Analysis

max time kernel: 1800s
max time network: 1587s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-01-2023 18:14

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win10v2004-20221111-en

General

Target: file.exe
Size: 1.8MB
MD5: dc36da0558ef0c16cd0cb8126af0f1f2
SHA1: 79453dae6980710622e51e18a305d0511a227719
SHA256: ca871a9028d80e2b3d73a8fe07b9d1628b52e0f9163402a3ab3199f512a36ab1
SHA512: 985b27688a33036911de8476707cef04a5a46cd0d5efdf1fdfd345b0bc0fbadd09b65a712567f6944745c3b51a9c741ff4cb5120028ff32661a28c33f6d38e8c
SSDEEP: 49152:z3SF3DWhFU3AcOHYFv59oa1GOWJNg8ARSuSujF+N84:z3SF3cVSOa1GvNDySbuEN8
Malware Config
Signatures
Detect rhadamanthys stealer shellcode (1 IoC)
  resource: behavioral1/memory/2472-149-0x00000000006E0000-0x00000000006FD000-memory.dmp
  yara_rule: family_rhadamanthys

Detects LgoogLoader payload (1 IoC)
  resource: behavioral1/memory/3412-142-0x00000000013A0000-0x00000000013AD000-memory.dmp
  yara_rule: family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  PID 3468 created 2548 (pid 3468, process file.exe, target process taskhostw.exe)

Loads dropped DLL (1 IoC)
  pid 3468, process file.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid 2472, process fontview.exe (3 identical entries)

Suspicious use of SetThreadContext (1 IoC)
  PID 3468 set thread context of 3412 (pid 3468, process file.exe, target process ngentask.exe)

Program crash (2 IoCs)
  pid 224, process WerFault.exe, pid_target 3468, target process file.exe
  pid 2636, process WerFault.exe, pid_target 3468, target process file.exe

Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (fontview.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (fontview.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (fontview.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (fontview.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID (fontview.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3468, process file.exe
  pid 2304, process taskmgr.exe
  (64 entries in total; identical repeated rows collapsed)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2304, process taskmgr.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeShutdownPrivilege (pid 2472, fontview.exe)
  Token: SeCreatePagefilePrivilege (pid 2472, fontview.exe)
  Token: SeDebugPrivilege (pid 2304, taskmgr.exe)
  Token: SeSystemProfilePrivilege (pid 2304, taskmgr.exe)
  Token: SeCreateGlobalPrivilege (pid 2304, taskmgr.exe)

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 2304, process taskmgr.exe (64 identical entries)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid 2304, process taskmgr.exe (64 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3468 wrote to memory of 3412 (pid 3468, process file.exe, target process ngentask.exe), 5 entries
  PID 3468 wrote to memory of 2472 (pid 3468, process file.exe, target process fontview.exe), 4 entries
Processes

Level 1: C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

  Level 2: C:\Windows\SysWOW64\fontview.exe
    Command line: "C:\Windows\SYSWOW64\fontview.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

  Level 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1200
    - Program crash

  Level 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1104
    - Program crash

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3468 -ip 3468

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3468 -ip 3468

Level 1: C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\240550531.dll
  Filesize: 335KB
  MD5: af92bfcb7e4c67628a686accbf4231df
  SHA1: e5b392743d1731ca6fbe6b344d88028588548cac
  SHA256: 959bd4b08d3f72347082976e5e6b5ad2a04201cda4a4b67d27dc3dfe04c73ebe
  SHA512: 553c992234635a6e1463ce99107346200c8fbdcfc41421021761321a5e4621db774a6a0e7df0b3883bd1d367c0a58d031443ced015e01875b88e3695fb71f23c

Memory dumps (resource, filesize):
  memory/2472-148-0x0000000000765000-0x0000000000767000-memory.dmp, 8KB
  memory/2472-147-0x0000000000765000-0x0000000000767000-memory.dmp, 8KB
  memory/2472-144-0x0000000000400000-0x0000000000435000-memory.dmp, 212KB
  memory/2472-146-0x0000000000400000-0x0000000000435000-memory.dmp, 212KB
  memory/2472-145-0x0000000000000000-mapping.dmp
  memory/2472-153-0x0000000000400000-0x0000000000435000-memory.dmp, 212KB
  memory/2472-150-0x0000000002670000-0x0000000003670000-memory.dmp, 16.0MB
  memory/2472-149-0x00000000006E0000-0x00000000006FD000-memory.dmp, 116KB
  memory/3412-140-0x0000000000400000-0x000000000043E000-memory.dmp, 248KB
  memory/3412-135-0x0000000000000000-mapping.dmp
  memory/3412-138-0x0000000000400000-0x000000000043E000-memory.dmp, 248KB
  memory/3412-136-0x0000000000400000-0x000000000043E000-memory.dmp, 248KB
  memory/3412-142-0x00000000013A0000-0x00000000013AD000-memory.dmp, 52KB
  memory/3412-141-0x0000000001380000-0x0000000001389000-memory.dmp, 36KB
  memory/3412-139-0x0000000000400000-0x000000000043E000-memory.dmp, 248KB
  memory/3468-133-0x000000000DDA0000-0x000000000E09A000-memory.dmp, 3.0MB
  memory/3468-132-0x00000000032A0000-0x000000000342A000-memory.dmp, 1.5MB
  memory/3468-134-0x000000000DDA0000-0x000000000E09A000-memory.dmp, 3.0MB
  memory/3468-151-0x00000000032A0000-0x000000000342A000-memory.dmp, 1.5MB
  memory/3468-152-0x000000000DDA0000-0x000000000E09A000-memory.dmp, 3.0MB
  memory/3468-154-0x00000000032A0000-0x000000000342A000-memory.dmp, 1.5MB