Analysis
max time kernel: 90s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-01-2023 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20221111-en
General
Target: file.exe
Size: 1.8MB
MD5: d62c0adb7bb8113e33b6d1edc9a1a511
SHA1: c527022d7a129c12c5b71116da750f41cf9d868f
SHA256: 140b117ebb69f027d931787d2a3b0bb445a655e5460c1100b808297c482ae1f5
SHA512: bf9687f7a2694939818d3a4e58171d6b80204e85f4e1f32bcdb060eb66ece38370e08107253e4687df57f132fdb1f24ef3ac3cdc31dad553b203821ff4d38ddb
SSDEEP: 49152:VKX23JkRwZq810P9GNu8Tj05WQOmtgEdnXROt0OQ:VKm3KRwZq810PgN1QwmtgEdnXROK9
Signatures
-
Detect rhadamanthys stealer shellcode (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1856-149-0x0000000001260000-0x000000000127D000-memory.dmp  family_rhadamanthys
  behavioral2/memory/1856-154-0x0000000001260000-0x000000000127D000-memory.dmp  family_rhadamanthys
-
Detects LgoogLoader payload (1 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4372-142-0x0000000002B30000-0x0000000002B3D000-memory.dmp  family_lgoogloader
-
LgoogLoader
A downloader capable of dropping and executing other malware families.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description            pid   process   target process
  PID 3152 created 2660  3152  file.exe  taskhostw.exe
-
Loads dropped DLL (1 IoCs)
  pid   process
  3152  file.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid   process
  1856  fontview.exe  (3 occurrences)
-
Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   process   target process
  PID 3152 set thread context of 4372  3152  file.exe  ngentask.exe
-
Program crash (2 IoCs)
  pid   pid_target  process       target process
  2292  3152        WerFault.exe  file.exe
  1836  3152        WerFault.exe  file.exe
-
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
The vendor and product strings of the enumerated SCSI disks are commonly read to detect virtual machines and sandboxes. Here fontview.exe (PID 1856) enumerates Enum\SCSI and reads the HardwareID of the only disk instance, which this sandbox presents with the bland vendor "DADY" and product "HARDDISK" rather than a hypervisor's own strings.
  description        ioc                                                                                                       process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  fontview.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                          fontview.exe
  Key queried        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                          fontview.exe
  Key enumerated     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                          fontview.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000           fontview.exe
-
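The following is an added example, not the sandbox's signature logic or code from the sample. It parses the Enum\SCSI device-instance paths listed above into vendor/product pairs, checks them against a list of hypervisor disk strings (the list, and the event tuples built from the five IoCs above, are assumptions made for the example), and reports per process which instances and values were read. Run against this report's events it confirms what the sample saw: one disk, vendor DADY, product HARDDISK, no hypervisor marker.

```python
import re
from collections import defaultdict

# Substrings that identify a virtual disk in the Ven_/Prod_ fields. Hypervisors expose
# e.g. Ven_VMware&Prod_Virtual_disk, Ven_VBOX&Prod_HARDDISK, Ven_QEMU&Prod_QEMU_HARDDISK
# or Ven_Msft&Prod_Virtual_Disk; the list here is an assumption for the example.
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "XEN", "VIRTUAL", "VIRTIO")

SCSI_ENUM = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"

# <class>&Ven_<vendor>&Prod_<product> as it appears in a SCSI device-instance path.
INSTANCE_RE = re.compile(
    r"(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)", re.IGNORECASE)

# Registry-access events constructed from the 'Checks SCSI registry key(s)' table:
# (action, path, process).
REPORT_EVENTS = [
    ("Key opened", SCSI_ENUM, "fontview.exe"),
    ("Key queried", SCSI_ENUM, "fontview.exe"),
    ("Key enumerated", SCSI_ENUM, "fontview.exe"),
    ("Key opened", SCSI_ENUM + r"\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000", "fontview.exe"),
    ("Key value queried",
     SCSI_ENUM + r"\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID", "fontview.exe"),
]


def parse_scsi_instance(path: str):
    """Pull device class, vendor and product out of a SCSI device-instance path, or None."""
    m = INSTANCE_RE.search(path)
    if not m:
        return None
    return {
        "class": m["cls"],
        "vendor": m["vendor"].strip("_"),
        "product": m["product"].strip("_").replace("_", " "),
    }


def vm_markers(vendor: str, product: str):
    """Hypervisor-identifying substrings present in a vendor/product pair (empty if none)."""
    haystack = f"{vendor} {product}".upper().replace("_", " ")
    return [marker for marker in VM_MARKERS if marker in haystack]


def audit_scsi_access(events):
    """Per process: Enum\\SCSI instances touched (with any VM markers they expose),
    value names read, and the number of Enum\\SCSI accesses."""
    report = defaultdict(lambda: {"instances": {}, "values_read": set(), "actions": 0})
    for action, path, process in events:
        if not path.upper().startswith(SCSI_ENUM.upper()):
            continue
        entry = report[process]
        entry["actions"] += 1
        inst = parse_scsi_instance(path)
        if inst:
            entry["instances"][f"{inst['vendor']}/{inst['product']}"] = vm_markers(
                inst["vendor"], inst["product"])
        if action == "Key value queried":
            # Last path component is the value name, e.g. HardwareID.
            entry["values_read"].add(path.rsplit("\\", 1)[-1])
    return dict(report)


def verdict(entry) -> str:
    """What the sample could learn: a hypervisor string, a sanitised disk, or nothing yet."""
    if not entry["instances"]:
        return "enumerated_only"
    if any(entry["instances"].values()):
        return "vm_revealed"
    return "sanitised"


if __name__ == "__main__":
    for process, entry in audit_scsi_access(REPORT_EVENTS).items():
        print(process, verdict(entry), entry)
```

The same parser applied to a real VM path, for example Disk&Ven_VMware&Prod_Virtual_disk, returns the VMWARE and VIRTUAL markers, which is exactly the string comparison an anti-sandbox check performs; a sandbox that renames the vendor, as this one did, defeats that check only if the sample does not fall back on other artefacts.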
Suspicious behavior: EnumeratesProcesses (46 IoCs)
  pid   process
  3152  file.exe  (46 occurrences)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                       pid   process
  Token: SeShutdownPrivilege        1856  fontview.exe
  Token: SeCreatePagefilePrivilege  1856  fontview.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   process   target process
  PID 3152 wrote to memory of 4372  3152  file.exe  ngentask.exe  (5 occurrences)
  PID 3152 wrote to memory of 1856  3152  file.exe  fontview.exe  (4 occurrences)
Processes
C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2660
    C:\Windows\SysWOW64\fontview.exe
      command line: "C:\Windows\SYSWOW64\fontview.exe"
      PID: 1856
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks SCSI registry key(s)
      - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 3152
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      PID: 4372
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 576
      PID: 2292
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 836
      PID: 1836
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3152 -ip 3152
  PID: 760
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3152 -ip 3152
  PID: 1840
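The tree and the signature tables together describe one injection chain: file.exe (3152) writes into and sets the thread context of its own child ngentask.exe (4372), where the LgoogLoader YARA rule fires, and writes into fontview.exe (1856), which the tree shows under taskhostw.exe (2660) because of the NtCreateUserProcessOtherParentProcess call, and where the Rhadamanthys rule fires. The following is an added example, not the sandbox's own detection code: it encodes those events as tuples and runs three checks over them, one for a spoofed parent, one for the WriteProcessMemory-then-SetThreadContext hollowing pattern, and one for writes into a process the writer does not parent. The `creator` of fontview.exe is assumed to be 3152 (inferred from the signature and the four writes, not stated explicitly by the report), and in practice that field must come from telemetry that records the calling process separately from the declared parent.

```python
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid creator image")

# Constructed from this report's process tree. `ppid` is the parent the tree shows;
# `creator` is the process whose NtCreateUserProcess call produced it (None when unknown).
# ASSUMPTION: fontview.exe's creator is 3152, inferred from the
# NtCreateUserProcessOtherParentProcess signature and file.exe's writes into it.
PROCESSES = [
    Proc(2660, None, None, r"C:\Windows\system32\taskhostw.exe"),
    Proc(3152, None, None, r"C:\Users\Admin\AppData\Local\Temp\file.exe"),
    Proc(1856, 2660, 3152, r"C:\Windows\SysWOW64\fontview.exe"),
    Proc(4372, 3152, 3152, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"),
    Proc(2292, 3152, 3152, r"C:\Windows\SysWOW64\WerFault.exe"),
    Proc(1836, 3152, 3152, r"C:\Windows\SysWOW64\WerFault.exe"),
    Proc(760, None, None, r"C:\Windows\SysWOW64\WerFault.exe"),
    Proc(1840, None, None, r"C:\Windows\SysWOW64\WerFault.exe"),
]

# (api, source pid, target pid), copied from the WriteProcessMemory and SetThreadContext tables.
API_EVENTS = (
    [("WriteProcessMemory", 3152, 4372)] * 5
    + [("WriteProcessMemory", 3152, 1856)] * 4
    + [("SetThreadContext", 3152, 4372)]
)


def find_ppid_spoofing(procs):
    """PIDs whose recorded creator differs from the parent shown in the tree."""
    return [p.pid for p in procs if p.creator is not None and p.creator != p.ppid]


def find_hollowing(procs, events):
    """(source, target) pairs where a parent wrote into its own child and then set a
    thread context on it: the classic hollowing sequence behind the SetThreadContext IoC."""
    by_pid = {p.pid: p for p in procs}
    wrote = defaultdict(set)
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            wrote[dst].add(src)
    return [(src, dst) for api, src, dst in events
            if api == "SetThreadContext" and src in wrote[dst] and by_pid[dst].ppid == src]


def find_cross_tree_injection(procs, events):
    """(source, target) pairs where a process wrote into a process it does not parent."""
    by_pid = {p.pid: p for p in procs}
    return sorted({(src, dst) for api, src, dst in events
                   if api == "WriteProcessMemory" and by_pid[dst].ppid != src})


def triage(procs, events):
    """Summarise the chain as (finding, detail) tuples in a fixed order."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for pid in find_ppid_spoofing(procs):
        p = by_pid[pid]
        findings.append(("ppid_spoofing",
                         f"{p.image} ({pid}) created by {p.creator}, shown under parent {p.ppid}"))
    for src, dst in find_hollowing(procs, events):
        findings.append(("process_hollowing",
                         f"{by_pid[src].image} ({src}) -> {by_pid[dst].image} ({dst})"))
    for src, dst in find_cross_tree_injection(procs, events):
        findings.append(("remote_injection",
                         f"{by_pid[src].image} ({src}) -> {by_pid[dst].image} ({dst})"))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(PROCESSES, API_EVENTS):
        print(f"{finding:20} {detail}")
```

Because the hollowing check requires the writer to be the target's tree parent, and the cross-tree check requires it not to be, the two injection targets here are reported once each and with the right label; a tree-only view would miss the fontview.exe injection entirely, since nothing in the tree links it to file.exe.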
Downloads
C:\Users\Admin\AppData\Local\Temp\240546203.dll
  Filesize: 335KB
  MD5: af92bfcb7e4c67628a686accbf4231df
  SHA1: e5b392743d1731ca6fbe6b344d88028588548cac
  SHA256: 959bd4b08d3f72347082976e5e6b5ad2a04201cda4a4b67d27dc3dfe04c73ebe
  SHA512: 553c992234635a6e1463ce99107346200c8fbdcfc41421021761321a5e4621db774a6a0e7df0b3883bd1d367c0a58d031443ced015e01875b88e3695fb71f23c
Memory dumps (PID 1856, fontview.exe)
  memory/1856-144-0x0000000000D50000-0x0000000000D85000-memory.dmp  Filesize: 212KB
  memory/1856-145-0x0000000000000000-mapping.dmp
  memory/1856-146-0x0000000000D50000-0x0000000000D85000-memory.dmp  Filesize: 212KB
  memory/1856-147-0x00000000012B5000-0x00000000012B7000-memory.dmp  Filesize: 8KB
  memory/1856-148-0x00000000012B5000-0x00000000012B7000-memory.dmp  Filesize: 8KB
  memory/1856-149-0x0000000001260000-0x000000000127D000-memory.dmp  Filesize: 116KB
  memory/1856-150-0x0000000003010000-0x0000000004010000-memory.dmp  Filesize: 16.0MB
  memory/1856-151-0x0000000000D50000-0x0000000000D85000-memory.dmp  Filesize: 212KB
  memory/1856-154-0x0000000001260000-0x000000000127D000-memory.dmp  Filesize: 116KB
Memory dumps (PID 3152, file.exe)
  memory/3152-132-0x000000000C3C0000-0x000000000C69C000-memory.dmp  Filesize: 2.9MB
  memory/3152-133-0x0000000002880000-0x0000000002A03000-memory.dmp  Filesize: 1.5MB
  memory/3152-134-0x000000000C3C0000-0x000000000C69C000-memory.dmp  Filesize: 2.9MB
  memory/3152-152-0x0000000002880000-0x0000000002A03000-memory.dmp  Filesize: 1.5MB
  memory/3152-153-0x000000000C3C0000-0x000000000C69C000-memory.dmp  Filesize: 2.9MB
  memory/3152-155-0x0000000002880000-0x0000000002A03000-memory.dmp  Filesize: 1.5MB
Memory dumps (PID 4372, ngentask.exe)
  memory/4372-135-0x0000000000000000-mapping.dmp
  memory/4372-136-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
  memory/4372-138-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
  memory/4372-139-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
  memory/4372-140-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
  memory/4372-141-0x0000000002B10000-0x0000000002B19000-memory.dmp  Filesize: 36KB
  memory/4372-142-0x0000000002B30000-0x0000000002B3D000-memory.dmp  Filesize: 52KB