Analysis
-
max time kernel
98s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20221111-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
20-01-2023 19:52
Static task
static1
Behavioral task
behavioral1
Sample
3db927e91aa47ba30e91c0aa6bc9cd31.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
3db927e91aa47ba30e91c0aa6bc9cd31.exe
Resource
win10v2004-20221111-en
General
-
Target
3db927e91aa47ba30e91c0aa6bc9cd31.exe
-
Size
1.7MB
-
MD5
3db927e91aa47ba30e91c0aa6bc9cd31
-
SHA1
cad0e1f5ee6ddc8b4e0e785d034bcb793d03ac8a
-
SHA256
d25cffb2218f3a928e86fa11cfc0934da096abdeaf2fbaa53eb3313ecdd89ee2
-
SHA512
066d6783d29a435acd9cf81fa868b56376621fe45064a192799a809eb177eeacb0f39e126e6747d772b3125fb26db0d9f2e673655c928380d3d1ce55b2198e98
-
SSDEEP
49152:rRycJuiThl8k6xTU/gP0vSI2ok4tWIg3OM/:1ycJuiThl8k6x+gMvj2v4QIyOO
Malware Config
Signatures
-
Detect rhadamanthys stealer shellcode 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1124-149-0x0000000000A00000-0x0000000000A1D000-memory.dmp | family_rhadamanthys
behavioral2/memory/1124-150-0x0000000002800000-0x0000000003800000-memory.dmp | family_rhadamanthys
behavioral2/memory/1124-154-0x0000000000A00000-0x0000000000A1D000-memory.dmp | family_rhadamanthys
-
Detects LgoogLoader payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4088-142-0x0000000000CA0000-0x0000000000CAD000-memory.dmp | family_lgoogloader
-
LgoogLoader
A downloader capable of dropping and executing other malware families.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
3db927e91aa47ba30e91c0aa6bc9cd31.exe
description | pid | process | target process
PID 2700 created 2780 | 2700 | 3db927e91aa47ba30e91c0aa6bc9cd31.exe | taskhostw.exe
-
Loads dropped DLL 1 IoCs
Processes:
3db927e91aa47ba30e91c0aa6bc9cd31.exe
pid | process
2700 | 3db927e91aa47ba30e91c0aa6bc9cd31.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
fontview.exe
pid | process
1124 | fontview.exe
1124 | fontview.exe
1124 | fontview.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
3db927e91aa47ba30e91c0aa6bc9cd31.exe
description | pid | process | target process
PID 2700 set thread context of 4088 | 2700 | 3db927e91aa47ba30e91c0aa6bc9cd31.exe | ngentask.exe
-
Program crash 2 IoCs
Processes:
WerFault.exe, WerFault.exe
pid | pid_target | process | target process
2952 | 2700 | WerFault.exe | 3db927e91aa47ba30e91c0aa6bc9cd31.exe
684 | 2700 | WerFault.exe | 3db927e91aa47ba30e91c0aa6bc9cd31.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
fontview.exe
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | fontview.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | fontview.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes:
3db927e91aa47ba30e91c0aa6bc9cd31.exe
pid | process
2700 | 3db927e91aa47ba30e91c0aa6bc9cd31.exe (40 identical entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
fontview.exe
description | pid | process
Token: SeShutdownPrivilege | 1124 | fontview.exe
Token: SeCreatePagefilePrivilege | 1124 | fontview.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
3db927e91aa47ba30e91c0aa6bc9cd31.exe
description | pid | process | target process
PID 2700 wrote to memory of 4088 | 2700 | 3db927e91aa47ba30e91c0aa6bc9cd31.exe | ngentask.exe (5 identical entries)
PID 2700 wrote to memory of 1124 | 2700 | 3db927e91aa47ba30e91c0aa6bc9cd31.exe | fontview.exe (4 identical entries)
Processes
-
C:\Windows\system32\taskhostw.exe
Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  -
  C:\Windows\SysWOW64\fontview.exe
  Command line: "C:\Windows\SYSWOW64\fontview.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\3db927e91aa47ba30e91c0aa6bc9cd31.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3db927e91aa47ba30e91c0aa6bc9cd31.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  -
  C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1264
  - Program crash
  -
  C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1256
  - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2700 -ip 2700
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2700 -ip 2700
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\240552656.dll
Filesize: 335KB
MD5: af92bfcb7e4c67628a686accbf4231df
SHA1: e5b392743d1731ca6fbe6b344d88028588548cac
SHA256: 959bd4b08d3f72347082976e5e6b5ad2a04201cda4a4b67d27dc3dfe04c73ebe
SHA512: 553c992234635a6e1463ce99107346200c8fbdcfc41421021761321a5e4621db774a6a0e7df0b3883bd1d367c0a58d031443ced015e01875b88e3695fb71f23c
-
memory/1124-148-0x0000000000A45000-0x0000000000A47000-memory.dmp
Filesize: 8KB
-
memory/1124-150-0x0000000002800000-0x0000000003800000-memory.dmp
Filesize: 16.0MB
-
memory/1124-145-0x0000000000000000-mapping.dmp
-
memory/1124-144-0x0000000000700000-0x0000000000735000-memory.dmp
Filesize: 212KB
-
memory/1124-154-0x0000000000A00000-0x0000000000A1D000-memory.dmp
Filesize: 116KB
-
memory/1124-153-0x0000000000700000-0x0000000000735000-memory.dmp
Filesize: 212KB
-
memory/1124-147-0x0000000000A45000-0x0000000000A47000-memory.dmp
Filesize: 8KB
-
memory/1124-149-0x0000000000A00000-0x0000000000A1D000-memory.dmp
Filesize: 116KB
-
memory/1124-146-0x0000000000700000-0x0000000000735000-memory.dmp
Filesize: 212KB
-
memory/2700-152-0x000000000BA30000-0x000000000BD0F000-memory.dmp
Filesize: 2.9MB
-
memory/2700-155-0x0000000002620000-0x00000000027AB000-memory.dmp
Filesize: 1.5MB
-
memory/2700-151-0x0000000002620000-0x00000000027AB000-memory.dmp
Filesize: 1.5MB
-
memory/2700-133-0x000000000BA30000-0x000000000BD0F000-memory.dmp
Filesize: 2.9MB
-
memory/2700-134-0x000000000BA30000-0x000000000BD0F000-memory.dmp
Filesize: 2.9MB
-
memory/2700-132-0x0000000002620000-0x00000000027AB000-memory.dmp
Filesize: 1.5MB
-
memory/4088-140-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB
-
memory/4088-142-0x0000000000CA0000-0x0000000000CAD000-memory.dmp
Filesize: 52KB
-
memory/4088-135-0x0000000000000000-mapping.dmp
-
memory/4088-141-0x0000000000C80000-0x0000000000C89000-memory.dmp
Filesize: 36KB
-
memory/4088-139-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB
-
memory/4088-138-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB
-
memory/4088-136-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB