Overview

overview

10

Static

static

file.exe

windows7-x64

1

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2023 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.8MB

  • MD5

    800564a52d3834a9353b51b0fb4b5e96

  • SHA1

    729830eb7053a06017062274a9b3deffa4314d41

  • SHA256

    a355fbce3b91a02a5b3e3af9a2b7b6fbaf9da6fdd5b2260e8e7c7b8ec1c1e2d2

  • SHA512

    bb47b1e7a92270f382aa2a2106b5d97d486ab2bed69aebcab5bb1582d467b3ccee9f0893261c067197eb5b5397bb0c5acef1a88f9845a1106f3a642c1275b9a7

  • SSDEEP

    24576:96oZfKa9OEJ4J56LXaVBf8qFQ4HqiIYV+MfpU2tFD3c1eGDGVqk8ZVjrSOP+U:96opKa9zdLXaVBf5dqir23DGckLO2U

Score
10/10
lgoogloaderrhadamanthysdownloaderstealer

Malware Config

Signatures

  • Detect rhadamanthys stealer shellcode 2 IoCs
  • Detects LgoogLoader payload 1 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2624
      • C:\Windows\SysWOW64\fontview.exe
        "C:\Windows\SYSWOW64\fontview.exe"
        2⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:4716
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4248
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
        2⤵
          PID:4324
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1264
          2⤵
          • Program crash
          PID:1492
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1272
          2⤵
          • Program crash
          PID:2600
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4248 -ip 4248
        1⤵
          PID:800
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4248 -ip 4248
          1⤵
            PID:2392

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\240559515.dll
            Filesize

            335KB

            MD5

            af92bfcb7e4c67628a686accbf4231df

            SHA1

            e5b392743d1731ca6fbe6b344d88028588548cac

            SHA256

            959bd4b08d3f72347082976e5e6b5ad2a04201cda4a4b67d27dc3dfe04c73ebe

            SHA512

            553c992234635a6e1463ce99107346200c8fbdcfc41421021761321a5e4621db774a6a0e7df0b3883bd1d367c0a58d031443ced015e01875b88e3695fb71f23c

            Download Submit
          • memory/4248-133-0x0000000002790000-0x0000000002918000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/4248-134-0x000000000C6D0000-0x000000000C9C2000-memory.dmp
            Filesize

            2.9MB

            Download
          • memory/4248-153-0x0000000002790000-0x0000000002918000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/4248-151-0x000000000C6D0000-0x000000000C9C2000-memory.dmp
            Filesize

            2.9MB

            Download
          • memory/4248-132-0x000000000C6D0000-0x000000000C9C2000-memory.dmp
            Filesize

            2.9MB

            Download
          • memory/4248-150-0x0000000002790000-0x0000000002918000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/4324-138-0x0000000000400000-0x000000000043E000-memory.dmp
            Filesize

            248KB

            Download
          • memory/4324-139-0x0000000000400000-0x000000000043E000-memory.dmp
            Filesize

            248KB

            Download
          • memory/4324-142-0x0000000002F10000-0x0000000002F1D000-memory.dmp
            Filesize

            52KB

            Download
          • memory/4324-140-0x0000000000400000-0x000000000043E000-memory.dmp
            Filesize

            248KB

            Download
          • memory/4324-141-0x0000000002EF0000-0x0000000002EF9000-memory.dmp
            Filesize

            36KB

            Download
          • memory/4324-135-0x0000000000000000-mapping.dmp
            Download
          • memory/4324-136-0x0000000000400000-0x000000000043E000-memory.dmp
            Filesize

            248KB

            Download
          • memory/4716-144-0x0000000000650000-0x0000000000685000-memory.dmp
            Filesize

            212KB

            Download
          • memory/4716-148-0x0000000000960000-0x000000000097D000-memory.dmp
            Filesize

            116KB

            Download
          • memory/4716-149-0x0000000002790000-0x0000000003790000-memory.dmp
            Filesize

            16.0MB

            Download
          • memory/4716-147-0x0000000000A23000-0x0000000000A26000-memory.dmp
            Filesize

            12KB

            Download
          • memory/4716-146-0x0000000000650000-0x0000000000685000-memory.dmp
            Filesize

            212KB

            Download
          • memory/4716-152-0x0000000000650000-0x0000000000685000-memory.dmp
            Filesize

            212KB

            Download
          • memory/4716-145-0x0000000000000000-mapping.dmp
            Download