Analysis
- max time kernel: 90s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-01-2023 02:32
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20221111-en
General
- Target: file.exe
- Size: 1.8MB
- MD5: 800564a52d3834a9353b51b0fb4b5e96
- SHA1: 729830eb7053a06017062274a9b3deffa4314d41
- SHA256: a355fbce3b91a02a5b3e3af9a2b7b6fbaf9da6fdd5b2260e8e7c7b8ec1c1e2d2
- SHA512: bb47b1e7a92270f382aa2a2106b5d97d486ab2bed69aebcab5bb1582d467b3ccee9f0893261c067197eb5b5397bb0c5acef1a88f9845a1106f3a642c1275b9a7
- SSDEEP: 24576:96oZfKa9OEJ4J56LXaVBf8qFQ4HqiIYV+MfpU2tFD3c1eGDGVqk8ZVjrSOP+U:96opKa9zdLXaVBf5dqir23DGckLO2U
Malware Config
Signatures
- Detect rhadamanthys stealer shellcode (2 IoCs)
  Processes:
    resource                                                                        yara_rule
    behavioral2/memory/4716-148-0x0000000000960000-0x000000000097D000-memory.dmp   family_rhadamanthys
    behavioral2/memory/4716-149-0x0000000002790000-0x0000000003790000-memory.dmp   family_rhadamanthys
- Detects LgoogLoader payload (1 IoCs)
  Processes:
    resource                                                                        yara_rule
    behavioral2/memory/4324-142-0x0000000002F10000-0x0000000002F1D000-memory.dmp   family_lgoogloader
- LgoogLoader
  A downloader capable of dropping and executing other malware families.
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes: file.exe
    description               pid    process    target process
    PID 4248 created 2624     4248   file.exe   taskhostw.exe
- Loads dropped DLL (1 IoCs)
  Processes: file.exe
    pid    process
    4248   file.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes: fontview.exe
    pid    process
    4716   fontview.exe
    4716   fontview.exe
    4716   fontview.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: file.exe
    description                             pid    process    target process
    PID 4248 set thread context of 4324     4248   file.exe   ngentask.exe
- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
    pid    pid_target   process        target process
    1492   4248         WerFault.exe   file.exe
    2600   4248         WerFault.exe   file.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: fontview.exe
    description         ioc                                                                                                          process
    Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000              fontview.exe
    Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID   fontview.exe
    Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                             fontview.exe
    Key queried         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                             fontview.exe
    Key enumerated      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                             fontview.exe
- Suspicious behavior: EnumeratesProcesses (46 IoCs)
  Processes: file.exe
    pid    process
    4248   file.exe   (all 46 entries are identical)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: fontview.exe
    description                        pid    process
    Token: SeShutdownPrivilege         4716   fontview.exe
    Token: SeCreatePagefilePrivilege   4716   fontview.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: file.exe
    description                          pid    process    target process
    PID 4248 wrote to memory of 4324     4248   file.exe   ngentask.exe
    PID 4248 wrote to memory of 4324     4248   file.exe   ngentask.exe
    PID 4248 wrote to memory of 4324     4248   file.exe   ngentask.exe
    PID 4248 wrote to memory of 4324     4248   file.exe   ngentask.exe
    PID 4248 wrote to memory of 4324     4248   file.exe   ngentask.exe
    PID 4248 wrote to memory of 4716     4248   file.exe   fontview.exe
    PID 4248 wrote to memory of 4716     4248   file.exe   fontview.exe
    PID 4248 wrote to memory of 4716     4248   file.exe   fontview.exe
    PID 4248 wrote to memory of 4716     4248   file.exe   fontview.exe
Processes
- C:\Windows\system32\taskhostw.exe   (PID 2624)
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  - C:\Windows\SysWOW64\fontview.exe   (PID 4716)
    Command line: "C:\Windows\SYSWOW64\fontview.exe"
    Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\file.exe   (PID 4248)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe   (PID 4324)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  - C:\Windows\SysWOW64\WerFault.exe   (PID 1492)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1264
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe   (PID 2600)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1272
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe   (PID 800)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4248 -ip 4248
- C:\Windows\SysWOW64\WerFault.exe   (PID 2392)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4248 -ip 4248
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\240559515.dll
  Filesize: 335KB
  MD5: af92bfcb7e4c67628a686accbf4231df
  SHA1: e5b392743d1731ca6fbe6b344d88028588548cac
  SHA256: 959bd4b08d3f72347082976e5e6b5ad2a04201cda4a4b67d27dc3dfe04c73ebe
  SHA512: 553c992234635a6e1463ce99107346200c8fbdcfc41421021761321a5e4621db774a6a0e7df0b3883bd1d367c0a58d031443ced015e01875b88e3695fb71f23c
- memory/4248-133-0x0000000002790000-0x0000000002918000-memory.dmp
  Filesize: 1.5MB
- memory/4248-134-0x000000000C6D0000-0x000000000C9C2000-memory.dmp
  Filesize: 2.9MB
- memory/4248-153-0x0000000002790000-0x0000000002918000-memory.dmp
  Filesize: 1.5MB
- memory/4248-151-0x000000000C6D0000-0x000000000C9C2000-memory.dmp
  Filesize: 2.9MB
- memory/4248-132-0x000000000C6D0000-0x000000000C9C2000-memory.dmp
  Filesize: 2.9MB
- memory/4248-150-0x0000000002790000-0x0000000002918000-memory.dmp
  Filesize: 1.5MB
- memory/4324-138-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB
- memory/4324-139-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB
- memory/4324-142-0x0000000002F10000-0x0000000002F1D000-memory.dmp
  Filesize: 52KB
- memory/4324-140-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB
- memory/4324-141-0x0000000002EF0000-0x0000000002EF9000-memory.dmp
  Filesize: 36KB
- memory/4324-135-0x0000000000000000-mapping.dmp
- memory/4324-136-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB
- memory/4716-144-0x0000000000650000-0x0000000000685000-memory.dmp
  Filesize: 212KB
- memory/4716-148-0x0000000000960000-0x000000000097D000-memory.dmp
  Filesize: 116KB
- memory/4716-149-0x0000000002790000-0x0000000003790000-memory.dmp
  Filesize: 16.0MB
- memory/4716-147-0x0000000000A23000-0x0000000000A26000-memory.dmp
  Filesize: 12KB
- memory/4716-146-0x0000000000650000-0x0000000000685000-memory.dmp
  Filesize: 212KB
- memory/4716-152-0x0000000000650000-0x0000000000685000-memory.dmp
  Filesize: 212KB
- memory/4716-145-0x0000000000000000-mapping.dmp