Analysis
max time kernel: 53s
max time network: 56s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 16-03-2023 16:31
Static task: static1
Behavioral task: behavioral1
  Sample: 688774feec1cc9685acaece804dc7a26.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 688774feec1cc9685acaece804dc7a26.exe
  Resource: win10v2004-20230220-en
General
Target: 688774feec1cc9685acaece804dc7a26.exe
Size: 2.8MB
MD5: 688774feec1cc9685acaece804dc7a26
SHA1: 68afac92caeb49c2bb96970138738844aa7b8f99
SHA256: a54493e71a7f28fe61e607ba4c089ada71e13ff9e1df6cef5619a4163e2b0a1f
SHA512: 68467b861e163b4b0ff7477c3c780eb3141ae069e8145431798576a1da74347b0da6fa0a0ad19defc3e0d29bdfb29240bffa12ef2d1904697a6e52f965da041a
SSDEEP: 24576:oafQKgqtAyrUFdRZTbwcXE1Rw2qs9kpu2ny/v/LtGZsYjot0+iEzyLU/E5h8bV2:oNwcXFoaU/E5h8bKlsyKqiB8tFg
Malware Config
Signatures
-
Detect rhadamanthys stealer shellcode (4 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/564-74-0x0000000000140000-0x000000000015C000-memory.dmp  family_rhadamanthys
  behavioral1/memory/564-76-0x0000000000140000-0x000000000015C000-memory.dmp  family_rhadamanthys
  behavioral1/memory/564-78-0x0000000000140000-0x000000000015C000-memory.dmp  family_rhadamanthys
  behavioral1/memory/564-80-0x0000000000140000-0x000000000015C000-memory.dmp  family_rhadamanthys
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
  pid   process
  564   688774feec1cc9685acaece804dc7a26.exe
  564   688774feec1cc9685acaece804dc7a26.exe
  564   688774feec1cc9685acaece804dc7a26.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          pid   process                               target process
  PID 2032 set thread context of 564   2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  920   powershell.exe
  2032  688774feec1cc9685acaece804dc7a26.exe
  564   688774feec1cc9685acaece804dc7a26.exe
  564   688774feec1cc9685acaece804dc7a26.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   920   powershell.exe
  Token: SeDebugPrivilege   2032  688774feec1cc9685acaece804dc7a26.exe
Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
  description                        pid   process                               target process
  PID 2032 wrote to memory of 920    2032  688774feec1cc9685acaece804dc7a26.exe  powershell.exe
  PID 2032 wrote to memory of 920    2032  688774feec1cc9685acaece804dc7a26.exe  powershell.exe
  PID 2032 wrote to memory of 920    2032  688774feec1cc9685acaece804dc7a26.exe  powershell.exe
  PID 2032 wrote to memory of 920    2032  688774feec1cc9685acaece804dc7a26.exe  powershell.exe
  PID 2032 wrote to memory of 928    2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
  PID 2032 wrote to memory of 928    2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
  PID 2032 wrote to memory of 928    2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
  PID 2032 wrote to memory of 928    2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
  PID 2032 wrote to memory of 564    2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
  PID 2032 wrote to memory of 564    2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
  PID 2032 wrote to memory of 564    2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
  PID 2032 wrote to memory of 564    2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
  PID 2032 wrote to memory of 564    2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
  PID 2032 wrote to memory of 564    2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
  PID 2032 wrote to memory of 564    2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
  PID 2032 wrote to memory of 564    2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
  PID 2032 wrote to memory of 564    2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
  PID 2032 wrote to memory of 564    2032  688774feec1cc9685acaece804dc7a26.exe  688774feec1cc9685acaece804dc7a26.exe
  PID 564 wrote to memory of 1436    564   688774feec1cc9685acaece804dc7a26.exe  dllhost.exe
  PID 564 wrote to memory of 1436    564   688774feec1cc9685acaece804dc7a26.exe  dllhost.exe
  PID 564 wrote to memory of 1436    564   688774feec1cc9685acaece804dc7a26.exe  dllhost.exe
  PID 564 wrote to memory of 1436    564   688774feec1cc9685acaece804dc7a26.exe  dllhost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\688774feec1cc9685acaece804dc7a26.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\688774feec1cc9685acaece804dc7a26.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    (the -ENC argument is base64-encoded UTF-16LE and decodes to: start-sleep -seconds 20)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\688774feec1cc9685acaece804dc7a26.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\688774feec1cc9685acaece804dc7a26.exe
  C:\Users\Admin\AppData\Local\Temp\688774feec1cc9685acaece804dc7a26.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\688774feec1cc9685acaece804dc7a26.exe
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\dllhost.exe
      Command line: "C:\Windows\system32\dllhost.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  dump                                                        filesize
  memory/564-73-0x0000000000400000-0x0000000000432000-memory.dmp   200KB
  memory/564-74-0x0000000000140000-0x000000000015C000-memory.dmp   112KB
  memory/564-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp   4KB
  memory/564-66-0x0000000000400000-0x0000000000432000-memory.dmp   200KB
  memory/564-79-0x0000000000400000-0x0000000000432000-memory.dmp   200KB
  memory/564-78-0x0000000000140000-0x000000000015C000-memory.dmp   112KB
  memory/564-62-0x0000000000400000-0x0000000000432000-memory.dmp   200KB
  memory/564-64-0x0000000000400000-0x0000000000432000-memory.dmp   200KB
  memory/564-68-0x0000000000400000-0x0000000000432000-memory.dmp   200KB
  memory/564-65-0x0000000000400000-0x0000000000432000-memory.dmp   200KB
  memory/564-80-0x0000000000140000-0x000000000015C000-memory.dmp   112KB
  memory/564-76-0x0000000000140000-0x000000000015C000-memory.dmp   112KB
  memory/564-63-0x0000000000400000-0x0000000000432000-memory.dmp   200KB
  memory/564-70-0x0000000000400000-0x0000000000432000-memory.dmp   200KB
  memory/564-71-0x0000000000400000-0x0000000000432000-memory.dmp   200KB
  memory/564-75-0x0000000000170000-0x0000000000171000-memory.dmp   4KB
  memory/920-60-0x0000000002760000-0x00000000027A0000-memory.dmp   256KB
  memory/2032-55-0x0000000004D20000-0x0000000004E6A000-memory.dmp  1.3MB
  memory/2032-54-0x00000000011C0000-0x000000000148A000-memory.dmp  2.8MB
  memory/2032-56-0x0000000000C10000-0x0000000000CA2000-memory.dmp  584KB
  memory/2032-61-0x0000000004CE0000-0x0000000004D20000-memory.dmp  256KB
  memory/2032-57-0x0000000004CE0000-0x0000000004D20000-memory.dmp  256KB