Analysis

  • max time kernel
    103s
  • max time network
    108s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250610-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04/07/2025, 12:06

General

  • Target

    2025-07-04_193dadf85b1787e68da6499170e2c9b0_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe

  • Size

    1.5MB

  • MD5

    193dadf85b1787e68da6499170e2c9b0

  • SHA1

    452d0e3ddee732fd95a540200f57612e53cda2e7

  • SHA256

    2d6b7dca455f7a75e073d55663935933db803f60f636bb7ee8ed00107cbc8bdd

  • SHA512

    5da5d841c9de7ef1c6d0b7f82f2b6bba9b3a4ab2a91e37b184c3238edf03099d2af07c7afb979fecc9ad296640d9ac65147b3d01889971fb18f8b383d7fc15e2

  • SSDEEP

    24576:ht376Z3IbKp4bptWNxw4uP3ULJw9N9NI9jp4M5TYEpB2uwtNrHwF4X7Hl7aGCR4f:hF76Zba0qEu1QVd57FwDDwq7lWGPT9zt

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_193dadf85b1787e68da6499170e2c9b0_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_193dadf85b1787e68da6499170e2c9b0_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4352
    • C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe
      "C:\Users\Admin\AppData\Local\Temp/7cc70bb8/kBFB.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1904
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\suorF and ukkEep\M_F.x64.dll"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4088
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Program Files (x86)\suorF and ukkEep\M_F.x64.dll"
          4⤵
          • Loads dropped DLL
          • Installs/modifies Browser Helper Object
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:5940

Network

MITRE ATT&CK Enterprise v16


Downloads

        • C:\Program Files (x86)\suorF and ukkEep\M_F.dll

          Filesize

          414KB

          MD5

          ffe3f0c62f2fede9890b18d73724fd97

          SHA1

          0dafa42039405f8d49a6790180194076bd57c833

          SHA256

          2ec40c7a7808d8aeee27eb8db1ed36424dd7d692e6d2043b20b3c75e8dd2b4d8

          SHA512

          84fb90d2214beae1e0c90b2d4a8678c8a55792daf60e70c441d6b5e279ae7ab5e03f49c401e14b7610189f4e885095f7f569add030254656c0e7e41f75eb8bfc

        • C:\Program Files (x86)\suorF and ukkEep\M_F.tlb

          Filesize

          3KB

          MD5

          8d10c52cfa044ccdcfff4e0b5775babd

          SHA1

          3b2c872ab3237d7b74377032ed7a5239c82df766

          SHA256

          af8efa41494e63e07553fed5bd5df73cf55c160de292ea2a2ee0568cf12e0156

          SHA512

          123d5af4dec8a370a1176fe50998be5a97d3bc46ed7dd9fa365f8f4fc669785b4ed3cb0b65b266095edd3dc3512a4a1d916c035d6184e8e134617502b90f9700

        • C:\Program Files (x86)\suorF and ukkEep\M_F.x64.dll

          Filesize

          461KB

          MD5

          0231aebb8155fd069d17eab6a679cc1e

          SHA1

          61cb4b5228e6253863391ef3346c2f9920dbc554

          SHA256

          fde9e3251cc1237aa3b2ad89acfb5691e8fee5a434989d9a9308ab41b774b672

          SHA512

          42c61873d4287d4a7fb17760fc9e9902723d8c74b21be92ddf6a949b1d6170894abbab9e03680a1518c997decf58ccafc351a5ed619e6515532379663e4f5434

        • C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.dat

          Filesize

          3KB

          MD5

          6abc16ef6bee42099a292af1ac0d2447

          SHA1

          836abf1aac609c49e6ff370425cbab4fd8687d78

          SHA256

          dfe632ae40c5b0115792a976c8c40ec43ec4ecb5aaff0b477113d9a45ade2398

          SHA512

          c438208939ae753b3e6c9e03f4c619b55798de44303362a7586295f6445d0a2de48000623a2242e96e8a20c1471c9cfc4c8ba2672fd27d06a8199cf110d96381

        • C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe

          Filesize

          528KB

          MD5

          9c354249e2b00af7362d8eecaee9b2b2

          SHA1

          13ffdbab9f8df78798ee14ab2640f21eb7deaa67

          SHA256

          69da81656ee601972241df4c1cf0debdf2c09eefce5753b10d58a9136cf45023

          SHA512

          55713fdbee4a11a4677d6375f5975e7ff2c1a197a3bc639beba09b506a6d8856793f9ee3cf917be0ae24cddbc47b24d6e36c01be0841f85d84d7069f389c1119