Overview

overview

10

Static

static

cba50262e4...e6.exe

windows7-x64

8

cba50262e4...e6.exe

windows10-2004-x64

10

Resubmissions

17-01-2023 00:12

230117-ag8resbf4t 10

16-01-2023 22:23

230116-2awbasad3z 10

Analysis

  • max time kernel
    223s
  • max time network
    298s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-01-2023 00:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cba50262e42c695572cd4591b025a3f81d28243faed9db98583af59639914be6.exe

  • Size

    404.2MB

  • MD5

    fcb4b9dfe2f6ed4504410160001d03a7

  • SHA1

    2b66273ea2797e5ba3e33582da6d0f91f5e7833c

  • SHA256

    cba50262e42c695572cd4591b025a3f81d28243faed9db98583af59639914be6

  • SHA512

    3373699f165aab7cccfb6062ac3c3a49d76fc7591f971a76ce4e6d3eb7e1f0fdfad2d71a7632bd5013a44d8b718ef510f3198c87572f58d828c5d68a613a9efa

  • SSDEEP

    49152:At33d2m6BN4NPGonVbx5Y3Va5i/QWKxLBNZZcAt:iQozTG3Va5iYJxLB7ZcA

Score
10/10
rhadamanthyssystembcstealertrojan

Malware Config

Extracted

Family

systembc

C2

45.147.197.24:4001

80.89.234.122:4001

Signatures

  • Detect rhadamanthys stealer shellcode 3 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2420
      • C:\Windows\SysWOW64\fontview.exe
        "C:\Windows\SYSWOW64\fontview.exe"
        2⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:2340
    • C:\Users\Admin\AppData\Local\Temp\cba50262e42c695572cd4591b025a3f81d28243faed9db98583af59639914be6.exe
      "C:\Users\Admin\AppData\Local\Temp\cba50262e42c695572cd4591b025a3f81d28243faed9db98583af59639914be6.exe"
      1⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4512
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Pedadak moquihi kevevor ceg koxo mevologi\Jamokam quaqui woqueye yexoses mihoko foquaneh dajetifa hawohij darivif.exe"
        2⤵
        • Creates scheduled task(s)
        PID:5052
      • C:\Users\Admin\Pedadak moquihi kevevor ceg koxo mevologi\Jamokam quaqui woqueye yexoses mihoko foquaneh dajetifa hawohij darivif.exe
        "C:\Users\Admin\Pedadak moquihi kevevor ceg koxo mevologi\Jamokam quaqui woqueye yexoses mihoko foquaneh dajetifa hawohij darivif.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3544
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
          3⤵
            PID:3656
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 576
            3⤵
            • Program crash
            PID:3132
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1276
            3⤵
            • Program crash
            PID:392
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\cba50262e42c695572cd4591b025a3f81d28243faed9db98583af59639914be6.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3884
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            3⤵
              PID:3928
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              3⤵
              • Runs ping.exe
              PID:3592
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3544 -ip 3544
          1⤵
            PID:2392
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3544 -ip 3544
            1⤵
              PID:3736

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            3
            T1082

            Peripheral Device Discovery

            1
            T1120

            Remote System Discovery

            1
            T1018

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\240615062.dll
              Filesize

              442KB

              MD5

              acf51213c2e0b564c28cf0db859c9e38

              SHA1

              0ec6d956dd0299a8d26bd4671af11c9c3fbe2ca0

              SHA256

              643044a62d07c6725a73bce3ee702ad0c15f0fe332165821c5e7f73937f898b7

              SHA512

              15f30f50afdc2838ebdc4f38199f9857c1b9bc43350588abed404dcaef039698a2533dd5c074d2bfc88448a578c2202c033073592a9c551f7a7e4d263e293eed

              Download Submit
            • C:\Users\Admin\Pedadak moquihi kevevor ceg koxo mevologi\Jamokam quaqui woqueye yexoses mihoko foquaneh dajetifa hawohij darivif.exe
              Filesize

              1210.2MB

              MD5

              4ae3a6bc5a292dd96a365bb7356be231

              SHA1

              cabfa1f7ce383921cac2e1a50d917b2d2414bd44

              SHA256

              7d7dbf63e548d2a9f1c39af623693755229f89f752ac0b6b69ee562c22687c98

              SHA512

              01672f0e37cb412e2d128850ce2ac2f8cd390c1d8d0c1e4efb51a186cc861dd74a477d9eef23dcc51e303752c0c16bc093ff15cdc261be04231dafe570ff708d

              Download Submit
            • C:\Users\Admin\Pedadak moquihi kevevor ceg koxo mevologi\Jamokam quaqui woqueye yexoses mihoko foquaneh dajetifa hawohij darivif.exe
              Filesize

              1210.2MB

              MD5

              4ae3a6bc5a292dd96a365bb7356be231

              SHA1

              cabfa1f7ce383921cac2e1a50d917b2d2414bd44

              SHA256

              7d7dbf63e548d2a9f1c39af623693755229f89f752ac0b6b69ee562c22687c98

              SHA512

              01672f0e37cb412e2d128850ce2ac2f8cd390c1d8d0c1e4efb51a186cc861dd74a477d9eef23dcc51e303752c0c16bc093ff15cdc261be04231dafe570ff708d

              Download Submit
            • memory/2340-158-0x0000000000865000-0x0000000000867000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2340-153-0x0000000000000000-mapping.dmp
              Download
            • memory/2340-162-0x0000000000BB0000-0x0000000000BCD000-memory.dmp
              Filesize

              116KB

              Download
            • memory/2340-152-0x0000000000420000-0x0000000000455000-memory.dmp
              Filesize

              212KB

              Download
            • memory/2340-161-0x0000000000420000-0x0000000000455000-memory.dmp
              Filesize

              212KB

              Download
            • memory/2340-160-0x00000000026D0000-0x00000000036D0000-memory.dmp
              Filesize

              16.0MB

              Download
            • memory/2340-159-0x0000000000BB0000-0x0000000000BCD000-memory.dmp
              Filesize

              116KB

              Download
            • memory/2340-154-0x0000000000420000-0x0000000000455000-memory.dmp
              Filesize

              212KB

              Download
            • memory/2340-157-0x0000000000865000-0x0000000000867000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3544-142-0x000000000F130000-0x000000000F18E000-memory.dmp
              Filesize

              376KB

              Download
            • memory/3544-144-0x000000000F130000-0x000000000F18E000-memory.dmp
              Filesize

              376KB

              Download
            • memory/3544-143-0x00000000033F0000-0x0000000003550000-memory.dmp
              Filesize

              1.4MB

              Download
            • memory/3544-156-0x000000000F130000-0x000000000F18E000-memory.dmp
              Filesize

              376KB

              Download
            • memory/3544-155-0x00000000033F0000-0x0000000003550000-memory.dmp
              Filesize

              1.4MB

              Download
            • memory/3544-135-0x0000000000000000-mapping.dmp
              Download
            • memory/3544-163-0x00000000033F0000-0x0000000003550000-memory.dmp
              Filesize

              1.4MB

              Download
            • memory/3592-141-0x0000000000000000-mapping.dmp
              Download
            • memory/3656-146-0x0000000000400000-0x0000000000407000-memory.dmp
              Filesize

              28KB

              Download
            • memory/3656-150-0x0000000000400000-0x0000000000407000-memory.dmp
              Filesize

              28KB

              Download
            • memory/3656-148-0x0000000000400000-0x0000000000407000-memory.dmp
              Filesize

              28KB

              Download
            • memory/3656-145-0x0000000000000000-mapping.dmp
              Download
            • memory/3884-138-0x0000000000000000-mapping.dmp
              Download
            • memory/3928-140-0x0000000000000000-mapping.dmp
              Download
            • memory/4512-132-0x0000000003290000-0x00000000033F0000-memory.dmp
              Filesize

              1.4MB

              Download
            • memory/4512-139-0x0000000003290000-0x00000000033F0000-memory.dmp
              Filesize

              1.4MB

              Download
            • memory/4512-133-0x0000000003290000-0x00000000033F0000-memory.dmp
              Filesize

              1.4MB

              Download
            • memory/5052-134-0x0000000000000000-mapping.dmp
              Download