Analysis

max time kernel: 91s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-01-2023 17:04
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe; Resource: win7-20221111-en)
Behavioral task: behavioral2 (Sample: file.exe; Resource: win10v2004-20220812-en)
General

Target: file.exe
Size: 2.0MB
MD5: 083b5ff18230518a7726e0701b6cb24e
SHA1: 4f20797af1ac735c735a10f57bf5e643c5418265
SHA256: 4640e5b9817fd35d92b0d0687003576c75fd4e0df34bcfa0008c6ca3450a8f6d
SHA512: 62c3da115e2628b45fa2afb8f5f9f15503db1d0c41a35aac18a4c7c1128e8d2b8aea0c386d20c08b9bfe55ca5791365fd4e84a3029a68396061156fbb7952dd7
SSDEEP: 24576:Jj9GViAmhHq2cDn9d2QKnqEtmwIqNc7COKIYJjQDQke35GCBBtEtw4ZvG0b0/6N8:J97A9itGojQ0FCtdZ+0bHNUt
Malware Config

Signatures

Detect rhadamanthys stealer shellcode (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/2252-148-0x00000000022A0000-0x00000000022BD000-memory.dmp  family_rhadamanthys
  behavioral2/memory/2252-153-0x00000000022A0000-0x00000000022BD000-memory.dmp  family_rhadamanthys

Detects LgoogLoader payload (1 IoC)
  resource                                                                      yara_rule
  behavioral2/memory/4864-142-0x0000000000610000-0x000000000061D000-memory.dmp  family_lgoogloader
LgoogLoader
A downloader capable of dropping and executing other malware families.

Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description            pid   process   target process
  PID 2372 created 2436  2372  file.exe  taskhostw.exe

Loads dropped DLL (1 IoC)
  pid   process
  2372  file.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid   process
  2252  fontview.exe (3 occurrences)

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process   target process
  PID 2372 set thread context of 4864  2372  file.exe  ngentask.exe

Program crash (2 IoCs)
  pid   pid_target  process       target process
  424   2372        WerFault.exe  file.exe
  3784  2372        WerFault.exe  file.exe

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments. The subkeys under Enum\SCSI are device instance IDs whose Ven_ and Prod_ fields name the disk vendor and product, and the HardwareID value repeats those strings; anti-VM code compares them against known hypervisor disk identifiers. Here the sandbox exposes the neutral Ven_DADY / Prod_HARDDISK.
  description        ioc                                                                                                          process
  Key queried        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                             fontview.exe
  Key enumerated     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                             fontview.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000             fontview.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  fontview.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                             fontview.exe
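The registry reads in the table above are the classic anti-VM disk probe. The script below is an added example, not code from the sample or from the sandbox report: it parses SCSI device instance IDs in the Disk&Ven_<vendor>&Prod_<product> form visible in the IoCs and flags hypervisor markers from an illustrative list (VM_MARKERS is my assumption, not something the report states). On Windows it walks the same Enum\SCSI key the sample opened, using winreg; anywhere else it runs over constructed instance IDs embedded in the block, including the one from this report.

```python
"""Classify SCSI device instance IDs the way an anti-sandbox check does.

Added example, not code from the sample or the report. The instance-ID
format (Disk&Ven_<vendor>&Prod_<product>) is the one in the registry IoCs
above; VM_MARKERS is an illustrative list of hypervisor strings (assumption).
"""
import re
import sys

# Substrings typically present in virtual-disk vendor/product names (assumption).
VM_MARKERS = ("VMWARE", "VBOX", "QEMU", "VIRTUAL")

INSTANCE_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)", re.IGNORECASE)


def parse_instance_id(instance_id):
    """Split 'Disk&Ven_DADY&Prod_HARDDISK' into its type, vendor and product fields."""
    m = INSTANCE_RE.match(instance_id)
    if not m:
        raise ValueError(f"not a SCSI instance id: {instance_id!r}")
    # Vendor/product fields are padded with underscores in some stacks; trim them.
    return {k: v.strip("_ ") for k, v in m.groupdict().items()}


def vm_indicator(device):
    """Return the marker that would expose a VM/sandbox, or None for a neutral vendor."""
    haystack = f"{device['vendor']} {device['product']}".upper()
    for marker in VM_MARKERS:
        if marker in haystack:
            return marker
    return None


def enumerate_scsi_devices(control_set="ControlSet001"):
    """Enumerate the subkeys of HKLM\\SYSTEM\\<control_set>\\Enum\\SCSI, the same
    key the sample opened and enumerated. Returns [] when not on Windows."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    path = rf"SYSTEM\{control_set}\Enum\SCSI"
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as scsi:
        subkey_count = winreg.QueryInfoKey(scsi)[0]
        for i in range(subkey_count):
            found.append(winreg.EnumKey(scsi, i))
    return found


if __name__ == "__main__":
    # Constructed sample: the instance id from this report plus two typical hypervisor strings.
    ids = enumerate_scsi_devices() or [
        "Disk&Ven_DADY&Prod_HARDDISK",
        "Disk&Ven_VBOX&Prod_HARDDISK",
        "Disk&Ven_VMware&Prod_VMware_Virtual_S",
    ]
    for iid in ids:
        dev = parse_instance_id(iid)
        print(f"{iid}: {vm_indicator(dev) or 'no VM marker'}")
```

Run on a sandbox host, the script shows exactly what the sample's HardwareID read would see; a vendor string that hits VM_MARKERS is the kind of value sandbox operators rewrite before analysis.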
Suspicious behavior: EnumeratesProcesses (46 IoCs)
  pid   process
  2372  file.exe (46 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                       pid   process
  Token: SeShutdownPrivilege        2252  fontview.exe
  Token: SeCreatePagefilePrivilege  2252  fontview.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   process   target process
  PID 2372 wrote to memory of 4864  2372  file.exe  ngentask.exe (5 occurrences)
  PID 2372 wrote to memory of 2252  2372  file.exe  fontview.exe (4 occurrences)
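Read together, the SetThreadContext and WriteProcessMemory rows show file.exe (2372) writing into and rewriting the thread context of ngentask.exe (4864), the process whose memory the LgoogLoader rule matches, while fontview.exe (2252) only receives remote writes and holds the region the Rhadamanthys shellcode rule matches; the process tree below places fontview.exe under taskhostw.exe, consistent with the NtCreateUserProcessOtherParentProcess row. The script below is an added example, not part of the report or of the sandbox's tooling: it parses the flattened signature rows and YARA memory hits copied from the tables above into a per-process view, derives region sizes from the dump names (these match the Filesize entries in the Downloads list below), and applies a process-hollowing label (ATT&CK T1055.012) that is my own mapping, not something the report asserts.

```python
"""Per-process view of the injection rows and YARA memory hits above.

Added example (not from the report). Input rows are copied from the signature
tables; the regexes and the hollowing label are mine.
"""
import re
from collections import defaultdict

# (signature name, flattened row "<description> <pid> <process> <target process>")
SIGNATURE_ROWS = [
    ("NtCreateUserProcessOtherParentProcess",
     "PID 2372 created 2436 2372 file.exe taskhostw.exe"),
    ("SetThreadContext",
     "PID 2372 set thread context of 4864 2372 file.exe ngentask.exe"),
    ("WriteProcessMemory",
     "PID 2372 wrote to memory of 4864 2372 file.exe ngentask.exe"),
    ("WriteProcessMemory",
     "PID 2372 wrote to memory of 2252 2372 file.exe fontview.exe"),
]

# YARA hits from the "Detect ..." rows: "<dump name> <rule>"
YARA_ROWS = [
    "behavioral2/memory/2252-148-0x00000000022A0000-0x00000000022BD000-memory.dmp family_rhadamanthys",
    "behavioral2/memory/2252-153-0x00000000022A0000-0x00000000022BD000-memory.dmp family_rhadamanthys",
    "behavioral2/memory/4864-142-0x0000000000610000-0x000000000061D000-memory.dmp family_lgoogloader",
]

# "PID <src> <verb> <dst> <src> <src name> <dst name>"
ROW_RE = re.compile(r"^PID (\d+) (.+?) (\d+) (\d+) (\S+) (\S+)$")
# "memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp <rule>"
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)")


def parse_signature_row(row):
    """Return (src_pid, src_name, verb, dst_pid, dst_name) for one flattened row."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    src, verb, dst, src_again, src_name, dst_name = m.groups()
    if src != src_again:
        raise ValueError(f"pid columns disagree: {row!r}")
    return int(src), src_name, verb, int(dst), dst_name


def parse_dump_hit(row):
    """Return (pid, dump_index, start, end, rule) for one YARA memory hit."""
    m = DUMP_RE.search(row)
    if not m:
        raise ValueError(f"unrecognised dump name: {row!r}")
    pid, idx, start, end, rule = m.groups()
    return int(pid), int(idx), int(start, 16), int(end, 16), rule


def build_chain(sig_rows=SIGNATURE_ROWS, yara_rows=YARA_ROWS):
    """Group, per pid: name, signature APIs that targeted it, source pids,
    YARA rules, and the dump regions (start, end, size) those rules hit."""
    procs = defaultdict(lambda: {"name": None, "apis": set(), "sources": set(),
                                 "rules": set(), "regions": {}})
    for api, row in sig_rows:
        src, src_name, _verb, dst, dst_name = parse_signature_row(row)
        procs[src]["name"] = src_name
        procs[dst]["name"] = dst_name
        procs[dst]["apis"].add(api)
        procs[dst]["sources"].add(src)
    for row in yara_rows:
        pid, idx, start, end, rule = parse_dump_hit(row)
        procs[pid]["rules"].add(rule)
        procs[pid]["regions"][idx] = (start, end, end - start)
    return dict(procs)


def looks_hollowed(info):
    """Remote write plus a thread-context rewrite on the same target is the
    process-hollowing pattern (ATT&CK T1055.012); this label is mine, not the report's."""
    return {"SetThreadContext", "WriteProcessMemory"} <= info["apis"]


def summarise(chain):
    """One line per pid: name, how it was touched, YARA rules, region sizes in KB."""
    out = []
    for pid in sorted(chain):
        info = chain[pid]
        if looks_hollowed(info):
            tag = "hollowed"
        elif "NtCreateUserProcessOtherParentProcess" in info["apis"]:
            tag = "other-parent"
        elif info["apis"]:
            tag = "remote-write"
        else:
            tag = "injector"
        sizes = ",".join(f"{s // 1024}KB" for _, _, s in info["regions"].values())
        out.append(f"{pid} {info['name']} [{tag}] rules={sorted(info['rules'])} "
                   f"sources={sorted(info['sources'])} regions={sizes or '-'}")
    return out


if __name__ == "__main__":
    print("\n".join(summarise(build_chain())))
```

The region sizes come straight out of the dump names: 0x22BD000 - 0x22A0000 is 0x1D000 bytes, the 116KB listed for the Rhadamanthys hits, and 0x61D000 - 0x610000 is the 52KB LgoogLoader region in ngentask.exe. Feeding further rows from a similar report into SIGNATURE_ROWS and YARA_ROWS gives the same per-process breakdown without reading the flattened tables by hand.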
Processes

C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  C:\Windows\SysWOW64\fontview.exe
    command line: "C:\Windows\SYSWOW64\fontview.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1268
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 528
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2372 -ip 2372

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2372 -ip 2372
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\240579250.dll
  Filesize: 335KB
  MD5: 7f179879ed169f8d23cc45eb8b614223
  SHA1: f9eca73b9ce26c80c5f2ea52c9927233550e0bba
  SHA256: 0bf6b31919f7896b2945415957fe61040e1f17bb9b0482c01ee3c12d598feb94
  SHA512: 42a4ce55bc08d1621b732368c9a7be3f65deb0675894ca546189b86b954bef8e45824eabaad32c9e2c48ca1deeae1c6d294c7118d38ecc26f2dee22d11fdd458

Memory dumps (memory/<pid>-<index>-<start>-<end>-memory.dmp)          Filesize
memory/2252-148-0x00000000022A0000-0x00000000022BD000-memory.dmp      116KB
memory/2252-153-0x00000000022A0000-0x00000000022BD000-memory.dmp      116KB
memory/2252-144-0x0000000000500000-0x0000000000535000-memory.dmp      212KB
memory/2252-146-0x0000000000500000-0x0000000000535000-memory.dmp      212KB
memory/2252-145-0x0000000000000000-mapping.dmp                        -
memory/2252-147-0x0000000000883000-0x0000000000886000-memory.dmp      12KB
memory/2252-149-0x00000000028A0000-0x00000000038A0000-memory.dmp      16.0MB
memory/2252-152-0x0000000000500000-0x0000000000535000-memory.dmp      212KB
memory/2372-132-0x00000000029B0000-0x0000000002B3C000-memory.dmp      1.5MB
memory/2372-133-0x000000000F320000-0x000000000F64E000-memory.dmp      3.2MB
memory/2372-151-0x000000000F320000-0x000000000F64E000-memory.dmp      3.2MB
memory/2372-150-0x00000000029B0000-0x0000000002B3C000-memory.dmp      1.5MB
memory/2372-134-0x000000000F320000-0x000000000F64E000-memory.dmp      3.2MB
memory/2372-154-0x00000000029B0000-0x0000000002B3C000-memory.dmp      1.5MB
memory/4864-140-0x0000000000400000-0x000000000043F000-memory.dmp      252KB
memory/4864-135-0x0000000000000000-mapping.dmp                        -
memory/4864-138-0x0000000000400000-0x000000000043F000-memory.dmp      252KB
memory/4864-136-0x0000000000400000-0x000000000043F000-memory.dmp      252KB
memory/4864-142-0x0000000000610000-0x000000000061D000-memory.dmp      52KB
memory/4864-141-0x00000000005F0000-0x00000000005F9000-memory.dmp      36KB
memory/4864-139-0x0000000000400000-0x000000000043F000-memory.dmp      252KB