Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
81s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
08/03/2023, 06:23
Static task
static1
Behavioral task
behavioral1
Sample
86e71fbd66e00b1c1780e28fbde092a78709b9da68a8eb2bbd4b86af446a3bb9.exe
Resource
win10v2004-20230220-en
General
-
Target
86e71fbd66e00b1c1780e28fbde092a78709b9da68a8eb2bbd4b86af446a3bb9.exe
-
Size
246KB
-
MD5
b239207d0838d757ff824c5cc6ddbf56
-
SHA1
c82e5841d586364b4a5adc539df76967042c7aec
-
SHA256
86e71fbd66e00b1c1780e28fbde092a78709b9da68a8eb2bbd4b86af446a3bb9
-
SHA512
fea2c54107f53aba33804a6b52b645390e414704772a270c0b84d1a0a17855c5b7347adafcd2494fa5c1ea46c30ba7e005b9f9008a7a1270f92cf827249142c3
-
SSDEEP
6144:HwWXyGlrmKGeji4bdW38JbTIoHJCG7nMq/hjK2j:HwaLlrmKGr4b+UckJCYt/hjVj
Malware Config
Signatures
-
Detect rhadamanthys stealer shellcode 3 IoCs
resource yara_rule behavioral1/memory/4768-136-0x0000000002110000-0x000000000212D000-memory.dmp family_rhadamanthys behavioral1/memory/4768-139-0x0000000002110000-0x000000000212D000-memory.dmp family_rhadamanthys behavioral1/memory/4768-148-0x0000000002110000-0x000000000212D000-memory.dmp family_rhadamanthys -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 33 4740 rundll32.exe -
Loads dropped DLL 1 IoCs
pid Process 4740 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid pid_target Process procid_target 4724 4768 WerFault.exe 79 3912 4740 WerFault.exe 82 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4740 rundll32.exe 4740 rundll32.exe 4740 rundll32.exe 4740 rundll32.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4768 wrote to memory of 4740 4768 86e71fbd66e00b1c1780e28fbde092a78709b9da68a8eb2bbd4b86af446a3bb9.exe 82 PID 4768 wrote to memory of 4740 4768 86e71fbd66e00b1c1780e28fbde092a78709b9da68a8eb2bbd4b86af446a3bb9.exe 82 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook rundll32.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\86e71fbd66e00b1c1780e28fbde092a78709b9da68a8eb2bbd4b86af446a3bb9.exe"C:\Users\Admin\AppData\Local\Temp\86e71fbd66e00b1c1780e28fbde092a78709b9da68a8eb2bbd4b86af446a3bb9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\system32\rundll32.exe"C:\Users\Admin\AppData\Roaming\nsis_unse567053.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8DD|AHoAYwBqAHC6PQBBQQJTAEw7ADT8FwAtAVlIg+wo6P8EAgAASIPEKP|DzMzMTIlEJP8YSIlUJBBIifdMJAhdAUiLRCTfMEiJBCSBAThIfm8ACEjHRCQQLQH76w6BARBIg8ABuo8BEIEBQEg5lgBz|SWfA4sMJEgDyL9Ii8FIi0yrAVT+ewAD0UiLyooJ74gI68FmBWVIi|cEJWDz8DPJSIv|UBhIO9F0Nkj|g8IgSIsCSDv|wnQqZoN4SBj|dRpMi0BQZkHfgzhrdAcREUt1|QgREHgQLnQFSH+LAOvVSItI|QD9wWoAQFNVVldBf1RBVUFWQVddAf9mgTlNWk2L+P9Mi|JIi9kPhf388|BMY0k8QYH|PAlQRQAAD4V96vPwQYuECYjz8P+FwEiNPAEPhL3WahGDvAmMLQEP+4TH8|BEi2cgRP+LXxyLdyREi|9PGEwD4UwD2f9IA|EzyUWFyfcPhKTz8E2LxEH|ixBFM9JIA9P|igKEwHQdQcHfyg0PvsD6AAFE+wPQvxF17EGB+v+q|A18dA6Dwf8BSYPABEE7yf9zaevGi8EPt|8MTkWLLItMA9|rdFgz7aoQdFH3QYsUwQDTM8mK|wJMi8LrD8HJ9sgRA8jlEAFBigD+1RDtM8Az9kE78wy24BCmAIPGAYP|+Ahy7usKSIv|y0H|1UmJBPf7g8XkEMQEO28Y+3KvZgFBX0FeQX9dQVxfXl1bMxffSIHsYAFkAIvp|+hm|v||SIXAtw+EmHUgTI2vAYu+KxDIM||om30gjf9fBEyNRUYz0r+Ly|9UJGiAIExfi+APhGt1IEWoEO8zwIvTkSBIiXzrJCCmIHCAIEiL8OcPhEt1IKYgUEiN|1YIRI1HQEiN+4wkhRFIi9jofF39fiCNVkjeIBDiIe3M8|DoZ+8gRIsGp41XCEEgpiBYyiGJ14QkgIcS3vPwiw4e2iBYiYwkcREHMJEg2+gx7yCLnC0yTIt|XTpIg|tsSIog|zBMiWQkOEyL3aQaMkyJXIQBhCRt3IcRhpKNEY1HSzD3jCTw8|BJi9To2+n8BTCKnHgySI39hHgyQYDzIY1P72xEMBikAoPpAe9184G8eDIhUmV|eHVNi4Qk9CIx95Qk+DUBwkg72P9yOIP6bHYzRPeNSUD6AJRBuAD0mACmIEDKIvh0GUR8tjDAMUmNVCRskSC|SYPobOhrgjBI+4vOpiB4SIX|dJ8Si1VCTI4wGzFI|41MJED|10iBAcR0IWEkLQgtAQ==2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:4740 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4740 -s 5243⤵
- Program crash
PID:3912
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 6962⤵
- Program crash
PID:4724
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4768 -ip 47681⤵PID:4760
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 428 -p 4740 -ip 47401⤵PID:2416
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
49KB
MD5832890fded186835970d1d3302590138
SHA15385703e9dcde43e60928b2e9c941b7232468a6a
SHA256438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576
SHA5125cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1
-
Filesize
49KB
MD5832890fded186835970d1d3302590138
SHA15385703e9dcde43e60928b2e9c941b7232468a6a
SHA256438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576
SHA5125cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1