Overview

overview

10

Static

static

file.exe

windows7-x64

1

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-01-2023 17:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.0MB

  • MD5

    083b5ff18230518a7726e0701b6cb24e

  • SHA1

    4f20797af1ac735c735a10f57bf5e643c5418265

  • SHA256

    4640e5b9817fd35d92b0d0687003576c75fd4e0df34bcfa0008c6ca3450a8f6d

  • SHA512

    62c3da115e2628b45fa2afb8f5f9f15503db1d0c41a35aac18a4c7c1128e8d2b8aea0c386d20c08b9bfe55ca5791365fd4e84a3029a68396061156fbb7952dd7

  • SSDEEP

    24576:Jj9GViAmhHq2cDn9d2QKnqEtmwIqNc7COKIYJjQDQke35GCBBtEtw4ZvG0b0/6N8:J97A9itGojQ0FCtdZ+0bHNUt

Score
10/10
lgoogloaderrhadamanthysdownloaderstealer

Malware Config

Signatures

  • Detect rhadamanthys stealer shellcode 2 IoCs
  • Detects LgoogLoader payload 1 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2436
      • C:\Windows\SysWOW64\fontview.exe
        "C:\Windows\SYSWOW64\fontview.exe"
        2⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:2252
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
        2⤵
          PID:4864
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1268
          2⤵
          • Program crash
          PID:424
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 528
          2⤵
          • Program crash
          PID:3784
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2372 -ip 2372
        1⤵
          PID:3560
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2372 -ip 2372
          1⤵
            PID:5088

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\240579250.dll
            Filesize

            335KB

            MD5

            7f179879ed169f8d23cc45eb8b614223

            SHA1

            f9eca73b9ce26c80c5f2ea52c9927233550e0bba

            SHA256

            0bf6b31919f7896b2945415957fe61040e1f17bb9b0482c01ee3c12d598feb94

            SHA512

            42a4ce55bc08d1621b732368c9a7be3f65deb0675894ca546189b86b954bef8e45824eabaad32c9e2c48ca1deeae1c6d294c7118d38ecc26f2dee22d11fdd458

            Download Submit
          • memory/2252-148-0x00000000022A0000-0x00000000022BD000-memory.dmp
            Filesize

            116KB

            Download
          • memory/2252-153-0x00000000022A0000-0x00000000022BD000-memory.dmp
            Filesize

            116KB

            Download
          • memory/2252-144-0x0000000000500000-0x0000000000535000-memory.dmp
            Filesize

            212KB

            Download
          • memory/2252-146-0x0000000000500000-0x0000000000535000-memory.dmp
            Filesize

            212KB

            Download
          • memory/2252-145-0x0000000000000000-mapping.dmp
            Download
          • memory/2252-147-0x0000000000883000-0x0000000000886000-memory.dmp
            Filesize

            12KB

            Download
          • memory/2252-149-0x00000000028A0000-0x00000000038A0000-memory.dmp
            Filesize

            16.0MB

            Download
          • memory/2252-152-0x0000000000500000-0x0000000000535000-memory.dmp
            Filesize

            212KB

            Download
          • memory/2372-132-0x00000000029B0000-0x0000000002B3C000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/2372-133-0x000000000F320000-0x000000000F64E000-memory.dmp
            Filesize

            3.2MB

            Download
          • memory/2372-151-0x000000000F320000-0x000000000F64E000-memory.dmp
            Filesize

            3.2MB

            Download
          • memory/2372-150-0x00000000029B0000-0x0000000002B3C000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/2372-134-0x000000000F320000-0x000000000F64E000-memory.dmp
            Filesize

            3.2MB

            Download
          • memory/2372-154-0x00000000029B0000-0x0000000002B3C000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/4864-140-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/4864-135-0x0000000000000000-mapping.dmp
            Download
          • memory/4864-138-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/4864-136-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/4864-142-0x0000000000610000-0x000000000061D000-memory.dmp
            Filesize

            52KB

            Download
          • memory/4864-141-0x00000000005F0000-0x00000000005F9000-memory.dmp
            Filesize

            36KB

            Download
          • memory/4864-139-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download