Analysis Overview
SHA256
a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426
Threat Level: Known bad
The file a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426 was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
SmokeLoader
Detect rhadamanthys stealer shellcode
Downloads MZ/PE file
Executes dropped EXE
Accesses Microsoft Outlook profiles
Program crash
outlook_win_path
Checks SCSI registry key(s)
outlook_office_path
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-15 04:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-15 04:25
Reported
2023-04-15 04:27
Platform
win10v2004-20230221-en
Max time kernel
152s
Max time network
153s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Rhadamanthys
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2049.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2049.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\dllhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3244 wrote to memory of 832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2049.exe |
| PID 832 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\2049.exe | C:\Windows\system32\dllhost.exe |
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe
"C:\Users\Admin\AppData\Local\Temp\a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe"
C:\Users\Admin\AppData\Local\Temp\2049.exe
C:\Users\Admin\AppData\Local\Temp\2049.exe
C:\Windows\system32\dllhost.exe
"C:\Windows\system32\dllhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 832 -ip 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 732
Network
Files
C:\Users\Admin\AppData\Local\Temp\2049.exe
| MD5 | cb2ba6d4940dc8abede20595ac94b3ea |
| SHA1 | dbbc0e0723d92f12dce9a724624c36b40c545f0d |
| SHA256 | cbcfd42a6ec669bf0f770a837ea751aa342b21256c6186e19d9931d47ca1ffef |
| SHA512 | 02702f91de518d5f318d01aba51faeac99bc4e94e7edf3dd978a55724eed24b12510c450860ef2b6610b648bbbc9741f97501814aa2861af44f80bf994a735b2 |