Analysis
max time kernel: 144s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2023, 12:39
Static task: static1
Behavioral task: behavioral1
  Sample: e56cbf4cd824b44a3917c63d492c768e.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: e56cbf4cd824b44a3917c63d492c768e.exe
  Resource: win10v2004-20230220-en
The analysis metadata, signatures and process tree on this page come from behavioral2 (the Windows 10 run); the memory-dump IoCs below are all prefixed behavioral2/.
General
Target: e56cbf4cd824b44a3917c63d492c768e.exe
Size: 315KB
MD5: e56cbf4cd824b44a3917c63d492c768e
SHA1: f29b7e77d3a5f72f9be167b6f80f002a202d181d
SHA256: 996ae2564d05f89a89a93ea723c94e3ea978386acdc085fe6c2e49252625c3be
SHA512: 5f2ef29f17b1bd124587fc8873a9f56714db893832b3ea202da548210419fa50625da154d72993f405bd04d10ce8d407da5ee78a43f6654d4fb21b1d42e7e226
SSDEEP: 6144:BPPVsutvu1Umc9W9zLsB3jgW+/v8LNa10+6RuZtkjt:BnVsuNu1Bc9Y3cTB+/v8ha1xSuGt
Malware Config
(empty: no configuration was extracted for this task)
Signatures

Detect rhadamanthys stealer shellcode (4 IoCs)
resource | yara_rule
behavioral2/memory/2480-138-0x00000000025A0000-0x00000000025BC000-memory.dmp | family_rhadamanthys
behavioral2/memory/2480-140-0x00000000025A0000-0x00000000025BC000-memory.dmp | family_rhadamanthys
behavioral2/memory/2480-143-0x00000000025A0000-0x00000000025BC000-memory.dmp | family_rhadamanthys
behavioral2/memory/2480-149-0x00000000025A0000-0x00000000025BC000-memory.dmp | family_rhadamanthys
All four hits are successive dumps of the same 0x1C000-byte (114,688-byte) region at 0x25A0000-0x25BC000 inside the sample's own process (PID 2480). The rule fired on memory, not on the file on disk, which is consistent with stealer code that is unpacked at runtime.

Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe
The sweep across Office 10.0 through 16.0 plus the legacy Windows Messaging Subsystem path is how a stealer locates stored Outlook account settings and credentials without knowing which Office version is installed. Note that the requests come from dllhost.exe (PID 4556), not from the original sample: dllhost.exe is the process the sample wrote into (see the WriteProcessMemory signature below), so the stealer logic runs from inside a signed Windows binary.

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid | Process
2480 | e56cbf4cd824b44a3917c63d492c768e.exe (3 identical entries)
NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from delivering debug events to an attached debugger, so breakpoints and single-stepping in that thread silently fail. It is a common anti-analysis step and, in a debugger, is usually handled by hooking the call or patching the class value.

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2352 | 2480 | WerFault.exe | 82
WerFault.exe was launched for PID 2480, i.e. the original sample process crashed after it had already injected into dllhost.exe. The stealer activity attributed to dllhost.exe continues regardless.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments (virtualised CPUs expose hypervisor-specific ProcessorNameString values).
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dllhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dllhost.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2480 | e56cbf4cd824b44a3917c63d492c768e.exe (2 identical entries)
4556 | dllhost.exe (4 identical entries)

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2480 wrote to memory of 4556 | 2480 | e56cbf4cd824b44a3917c63d492c768e.exe | 87 (4 identical entries)

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe
Processes

C:\Users\Admin\AppData\Local\Temp\e56cbf4cd824b44a3917c63d492c768e.exe (PID 2480)
  command line: "C:\Users\Admin\AppData\Local\Temp\e56cbf4cd824b44a3917c63d492c768e.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\dllhost.exe (PID 4556, child of 2480)
    command line: "C:\Windows\system32\dllhost.exe"
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - outlook_office_path
    - outlook_win_path

  C:\Windows\SysWOW64\WerFault.exe (PID 2352, child of 2480)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 700
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 5092)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2480 -ip 2480

Two details of this tree are worth a hunting rule on their own. dllhost.exe is started with no arguments by an executable in the user's Temp directory; a legitimate COM surrogate is started by svchost.exe (DcomLaunch) and carries a /Processid:{GUID} argument. And the WerFault.exe instances under SysWOW64 show that the crashed sample is a 32-bit process, matching the arch:x86 resource tag.
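The two behaviours this report ties together, a Temp-directory executable spawning and writing into dllhost.exe, and that dllhost.exe then sweeping Outlook profile keys and the CPU name, can be correlated from ordinary endpoint telemetry. The following is an added example of that correlation, not code from tria.ge or from the sample. It runs over constructed Sysmon-style events modelled on the process tree and registry IoCs above (the event shape, PIDs 1188 and 812 for the unknown parents, and the benign control PID 5000 are assumptions); the thresholds and regexes are the author's own.

```python
import re
from collections import defaultdict

# Constructed events in a Sysmon-like shape, modelled on this report's process
# tree and registry IoCs. They are not the sandbox's raw log. PID 5000 is a
# benign control: dllhost.exe started by another pid that touches one Office key.
SID = r"S-1-5-21-4238149048-355649189-894321705-1000"
EVENTS = [
    {"type": "process_create", "pid": 2480, "ppid": 1188,
     "image": r"C:\Users\Admin\AppData\Local\Temp\e56cbf4cd824b44a3917c63d492c768e.exe"},
    {"type": "process_create", "pid": 4556, "ppid": 2480,
     "image": r"C:\Windows\system32\dllhost.exe"},
    {"type": "process_access", "pid": 2480, "target_pid": 4556, "call": "WriteProcessMemory"},
] + [
    {"type": "registry_open", "pid": 4556,
     "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\{v}\Outlook\Profiles\Outlook"}
    for v in ("10.0", "11.0", "12.0", "15.0", "16.0")
] + [
    {"type": "registry_open", "pid": 4556,
     "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
    {"type": "registry_open", "pid": 4556,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"type": "process_create", "pid": 5000, "ppid": 812, "image": r"C:\Windows\system32\dllhost.exe"},
    {"type": "registry_open", "pid": 5000,
     "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
]

# Author's patterns: user-writable staging dirs, the Windows system dirs, and the
# three registry paths the report lists.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(AppData|Downloads)\\", re.I)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.I)
OFFICE_PROFILE = re.compile(r"\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Profiles\\", re.I)
WIN_MESSAGING = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I)
CPU_INFO = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I)


def process_images(events):
    """Map pid -> image path from process_create events."""
    return {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}


def find_injections(events):
    """(injector, target) pairs where a user-writable-dir process spawned a
    Windows system binary and then wrote into its memory."""
    images = process_images(events)
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    hits = set()
    for e in events:
        if e["type"] != "process_access" or e["call"] != "WriteProcessMemory":
            continue
        src, dst = e["pid"], e["target_pid"]
        if (USER_WRITABLE.search(images.get(src, "")) and SYSTEM_DIR.search(images.get(dst, ""))
                and parents.get(dst) == src):
            hits.add((src, dst))
    return sorted(hits)


def find_mail_profile_enumeration(events, min_versions=3):
    """pids that sweep Outlook profile keys across several Office versions, or
    touch the legacy MAPI profile path; also records the CPU-name probe."""
    versions, mapi, cpu = defaultdict(set), set(), set()
    for e in events:
        if e["type"] != "registry_open":
            continue
        m = OFFICE_PROFILE.search(e["key"])
        if m:
            versions[e["pid"]].add(m.group(1))
        if WIN_MESSAGING.search(e["key"]):
            mapi.add(e["pid"])
        if CPU_INFO.search(e["key"]):
            cpu.add(e["pid"])
    return {
        pid: {"office_versions": sorted(versions[pid]),
              "mapi_profiles": pid in mapi, "cpu_probe": pid in cpu}
        for pid in set(versions) | mapi
        if len(versions[pid]) >= min_versions or pid in mapi
    }


def correlate(events):
    """One alert per injection target that then behaves like a mail stealer."""
    enum = find_mail_profile_enumeration(events)
    images = process_images(events)
    return [{"injector": src, "target": dst, "target_image": images[dst], **enum[dst]}
            for src, dst in find_injections(events) if dst in enum]


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The version threshold (three or more Office versions, or any hit on the Windows Messaging Subsystem path) is what separates a sweep from a single legitimate profile lookup: Outlook itself opens only the key for the version actually installed, whereas the report shows dllhost.exe opening five. The benign control (PID 5000) opens one key and has no injection parent, so it produces no alert.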