Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-02-2023 08:38
Static task: static1

Behavioral task: behavioral1
  Sample: 036d8f6b86325c18fa71a7d922ec6ff3.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 036d8f6b86325c18fa71a7d922ec6ff3.exe
  Resource: win10v2004-20221111-en
General

Target: 036d8f6b86325c18fa71a7d922ec6ff3.exe
Size: 7KB
MD5: 036d8f6b86325c18fa71a7d922ec6ff3
SHA1: f73f4a8fd8a4f5a2c66fc425d571b3b1219cb5e9
SHA256: 9905e86ec9acd294a2ffb88a79b598a8029ee6ff07d794411885ab102bbd647f
SHA512: 56da1be33c24ba20400aefc8127f75fcc139ef418868472c5fa195bae67a1009158c60160ecdfe0117544746a3be2319d0b79ce3be5a15e7ebd39b8ba2c02795
SSDEEP: 96:S5urVm8uw0GSYU6RYHKcFPtboynuYUL8PCtbOoX:42Vm8yPkIP1oynfUL8ebJ
Malware Config

Extracted
Family: phorphiex
http://185.215.113.66/
Signatures

Detect rhadamanthys stealer shellcode (3 IoCs)
  resource                                                                        yara_rule
  behavioral2/memory/3392-142-0x0000000002990000-0x00000000029AC000-memory.dmp    family_rhadamanthys
  behavioral2/memory/3392-143-0x0000000002BF0000-0x0000000003BF0000-memory.dmp    family_rhadamanthys
  behavioral2/memory/3392-145-0x0000000002990000-0x00000000029AC000-memory.dmp    family_rhadamanthys
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Windows security bypass
  description        ioc                                                                                              process
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"          sysagrsv.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"     sysagrsv.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"            sysagrsv.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"       sysagrsv.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"           sysagrsv.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"      sysagrsv.exe
Downloads MZ/PE file
-
Executes dropped EXE (3 IoCs)
  pid     process
  3220    1637826837.exe
  2068    sysagrsv.exe
  3392    2599729860.exe
Windows security modification
  description        ioc                                                                                              process
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"     sysagrsv.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"            sysagrsv.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"       sysagrsv.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"           sysagrsv.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"      sysagrsv.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"        sysagrsv.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"          sysagrsv.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description        ioc                                                                                                                    process
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysagrsv.exe"    1637826837.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid     process
  3392    2599729860.exe
  3392    2599729860.exe
  3392    2599729860.exe
Drops file in Windows directory (2 IoCs)
  description                     ioc                        process
  File opened for modification    C:\Windows\sysagrsv.exe    1637826837.exe
  File created                    C:\Windows\sysagrsv.exe    1637826837.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description          ioc                                                                                                                  process
  Key opened           \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000                   2599729860.exe
  Key value queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID        2599729860.exe
  Key opened           \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                                    2599729860.exe
  Key queried          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                                    2599729860.exe
  Key enumerated       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                                    2599729860.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                          pid     process
  Token: SeShutdownPrivilege           3392    2599729860.exe
  Token: SeCreatePagefilePrivilege     3392    2599729860.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid     process                                  target process
  PID 3936 wrote to memory of 3220   3936    036d8f6b86325c18fa71a7d922ec6ff3.exe     1637826837.exe
  PID 3936 wrote to memory of 3220   3936    036d8f6b86325c18fa71a7d922ec6ff3.exe     1637826837.exe
  PID 3936 wrote to memory of 3220   3936    036d8f6b86325c18fa71a7d922ec6ff3.exe     1637826837.exe
  PID 3220 wrote to memory of 2068   3220    1637826837.exe                           sysagrsv.exe
  PID 3220 wrote to memory of 2068   3220    1637826837.exe                           sysagrsv.exe
  PID 3220 wrote to memory of 2068   3220    1637826837.exe                           sysagrsv.exe
  PID 2068 wrote to memory of 3392   2068    sysagrsv.exe                             2599729860.exe
  PID 2068 wrote to memory of 3392   2068    sysagrsv.exe                             2599729860.exe
  PID 2068 wrote to memory of 3392   2068    sysagrsv.exe                             2599729860.exe
Processes

C:\Users\Admin\AppData\Local\Temp\036d8f6b86325c18fa71a7d922ec6ff3.exe  (PID 3936, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\036d8f6b86325c18fa71a7d922ec6ff3.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1637826837.exe  (PID 3220, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\1637826837.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\sysagrsv.exe  (PID 2068, depth 3)
      command line: C:\Windows\sysagrsv.exe
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\2599729860.exe  (PID 3392, depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\2599729860.exe
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks SCSI registry key(s)
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\1637826837.exe
  Filesize: 75KB
  MD5: 17eb719f9e19aefae9114aa922681e7f
  SHA1: a2165a6d3ff4dee62215bd489bbcc0aaa498e70a
  SHA256: e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70
  SHA512: 77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

C:\Users\Admin\AppData\Local\Temp\2599729860.exe
  Filesize: 179KB
  MD5: 5397f9cb7507b8a6e20bae247451c673
  SHA1: 4a3081cf46149f5d337908dc0390ae2a97144a74
  SHA256: aa87563289327498a603f4103d7ce9b76fa008426c404c6f4afa087326651e81
  SHA512: 0edb5c96bf77d0de7e75597c692cfa5764e7a85bd1dbda16ed9334139fd79711ca58df4644f0075947586357392ac9b8087f9058121e7a6e522390e3d7f9478d

C:\Windows\sysagrsv.exe  (same hashes as 1637826837.exe, i.e. the dropped copy)
  Filesize: 75KB
  MD5: 17eb719f9e19aefae9114aa922681e7f
  SHA1: a2165a6d3ff4dee62215bd489bbcc0aaa498e70a
  SHA256: e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70
  SHA512: 77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Memory dumps
  memory/2068-135-0x0000000000000000-mapping.dmp
  memory/3220-132-0x0000000000000000-mapping.dmp
  memory/3392-138-0x0000000000000000-mapping.dmp
  memory/3392-141-0x0000000000EA1000-0x0000000000EBB000-memory.dmp    Filesize: 104KB
  memory/3392-142-0x0000000002990000-0x00000000029AC000-memory.dmp    Filesize: 112KB
  memory/3392-143-0x0000000002BF0000-0x0000000003BF0000-memory.dmp    Filesize: 16.0MB
  memory/3392-144-0x0000000000EA1000-0x0000000000EBB000-memory.dmp    Filesize: 104KB
  memory/3392-145-0x0000000002990000-0x00000000029AC000-memory.dmp    Filesize: 112KB