Analysis
max time kernel: 178s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-01-2023 08:14
Static task: static1
Behavioral task: behavioral1
  Sample: cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe
  Resource: win10v2004-20220812-en
General
Target: cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe
Size: 258KB
MD5: ce4d81b9eae32702f7d36fef3a11d4e4
SHA1: e2b39a9b44b860b53b2843a2d7608365cfcf38fb
SHA256: cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f
SHA512: fbfded2ca180c42a282b747a24b0e323be83cbb790b740cf24b3801e1164056041f19c1363dba532c68030b428b15bdf8b05ce89ebba3d69c913b224bf982e18
SSDEEP: 6144:GCu1sFLzC0eQJwQABVSmONIk/qtCOWaGC/U4zqQna:GCu1qHC/Q9kSmxVbj/FP
Malware Config
Extracted (lumma): 77.73.134.68
Signatures
Detect rhadamanthys stealer shellcode (2 IoCs)
  resource: behavioral1/memory/5104-161-0x00000000027F0000-0x000000000280D000-memory.dmp, yara_rule: family_rhadamanthys
  resource: behavioral1/memory/5104-169-0x00000000027F0000-0x000000000280D000-memory.dmp, yara_rule: family_rhadamanthys
Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/5000-133-0x00000000005E0000-0x00000000005E9000-memory.dmp, yara_rule: family_smokeloader
Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
SmokeLoader
  Modular backdoor trojan in use since 2014.
Blocklisted process makes network request (3 IoCs)
  flow 60, pid 3808, process rundll32.exe
  flow 66, pid 3808, process rundll32.exe
  flow 67, pid 3808, process rundll32.exe
Downloads MZ/PE file
Executes dropped EXE (3 IoCs)
  pid 208, process 5937.exe
  pid 3428, process 9074.exe
  pid 5104, process B7C4.exe
Loads dropped DLL (2 IoCs)
  pid 3808, process rundll32.exe
  pid 4448, process rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Program crash (2 IoCs)
  pid 3260, pid_target 208, process WerFault.exe, target process 5937.exe
  pid 1376, pid_target 3428, process WerFault.exe, target process 9074.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI, process cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI, process cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI, process cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe
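The SCSI check works because the subkeys of HKLM\SYSTEM\ControlSet001\Enum\SCSI are device-instance names that embed the vendor and product strings of the attached disks, and on a VM those strings usually name the hypervisor. The script below is an added example written for this page (it is not code from the sample and not the sandbox's own logic): it enumerates the key the same way on Windows and falls back to constructed sample names elsewhere, so a sandbox operator can check whether an image exposes the markers. The marker list is an assumption drawn from common practice, not something the report states.

```python
"""Reproduce the SCSI-enumeration sandbox check flagged in this report.

Added example, not code from the sample or the sandbox. The sample opens,
queries and enumerates HKLM\SYSTEM\ControlSet001\Enum\SCSI; the subkeys
there look like 'Disk&Ven_VBOX&Prod_HARDDISK', so the vendor string alone
reveals a VirtualBox, VMware, QEMU or Hyper-V disk. The same logic lets an
analyst verify that a sandbox image has been re-labelled.
"""
import sys

# Substrings commonly used by evasive malware to recognise virtual disks.
# This list is an assumption for the example, not taken from the report.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTIO", "XEN", "VIRTUAL")


def read_scsi_enum() -> list[str]:
    """Enumerate the subkeys of ...\\Enum\\SCSI on Windows; [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    path = r"SYSTEM\ControlSet001\Enum\SCSI"
    names: list[str] = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            subkey_count = winreg.QueryInfoKey(key)[0]
            for i in range(subkey_count):
                names.append(winreg.EnumKey(key, i))
    except OSError:
        pass  # key missing or access denied: treat as nothing found
    return names


def vm_hits(device_keys) -> list[tuple[str, str]]:
    """Return (subkey, marker) for every device name that looks virtual."""
    hits = []
    for name in device_keys:
        upper = name.upper()
        for marker in VM_MARKERS:
            if marker in upper:
                hits.append((name, marker))
                break  # one marker per device is enough
    return hits


def looks_like_sandbox(device_keys) -> bool:
    """True when at least one SCSI device carries a hypervisor marker."""
    return bool(vm_hits(device_keys))


# Constructed sample subkey names, not values captured in the report.
SAMPLE_VM = ["Disk&Ven_VBOX&Prod_HARDDISK", "CdRom&Ven_VBOX&Prod_CD-ROM"]
SAMPLE_PHYSICAL = ["Disk&Ven_Samsung&Prod_SSD_870_EVO", "CdRom&Ven_HL-DT-ST&Prod_DVDRAM"]

if __name__ == "__main__":
    keys = read_scsi_enum() or SAMPLE_VM
    for name, marker in vm_hits(keys):
        print(f"{name}: matches {marker}")
    print("sandbox-like:", looks_like_sandbox(keys))
```

Run on a real Windows host it reports whatever the registry actually contains; run anywhere else it evaluates the constructed VirtualBox names. A hit on a production analysis VM means the image needs its disk identifiers changed before samples like this one will proceed past the check.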
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 5000, process cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe (2 entries)
  pid 2376, process name not recorded (62 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2376
Suspicious behavior: MapViewOfSection (1 IoC)
  pid 5000, process cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeShutdownPrivilege, pid 2376 (3 entries)
  Token: SeCreatePagefilePrivilege, pid 2376 (3 entries)
Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2376 wrote to memory of 208, target process 5937.exe (3 entries)
  PID 2376 wrote to memory of 3428, target process 9074.exe (3 entries)
  PID 208 (5937.exe) wrote to memory of 3808, target process rundll32.exe (3 entries)
  PID 2376 wrote to memory of 5104, target process B7C4.exe (3 entries)
  PID 5104 (B7C4.exe) wrote to memory of 4448, target process rundll32.exe (2 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe"
  PID 5000
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\5937.exe
  command line: C:\Users\Admin\AppData\Local\Temp\5937.exe
  PID 208
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\rundll32.exe
    command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
    PID 3808
    - Blocklisted process makes network request
    - Loads dropped DLL
  child: C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 540
    PID 3260
    - Program crash

C:\Users\Admin\AppData\Local\Temp\9074.exe
  command line: C:\Users\Admin\AppData\Local\Temp\9074.exe
  PID 3428
  - Executes dropped EXE
  child: C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 1316
    PID 1376
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 208 -ip 208
  PID 3996

C:\Users\Admin\AppData\Local\Temp\B7C4.exe
  command line: C:\Users\Admin\AppData\Local\Temp\B7C4.exe
  PID 5104
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\system32\rundll32.exe
    command line: "C:\Users\Admin\AppData\Roaming\nsis_unse590ad4.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8Gb|ADUAYwBrAEKuIwBmAHFDAE89AFjvAE4AaC0CWUiD|+wo6AQCAABI|4PEKMPMzMxM|4lEJBhIiVQkvxBIiUwkCF0BSP+LRCQwSIkEJPaBAThIbwAISMdE2yQQLQHrDoEBEEjXg8ABjwEQgQFASO05lgBzJZ8Diwwk|0gDyEiLwUiL9UyrAVR7AAPRSIt|yooJiAjrwWYFv2VIiwQlYPPwM||JSItQGEg70f90NkiDwiBIi|8CSDvCdCpmg|94SBh1GkyLQP9QZkGDOGt0B+4REUt1CBEQeBAu|3QFSIsA69VI64tI|QDBagBAU1X|VldBVEFVQVb7QVddAWaBOU1a|02L+EyL8kiL79kPhfzz8ExjSf88QYE8CVBFAO8AD4Xq8|BBi4T7CYjz8IXASI087wEPhNZqEYO8Cd2MLQEPhMfz8ESL|2cgRItfHIt3|yREi08YTAPh|0wD2UgD8TPJv0WFyQ+EpPPwTf+LxEGLEEUz0v9IA9OKAoTAdP8dQcHKDQ++wN76AAFEA9C|EXXs|0GB+qr8DXx0|w6DwQFJg8AE|0E7yXNp68aL|8EPtwxORYss|4tMA+t0WDPtvqoQdFFBixTBANP|M8mKAkyLwuu3D8HJyBEDyOUQAfdBigDVEO0zwDOf9kE7DLbgEKYAg||GAYP4CHLu6|8KSIvLQf|VSd+JBPeDxeQQxATfO28Ycq9mAUFf|0FeQV1BXF9e+11bMxdIgexgAf5kAIvp6Gb+||+|SIXAD4SYdSBM9Y2vAYsrEMgz|+j9m30gjV8ETI1F|0Yz0ovL|1Qk|WiAIEyL4A+Ea3p1IEWoEDPAi9ORIF9IiXwkIKYgcIAgP0iL8A+ES3UgpiD|UEiNVghEjUffQEiNjCSFEUiL79jofP1+II1WSGreIBDiIczz8Ohn7yA|RIsGjVcIQSCmIL1YyiGJhCSAhxLe9vPwiw7aIFiJjCTYcREHMJEg6DHvIIuc|i0yTItdOkiD+|tsSIogMEyJZCTvOEyLpBoyTIlcboQBhCTchxGGko0Ru41HSzCMJPDz8Enfi9To6fwFMIqc7ngySI2EeDJBgPN|IY1PbEQwGKQCf4PpAXXzgbx4Mv8hUmV4dU2LhLsk9CIxlCT4NQHC|0g72HI4g|psv3YzRI1JQPoAlKdBuACYAKYgQMoi+Od0GUS2MMAxSY1U+yRskSBJg+hs6N1rgjBIi86mIHhI|4X|dBKLVUJM|I4wGzFIjUwkQP8P10iBxHQhYSQtCC0B
    PID 4448
    - Loads dropped DLL

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3428 -ip 3428
  PID 2576
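Both dropped-DLL loads in this tree go through rundll32.exe, and both look wrong in ways a detection rule can state precisely: the first loads a file with a .tmp extension from the user's Temp directory and calls an export with a random-looking name; the second loads a DLL from AppData\Roaming, names the export PrintUIEntry (a real entry point of the Windows printui.dll, used here as a decoy) and passes a long opaque blob as the argument. The script below is an added example written for this page, not the sandbox's own signature logic; it parses rundll32 command lines into DLL path, export and trailing arguments and applies those three checks. The first two sample lines are taken from the process tree above (the second with its blob truncated), the third is a constructed benign line for contrast, and the export-to-DLL mapping and the length threshold are assumptions chosen for the example.

```python
"""Triage rundll32 command lines of the kind seen in this report.

Added example, not the sandbox's own detection logic. Flags a rundll32
invocation when the DLL sits in a user-writable directory, when the file
extension is not .dll, when the export name belongs to a well-known Windows
DLL other than the one being loaded, or when the trailing argument is a long
blob rather than a path or switch.
"""
import ntpath
import re

# Leading rundll32 image path, quoted or bare. The second report line has
# no such prefix (the sandbox shows only the arguments), so it is optional.
RUNDLL_PREFIX = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+', re.I)
# <dll path>,<export> <remaining arguments>
DLL_AND_EXPORT = re.compile(r'^(?:"([^"]+)"|([^\s,]+))\s*,\s*([#\w]+)\s*(.*)$', re.S)
USER_WRITABLE = re.compile(
    r'\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\', re.I)
# Exports that legitimately live in one specific Windows DLL. Assumed for
# the example from public documentation, not taken from the report.
KNOWN_EXPORTS = {"printuientry": "printui.dll", "control_rundll": "shell32.dll"}
OPAQUE_ARG_MIN_LEN = 64  # assumption: real paths/switches are shorter than this


def parse_rundll32(cmdline):
    """Split a rundll32 command line into dll, export and args; None if malformed."""
    rest = RUNDLL_PREFIX.sub("", cmdline, count=1)
    m = DLL_AND_EXPORT.match(rest)
    if not m:
        return None
    return {"dll": m.group(1) or m.group(2), "export": m.group(3), "args": m.group(4).strip()}


def triage_rundll32(cmdline):
    """Return the list of reasons a rundll32 line is suspicious ([] if clean)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    dll, export, args = parsed["dll"], parsed["export"], parsed["args"]
    reasons = []
    if USER_WRITABLE.search(dll):
        reasons.append("dll in user-writable path")
    if not dll.lower().endswith(".dll"):
        reasons.append("non-.dll extension")
    host = KNOWN_EXPORTS.get(export.lower())
    if host and not dll.lower().endswith("\\" + host):
        reasons.append(f"export {export} belongs to {host}, not {ntpath.basename(dll)}")
    if len(args) >= OPAQUE_ARG_MIN_LEN and "\\" not in args:
        reasons.append("long opaque trailing argument")
    return reasons


SAMPLE_CMDLINES = [
    # PID 3808 and PID 4448 from the process tree; the blob after PrintUIEntry
    # is truncated here and the full value is in the report above.
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa',
    r'"C:\Users\Admin\AppData\Roaming\nsis_unse590ad4.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8Gb|',
    # Constructed benign line for contrast (opening the Date and Time applet).
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(line[:70], "->", triage_rundll32(line) or "clean")
```

Fed the two report lines, the script returns two reasons for the Sdaaysrpyefiy.tmp load and three for the nsis_unse590ad4.dll load, and nothing for the constructed shell32.dll line. The same parse/triage pair drops straight into an EDR or Sysmon event 1 pipeline, where the command line is the field to feed it.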
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5937.exe
Filesize: 1.1MB
MD5: dcbea7655543025cd758fdefafd76cde
SHA1: b4075079fc7b3db2373b2d8d0ee07415a146132e
SHA256: e1e3a78fe3a7f1551fd630cf185d4a4403c09f3a460ac05882ce725b74d34aa5
SHA512: 908d63121ec4720d51a3499fe1e54b69180f7496547dffa011063e3e7ae2e57aa6c103a5277d0ffcda8d46b7b82fa2e77a09295c5c7509a81dd09021e47443b6
-
C:\Users\Admin\AppData\Local\Temp\9074.exe
Filesize: 276KB
MD5: c16ba0f2004c45a448d524867b6dfac5
SHA1: 4511810aaa7ce1542ee94adf00e4f510025a189d
SHA256: 6b8838ea9bff0a51596fe3c2b77b3b0a5402c23cc87692d3648d8f4a28ce705d
SHA512: 460237872e9bcf0e70f3d719b7321171f6969bbb3dac1d1d744b8be590a59f9fcba3cb1331e7c19448f4c4f45a340dd704209154e87f20fcdc80d0b8489a50cc
-
C:\Users\Admin\AppData\Local\Temp\B7C4.exe
Filesize: 1.0MB
MD5: 1e0408fa0cac90633797987ab125c82d
SHA1: 37e699aadec3bc595052dcbaf2d7233fbdbb5f80
SHA256: 80160cd60a1629379972ccfcb193396bd0fbcc8a1b2bebb4a9c9aeea9f56a507
SHA512: b5821ee297b40a9f23a89e8b8860bd5681e3f901de4d025f05891b3e91cc21606b1e4139c4c0372458c48abe83c6728e0843d25e89360392ffd8ec7a4456b801
-
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize: 774KB
MD5: e06fb66bfbe1444cc091f0297b8d32db
SHA1: c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af
SHA256: b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d
SHA512: c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95
-
C:\Users\Admin\AppData\Roaming\nsis_unse590ad4.dll
Filesize: 49KB
MD5: 832890fded186835970d1d3302590138
SHA1: 5385703e9dcde43e60928b2e9c941b7232468a6a
SHA256: 438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576
SHA512: 5cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1
Memory dumps
memory/208-137-0x0000000000000000-mapping.dmp
memory/208-140-0x0000000002201000-0x00000000022EA000-memory.dmp (932KB)
memory/208-141-0x00000000022F0000-0x000000000241E000-memory.dmp (1.2MB)
memory/208-142-0x0000000000400000-0x0000000000530000-memory.dmp (1.2MB)
memory/208-146-0x0000000000400000-0x0000000000530000-memory.dmp (1.2MB)
memory/208-170-0x0000000000400000-0x0000000000530000-memory.dmp (1.2MB)
memory/3428-143-0x0000000000000000-mapping.dmp
memory/3428-148-0x000000000060D000-0x0000000000627000-memory.dmp (104KB)
memory/3428-149-0x00000000005C0000-0x00000000005EA000-memory.dmp (168KB)
memory/3428-150-0x0000000000400000-0x000000000044B000-memory.dmp (300KB)
memory/3428-156-0x0000000000400000-0x000000000044B000-memory.dmp (300KB)
memory/3428-171-0x0000000000400000-0x000000000044B000-memory.dmp (300KB)
memory/3808-147-0x0000000000000000-mapping.dmp
memory/4448-162-0x0000000000000000-mapping.dmp
memory/4448-165-0x000001A04FCA0000-0x000001A04FCA7000-memory.dmp (28KB)
memory/4448-167-0x00007FF468E30000-0x00007FF468F2A000-memory.dmp (1000KB)
memory/5000-132-0x000000000063E000-0x0000000000654000-memory.dmp (88KB)
memory/5000-133-0x00000000005E0000-0x00000000005E9000-memory.dmp (36KB)
memory/5000-134-0x0000000000400000-0x0000000000446000-memory.dmp (280KB)
memory/5000-135-0x000000000063E000-0x0000000000654000-memory.dmp (88KB)
memory/5000-136-0x0000000000400000-0x0000000000446000-memory.dmp (280KB)
memory/5104-153-0x0000000000000000-mapping.dmp
memory/5104-157-0x00000000023E0000-0x0000000002405000-memory.dmp (148KB)
memory/5104-158-0x0000000000400000-0x0000000000509000-memory.dmp (1.0MB)
memory/5104-159-0x000000000057E000-0x0000000000590000-memory.dmp (72KB)
memory/5104-160-0x000000000057E000-0x0000000000590000-memory.dmp (72KB)
memory/5104-161-0x00000000027F0000-0x000000000280D000-memory.dmp (116KB)
memory/5104-166-0x0000000000400000-0x0000000000509000-memory.dmp (1.0MB)
memory/5104-168-0x000000000057E000-0x0000000000590000-memory.dmp (72KB)
memory/5104-169-0x00000000027F0000-0x000000000280D000-memory.dmp (116KB)