Analysis
  max time kernel: 148s
  max time network: 146s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 30-01-2023 18:46
Static task: static1
Behavioral task: behavioral1
  Sample: b002e90f98f6643ade82b4d657b920bc.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b002e90f98f6643ade82b4d657b920bc.exe
  Resource: win10v2004-20220812-en
General
  Target: b002e90f98f6643ade82b4d657b920bc.exe
  Size: 1.6MB
  MD5: b002e90f98f6643ade82b4d657b920bc
  SHA1: 2c56bae21ca4cc1d16c58a7f53add0a8ac54fa57
  SHA256: 8a1197f828988b534acf6542b5ee75239c35fc94aeeee293e45d1d01d512b29d
  SHA512: c0870f71a2d237f90a0bbf982fb69bae82391efb1bb0806af557a406d1d23ec7838e52ab4c8d8144feeec24cd827e78e1506310eab2b1fc831aef17f8cefa87c
  SSDEEP: 24576:+7hfMeJ3ruTTdFkaasfMLAjJvrypuvGPp+2dhvj8OjzEJjug8q6x5h5T7U9NKLTj:YhfMeVrulF3LCJue5z8OjIJJi
Malware Config
Extracted
  Family: raccoon
  eb3a206cd939601b2a6d00ea009a6d7e
  http://195.123.241.57/
Signatures

Detect rhadamanthys stealer shellcode (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3280-149-0x0000000002D10000-0x0000000002D2D000-memory.dmp | family_rhadamanthys
  behavioral2/memory/3280-150-0x0000000003230000-0x0000000004230000-memory.dmp | family_rhadamanthys

Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | process | target process
  PID 4588 created 2944 | 4588 | b002e90f98f6643ade82b4d657b920bc.exe | taskhostw.exe

Loads dropped DLL (1 IoC)
  pid | process
  4588 | b002e90f98f6643ade82b4d657b920bc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid | process
  3280 | fontview.exe
  3280 | fontview.exe
  3280 | fontview.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 4588 set thread context of 4324 | 4588 | b002e90f98f6643ade82b4d657b920bc.exe | ngentask.exe

Program crash (2 IoCs)
  pid | pid_target | process | target process
  3144 | 4588 | WerFault.exe | b002e90f98f6643ade82b4d657b920bc.exe
  2340 | 4588 | WerFault.exe | b002e90f98f6643ade82b4d657b920bc.exe

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | fontview.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | fontview.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe

Suspicious behavior: EnumeratesProcesses (46 IoCs)
  pid | process
  4588 | b002e90f98f6643ade82b4d657b920bc.exe (46 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeShutdownPrivilege | 3280 | fontview.exe
  Token: SeCreatePagefilePrivilege | 3280 | fontview.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 4588 wrote to memory of 4324 | 4588 | b002e90f98f6643ade82b4d657b920bc.exe | ngentask.exe (5 identical entries)
  PID 4588 wrote to memory of 3280 | 4588 | b002e90f98f6643ade82b4d657b920bc.exe | fontview.exe (4 identical entries)
Processes

C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  child: C:\Windows\SysWOW64\fontview.exe
    command line: "C:\Windows\SYSWOW64\fontview.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\b002e90f98f6643ade82b4d657b920bc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b002e90f98f6643ade82b4d657b920bc.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  child: C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 580
    - Program crash
  child: C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 572
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4588 -ip 4588

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4588 -ip 4588
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\240681218.dll
  Filesize: 335KB
  MD5: f56b1b3fe0c50c6ed0fad54627df7a9a
  SHA1: 05742c9ad28475c7afdd3d6a63dd9200fc0b9f72
  SHA256: e8f71da41bbc272ef84589a7575b13b8b5d6d5d01796b3af033682657263c53b
  SHA512: fde2089bcdf19cdb9d27763e4d3294a0e42cd0a3132463636610d85c3903b885be6142d3b42204e89b76b5595e8b132580c8a5c60ced96d042ad96bcfe29b1c9

memory/3280-149-0x0000000002D10000-0x0000000002D2D000-memory.dmp
  Filesize: 116KB

memory/3280-146-0x0000000000F70000-0x0000000000FA5000-memory.dmp
  Filesize: 212KB

memory/3280-143-0x0000000000F70000-0x0000000000FA5000-memory.dmp
  Filesize: 212KB

memory/3280-144-0x0000000000000000-mapping.dmp

memory/3280-152-0x0000000000F70000-0x0000000000FA5000-memory.dmp
  Filesize: 212KB

memory/3280-150-0x0000000003230000-0x0000000004230000-memory.dmp
  Filesize: 16.0MB

memory/3280-148-0x00000000013D5000-0x00000000013D7000-memory.dmp
  Filesize: 8KB

memory/3280-147-0x00000000013D4000-0x00000000013D7000-memory.dmp
  Filesize: 12KB

memory/4324-139-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB

memory/4324-145-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB

memory/4324-141-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB

memory/4324-137-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB

memory/4324-136-0x0000000000000000-mapping.dmp

memory/4588-153-0x0000000002DD0000-0x0000000002F25000-memory.dmp
  Filesize: 1.3MB

memory/4588-135-0x000000000E410000-0x000000000E531000-memory.dmp
  Filesize: 1.1MB

memory/4588-133-0x0000000002DD0000-0x0000000002F25000-memory.dmp
  Filesize: 1.3MB

memory/4588-132-0x0000000002DD0000-0x0000000002F25000-memory.dmp
  Filesize: 1.3MB

memory/4588-134-0x000000000E410000-0x000000000E531000-memory.dmp
  Filesize: 1.1MB

memory/4588-151-0x000000000E410000-0x000000000E531000-memory.dmp
  Filesize: 1.1MB