
      - Program crash

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\D00840~1.EXE
    PID: 3820
    - System Binary Proxy Execution: Rundll32
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\D00840~1.EXE
      PID: 5800
      - System Binary Proxy Execution: Rundll32

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2692 -ip 2692
    PID: 2896

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2692 -ip 2692
    PID: 1760
Network
MITRE ATT&CK Enterprise v16
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
  Defense Evasion
    Hide Artifacts (1)
      Hidden Files and Directories (1)
    Modify Registry (1)
    System Binary Proxy Execution (1)
      Rundll32 (1)
Downloads
  Filesize: 368KB
  MD5: aa8f235ce46bc72123b7539d1d77fbb0
  SHA1: d6579f19b10f713e2cafe414f6808f9b0664e3f1
  SHA256: 5495466879c83c95a8d5cff6984c376ac6009a54cd5f222bc8a053987de66003
  SHA512: beafaa9be9c97cce71b9365d6167751b6b9aeb7872de41c7c8b27ba7fec29b597a582adbec505f2ac8b94f256c1ff81eaca4995773459e7bd9635ee5a93d17ef

  Filesize: 29B
  MD5: f21f97f8a2d4cd877b40ddf0bc4b8cc2
  SHA1: 4b11df3f04e5c2f24f929b9192af578b2b117006
  SHA256: e856608ef568a51502199320facd20e203ad8c73fe9653e37116ba9e6526ada2
  SHA512: e53c61d788b76e352fbd823031915fd7861efcb976ee804d895465f116f49a0ef1d2fe2832033f82599ac119be1dd17c9e8f6b06f2505cb99d46e176b21050b6

  Filesize: 53B
  MD5: e02ad012d25f1f7bffb7d00fe94dcb7c
  SHA1: c7b6a2804c49f3aae77adc365d8a46f23fbc270c
  SHA256: 6b3eca04842e04df63ec2196bfae0af76d47240a2cbf540a8e4339c55f1200f8
  SHA512: aaf9b5bd3d0c9932490c79d99eedd8a9f62e479c8db30cb2606a1e4b8aed4dd22cb2ec999fa3e9a68c818f564cf64f97559469ff00b82e7561d83e001e40d5f5