Analysis
- max time kernel: 91s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/01/2023, 14:26
Static task: static1
Behavioral task: behavioral1
  Sample: b1a344376e55c7c93928dd79e69f9aa3.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: b1a344376e55c7c93928dd79e69f9aa3.exe
  Resource: win10v2004-20220901-en
General
- Target: b1a344376e55c7c93928dd79e69f9aa3.exe
- Size: 5.3MB
- MD5: b1a344376e55c7c93928dd79e69f9aa3
- SHA1: 7274777ea6e14d7c81a163bc48bec63c184532bd
- SHA256: 63043e1230b491042c4a30039ae44055b99134597aaf5f659822dc321489992d
- SHA512: d0466fdeab8ccc3299da24aea54c9404afca965f2c5ee7730c6f9490ca06940db74aeff1bb25c15f9f8782b686eead8512d990df4fa617e5c05965ec1174fd00
- SSDEEP: 98304:Bvk3ipZhMK/1fc3qjFhQ+bJduoBUxxMRdrxEpJwp:Bvk3cZhPpJHJdLBUDMLrxEp2p
Malware Config
Signatures
- Detect rhadamanthys stealer shellcode (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4276-158-0x0000000000750000-0x000000000076D000-memory.dmp | family_rhadamanthys
  behavioral2/memory/4276-161-0x0000000000750000-0x000000000076D000-memory.dmp | family_rhadamanthys
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description | pid | Process | procid_target
  PID 1336 created 2396 | 1336 | b1a344376e55c7c93928dd79e69f9aa3.exe | 40
- Loads dropped DLL (1 IoCs)
  pid | Process
  1336 | b1a344376e55c7c93928dd79e69f9aa3.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid | Process
  4276 | fontview.exe
  4276 | fontview.exe
  4276 | fontview.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1336 set thread context of 1960 | 1336 | b1a344376e55c7c93928dd79e69f9aa3.exe | 85
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | fontview.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | fontview.exe
- Suspicious behavior: EnumeratesProcesses (40 IoCs)
  pid | Process
  1336 | b1a344376e55c7c93928dd79e69f9aa3.exe (this row is recorded 40 times)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 740 | wmic.exe (this sequence of 21 tokens is recorded twice)
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, SeIncreaseQuotaPrivilege | 3992 | WMIC.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target | times recorded
  PID 1336 wrote to memory of 1960 | 1336 | b1a344376e55c7c93928dd79e69f9aa3.exe | 85 | 5
  PID 1336 wrote to memory of 4276 | 1336 | b1a344376e55c7c93928dd79e69f9aa3.exe | 88 | 4
  PID 1960 wrote to memory of 740 | 1960 | ngentask.exe | 89 | 3
  PID 1960 wrote to memory of 4544 | 1960 | ngentask.exe | 91 | 3
  PID 4544 wrote to memory of 3992 | 4544 | cmd.exe | 93 | 3
  PID 1960 wrote to memory of 3872 | 1960 | ngentask.exe | 94 | 3
  PID 3872 wrote to memory of 4916 | 3872 | cmd.exe | 96 | 3
Processes
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2396
  - C:\Windows\SysWOW64\fontview.exe
    command line: "C:\Windows\SYSWOW64\fontview.exe"
    signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Checks SCSI registry key(s)
    PID: 4276
- C:\Users\Admin\AppData\Local\Temp\b1a344376e55c7c93928dd79e69f9aa3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b1a344376e55c7c93928dd79e69f9aa3.exe"
  signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  PID: 1336
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
    signatures: Suspicious use of WriteProcessMemory
    PID: 1960
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      command line: wmic os get Caption
      signatures: Suspicious use of AdjustPrivilegeToken
      PID: 740
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /C "wmic path win32_VideoController get name"
      signatures: Suspicious use of WriteProcessMemory
      PID: 4544
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic path win32_VideoController get name
        signatures: Suspicious use of AdjustPrivilegeToken
        PID: 3992
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /C "wmic cpu get name"
      signatures: Suspicious use of WriteProcessMemory
      PID: 3872
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic cpu get name
        PID: 4916
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 442KB
  MD5: acf51213c2e0b564c28cf0db859c9e38
  SHA1: 0ec6d956dd0299a8d26bd4671af11c9c3fbe2ca0
  SHA256: 643044a62d07c6725a73bce3ee702ad0c15f0fe332165821c5e7f73937f898b7
  SHA512: 15f30f50afdc2838ebdc4f38199f9857c1b9bc43350588abed404dcaef039698a2533dd5c074d2bfc88448a578c2202c033073592a9c551f7a7e4d263e293eed