Analysis
-
max time kernel
143s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
19-01-2023 02:05
Static task
static1
Behavioral task
behavioral1
Sample
9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe
Resource
win10v2004-20221111-en
General
-
Target
9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe
-
Size
1.7MB
-
MD5
3d631a7559e59537a57e9fbef5dc9d8c
-
SHA1
6f6bbfab293562ac339e2f2134c76e6aa99be5fb
-
SHA256
9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4
-
SHA512
425e65bdac791e92ee0d375da3047fe0dfc73950728b5c68df64991970cbde940896c388947585f6201cc1a5e769773d9290ff443c202e32ee55a603f87ee0e9
-
SSDEEP
49152:tQGiOdmVLsuiPTEVGdiNoVBe9ihFL3LvBH8:tQGiHQTldiNo09CzLvBc
Malware Config
Signatures
-
Detect rhadamanthys stealer shellcode 2 IoCs
Processes:
resource yara_rule behavioral1/memory/3124-151-0x0000000001570000-0x000000000158D000-memory.dmp family_rhadamanthys behavioral1/memory/3124-156-0x0000000001570000-0x000000000158D000-memory.dmp family_rhadamanthys -
Detects LgoogLoader payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/4128-144-0x00000000025F0000-0x00000000025FD000-memory.dmp family_lgoogloader -
LgoogLoader
A downloader capable of dropping and executing other malware families.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exedescription pid process target process PID 3368 created 2920 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe taskhostw.exe -
Loads dropped DLL 1 IoCs
Processes:
9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exepid process 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
fontview.exepid process 3124 fontview.exe 3124 fontview.exe 3124 fontview.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exedescription pid process target process PID 3368 set thread context of 4128 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe ngentask.exe -
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 5092 3368 WerFault.exe 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3556 3368 WerFault.exe 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
fontview.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 fontview.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID fontview.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fontview.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fontview.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fontview.exe -
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes:
9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exepid process 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
fontview.exedescription pid process Token: SeShutdownPrivilege 3124 fontview.exe Token: SeCreatePagefilePrivilege 3124 fontview.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exedescription pid process target process PID 3368 wrote to memory of 5052 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe ngentask.exe PID 3368 wrote to memory of 5052 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe ngentask.exe PID 3368 wrote to memory of 5052 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe ngentask.exe PID 3368 wrote to memory of 448 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe ngentask.exe PID 3368 wrote to memory of 448 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe ngentask.exe PID 3368 wrote to memory of 448 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe ngentask.exe PID 3368 wrote to memory of 4128 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe ngentask.exe PID 3368 wrote to memory of 4128 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe ngentask.exe PID 3368 wrote to memory of 4128 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe ngentask.exe PID 3368 wrote to memory of 4128 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe ngentask.exe PID 3368 wrote to memory of 4128 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe ngentask.exe PID 3368 wrote to memory of 3124 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe fontview.exe PID 3368 wrote to memory of 3124 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe fontview.exe PID 3368 wrote to memory of 3124 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe fontview.exe PID 3368 wrote to memory of 3124 3368 9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe fontview.exe
Processes
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\SysWOW64\fontview.exe"C:\Windows\SYSWOW64\fontview.exe"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe"C:\Users\Admin\AppData\Local\Temp\9ba9a2feb73a5cf966c84486493cd6794723538f57e9100d7e5f3bf83c148ba4.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 12642⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 12842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3368 -ip 33681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3368 -ip 33681⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\240559546.dllFilesize
442KB
MD5acf51213c2e0b564c28cf0db859c9e38
SHA10ec6d956dd0299a8d26bd4671af11c9c3fbe2ca0
SHA256643044a62d07c6725a73bce3ee702ad0c15f0fe332165821c5e7f73937f898b7
SHA51215f30f50afdc2838ebdc4f38199f9857c1b9bc43350588abed404dcaef039698a2533dd5c074d2bfc88448a578c2202c033073592a9c551f7a7e4d263e293eed
-
memory/448-136-0x0000000000000000-mapping.dmp
-
memory/3124-151-0x0000000001570000-0x000000000158D000-memory.dmpFilesize
116KB
-
memory/3124-147-0x0000000000000000-mapping.dmp
-
memory/3124-146-0x0000000001270000-0x00000000012A5000-memory.dmpFilesize
212KB
-
memory/3124-156-0x0000000001570000-0x000000000158D000-memory.dmpFilesize
116KB
-
memory/3124-155-0x0000000001270000-0x00000000012A5000-memory.dmpFilesize
212KB
-
memory/3124-153-0x00000000033E0000-0x00000000043E0000-memory.dmpFilesize
16.0MB
-
memory/3124-150-0x00000000015A5000-0x00000000015A7000-memory.dmpFilesize
8KB
-
memory/3124-149-0x00000000015A5000-0x00000000015A7000-memory.dmpFilesize
8KB
-
memory/3124-148-0x0000000001270000-0x00000000012A5000-memory.dmpFilesize
212KB
-
memory/3368-132-0x000000000C610000-0x000000000C924000-memory.dmpFilesize
3.1MB
-
memory/3368-152-0x0000000002450000-0x00000000025F0000-memory.dmpFilesize
1.6MB
-
memory/3368-157-0x0000000002450000-0x00000000025F0000-memory.dmpFilesize
1.6MB
-
memory/3368-133-0x0000000002450000-0x00000000025F0000-memory.dmpFilesize
1.6MB
-
memory/3368-134-0x000000000C610000-0x000000000C924000-memory.dmpFilesize
3.1MB
-
memory/3368-154-0x000000000C610000-0x000000000C924000-memory.dmpFilesize
3.1MB
-
memory/4128-143-0x00000000025D0000-0x00000000025D9000-memory.dmpFilesize
36KB
-
memory/4128-141-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4128-140-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4128-142-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4128-138-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4128-137-0x0000000000000000-mapping.dmp
-
memory/4128-144-0x00000000025F0000-0x00000000025FD000-memory.dmpFilesize
52KB
-
memory/5052-135-0x0000000000000000-mapping.dmp