Analysis Overview
SHA256
306839eeb37080b5d6e7d32ab0b261995877e9d143e91d1d1e06cdf636bcea28
Threat Level: Known bad
The file SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
SmokeLoader
Detect rhadamanthys stealer shellcode
Downloads MZ/PE file
Executes dropped EXE
Accesses Microsoft Outlook profiles
Program crash
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
outlook_win_path
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-15 03:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-15 03:27
Reported
2023-04-15 03:29
Platform
win7-20230220-en
Max time kernel
150s
Max time network
33s
Command Line
Signatures
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe"
Network
Files
memory/1364-55-0x00000000002A0000-0x00000000002A9000-memory.dmp
memory/1364-57-0x0000000000400000-0x00000000007FC000-memory.dmp
memory/1232-56-0x0000000001C50000-0x0000000001C66000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-15 03:27
Reported
2023-04-15 03:29
Platform
win10v2004-20230221-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2EEF.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2EEF.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\dllhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3128 wrote to memory of 2536 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2EEF.exe |
| PID 3128 wrote to memory of 2536 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2EEF.exe |
| PID 3128 wrote to memory of 2536 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2EEF.exe |
| PID 2536 wrote to memory of 4696 | N/A | C:\Users\Admin\AppData\Local\Temp\2EEF.exe | C:\Windows\system32\dllhost.exe |
| PID 2536 wrote to memory of 4696 | N/A | C:\Users\Admin\AppData\Local\Temp\2EEF.exe | C:\Windows\system32\dllhost.exe |
| PID 2536 wrote to memory of 4696 | N/A | C:\Users\Admin\AppData\Local\Temp\2EEF.exe | C:\Windows\system32\dllhost.exe |
| PID 2536 wrote to memory of 4696 | N/A | C:\Users\Admin\AppData\Local\Temp\2EEF.exe | C:\Windows\system32\dllhost.exe |
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe"
C:\Users\Admin\AppData\Local\Temp\2EEF.exe
C:\Users\Admin\AppData\Local\Temp\2EEF.exe
C:\Windows\system32\dllhost.exe
"C:\Windows\system32\dllhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2536 -ip 2536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 696
Network
Files
memory/1456-134-0x0000000000950000-0x0000000000959000-memory.dmp
memory/3128-135-0x0000000000430000-0x0000000000446000-memory.dmp
memory/1456-136-0x0000000000400000-0x00000000007FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2EEF.exe
| MD5 | 125d1cf1adccdd7c0e0058f02d7dcfc4 |
| SHA1 | 31ae25eb8cc617c94335773eb0261614554d9e19 |
| SHA256 | a499e4d7f71cb83c442b02f45dc986a42c6fef18ffc0efb9a54287671e063cc2 |
| SHA512 | e9e0b496e8ae722c58952dae5dc3f0942b1b87f2792741c05106792ae9249a44b6689560cf1e8cb87bb32ac26a375aa6f249643c0093e4d205ddd733da02d601 |