Analysis
- max time kernel: 106s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-01-2023 18:11
- Static task: static1
- Behavioral task behavioral1: sample file.exe, resource win7-20221111-en
- Behavioral task behavioral2: sample file.exe, resource win10v2004-20221111-en
General
- Target: file.exe
- Size: 1.8MB
- MD5: dc36da0558ef0c16cd0cb8126af0f1f2
- SHA1: 79453dae6980710622e51e18a305d0511a227719
- SHA256: ca871a9028d80e2b3d73a8fe07b9d1628b52e0f9163402a3ab3199f512a36ab1
- SHA512: 985b27688a33036911de8476707cef04a5a46cd0d5efdf1fdfd345b0bc0fbadd09b65a712567f6944745c3b51a9c741ff4cb5120028ff32661a28c33f6d38e8c
- SSDEEP: 49152:z3SF3DWhFU3AcOHYFv59oa1GOWJNg8ARSuSujF+N84:z3SF3cVSOa1GvNDySbuEN8
Signatures
- Detect rhadamanthys stealer shellcode (2 IoCs)
  Processes (resource | yara_rule):
  behavioral2/memory/744-149-0x0000000000800000-0x000000000081D000-memory.dmp | family_rhadamanthys
  behavioral2/memory/744-150-0x00000000024F0000-0x00000000034F0000-memory.dmp | family_rhadamanthys
- Detects LgoogLoader payload (1 IoC)
  Processes (resource | yara_rule):
  behavioral2/memory/2224-142-0x0000000000AB0000-0x0000000000ABD000-memory.dmp | family_lgoogloader
- LgoogLoader: A downloader capable of dropping and executing other malware families.
- Rhadamanthys: Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
  PID 1536 created 2848 | 1536 | file.exe | taskhostw.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  1536 | file.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes (pid | process):
  744 | fontview.exe (3 occurrences)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 1536 set thread context of 2224 | 1536 | file.exe | ngentask.exe
- Program crash (2 IoCs)
  Processes (pid | pid_target | process | target process):
  3084 | 1536 | WerFault.exe | file.exe
  1940 | 1536 | WerFault.exe | file.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | fontview.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | fontview.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
- Suspicious behavior: EnumeratesProcesses (46 IoCs)
  Processes (pid | process):
  1536 | file.exe (46 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeShutdownPrivilege | 744 | fontview.exe
  Token: SeCreatePagefilePrivilege | 744 | fontview.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
  PID 1536 wrote to memory of 2224 | 1536 | file.exe | ngentask.exe (5 occurrences)
  PID 1536 wrote to memory of 744 | 1536 | file.exe | fontview.exe (4 occurrences)
Processes
- C:\Windows\system32\taskhostw.exe (PID 2848), command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  - C:\Windows\SysWOW64\fontview.exe (PID 744), command line: "C:\Windows\SYSWOW64\fontview.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 1536), command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (PID 2224), command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  - C:\Windows\SysWOW64\WerFault.exe (PID 3084), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 480
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 1940), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 504
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3720), command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1536 -ip 1536
- C:\Windows\SysWOW64\WerFault.exe (PID 3596), command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1536 -ip 1536
Downloads
- C:\Users\Admin\AppData\Local\Temp\240542734.dll
  Filesize: 335KB
  MD5: af92bfcb7e4c67628a686accbf4231df
  SHA1: e5b392743d1731ca6fbe6b344d88028588548cac
  SHA256: 959bd4b08d3f72347082976e5e6b5ad2a04201cda4a4b67d27dc3dfe04c73ebe
  SHA512: 553c992234635a6e1463ce99107346200c8fbdcfc41421021761321a5e4621db774a6a0e7df0b3883bd1d367c0a58d031443ced015e01875b88e3695fb71f23c
- memory/744-148-0x00000000008E5000-0x00000000008E7000-memory.dmp (Filesize 8KB)
- memory/744-153-0x0000000000150000-0x0000000000185000-memory.dmp (Filesize 212KB)
- memory/744-144-0x0000000000150000-0x0000000000185000-memory.dmp (Filesize 212KB)
- memory/744-146-0x0000000000150000-0x0000000000185000-memory.dmp (Filesize 212KB)
- memory/744-145-0x0000000000000000-mapping.dmp
- memory/744-147-0x00000000008E5000-0x00000000008E7000-memory.dmp (Filesize 8KB)
- memory/744-149-0x0000000000800000-0x000000000081D000-memory.dmp (Filesize 116KB)
- memory/744-150-0x00000000024F0000-0x00000000034F0000-memory.dmp (Filesize 16.0MB)
- memory/1536-152-0x000000000F110000-0x000000000F40A000-memory.dmp (Filesize 3.0MB)
- memory/1536-133-0x00000000028C0000-0x0000000002A4A000-memory.dmp (Filesize 1.5MB)
- memory/1536-151-0x00000000028C0000-0x0000000002A4A000-memory.dmp (Filesize 1.5MB)
- memory/1536-132-0x000000000F110000-0x000000000F40A000-memory.dmp (Filesize 3.0MB)
- memory/1536-134-0x000000000F110000-0x000000000F40A000-memory.dmp (Filesize 3.0MB)
- memory/1536-154-0x00000000028C0000-0x0000000002A4A000-memory.dmp (Filesize 1.5MB)
- memory/2224-140-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/2224-136-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/2224-138-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/2224-135-0x0000000000000000-mapping.dmp
- memory/2224-141-0x0000000000A90000-0x0000000000A99000-memory.dmp (Filesize 36KB)
- memory/2224-142-0x0000000000AB0000-0x0000000000ABD000-memory.dmp (Filesize 52KB)
- memory/2224-139-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)