Analysis

  • max time kernel
    104s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/07/2025, 12:18

General

  • Target

    2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe

  • Size

    278KB

  • MD5

    8dfb9eb86ac79a8bfa8edf9c720fbcf9

  • SHA1

    45270926ce72bdfa345bf6c04619de1af344dd40

  • SHA256

    6f5a07dbd1e3e8975fded7630b89cfb1fac97928bcecb339a53aa44541973d72

  • SHA512

    0773fd54cc568763b9d7d6dfe59686368089ede9e991e19850e21396d7b32492fce6c0da51e1db315e23544f81e2a1c16b82698f3e2c81084b27a2761551e56f

  • SSDEEP

    6144:qKAFwOu2CBtvvQ93MeDm6fLUqn8BMP+AA6k4D68wN:SCBtv+Meq6fYqn8BMWAACD68wN

Malware Config

Signatures

  • Unexpected DNS network traffic destination 5 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:5232
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2396
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3408
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3408 CREDAT:17410 /prefetch:2
      2⤵
      • Unexpected DNS network traffic destination
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4960

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/5232-0-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

        • memory/5232-1-0x000000000042D000-0x000000000042E000-memory.dmp

          Filesize

          4KB

        • memory/5232-11-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB