Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/04/2023, 08:25
Static task: static1
Behavioral task: behavioral1
- Sample: 7f29efcd1a7a9cccf480d76f4f21c797bfc9924593a95d51ac88253f95173305.exe
- Resource: win10v2004-20230221-en
General
- Target: 7f29efcd1a7a9cccf480d76f4f21c797bfc9924593a95d51ac88253f95173305.exe
- Size: 351KB
- MD5: 078c0fbc4b1994d09144646f158f3467
- SHA1: b57027461040bc08e1e8d0f580cc1f9511027049
- SHA256: 7f29efcd1a7a9cccf480d76f4f21c797bfc9924593a95d51ac88253f95173305
- SHA512: 55fea4f83f0c4f4718a8686ec61b9337272cf7afcd9246da31166dd89a0f729be0a3d798689776d3cad97486bc6d1f4322a5e1663f0b307dc216c37c71f62f67
- SSDEEP: 3072:OWC7ygb/zm4/QVsN0CDxgUsaQNcXBdZDaIJLbu2rUtIfW7bzqr/5nq/i72Sv6dN:hYxmM6sNBbsaVJsAJmzqdx7Ti
Malware Config
- Extracted: smokeloader
  pub4
- Extracted: smokeloader
  2022
  C2: http://aapu.at/tmp/
  C2: http://poudineh.com/tmp/
  C2: http://firsttrusteedrx.ru/tmp/
  C2: http://kingpirate.ru/tmp/
- Extracted: rhadamanthys
  C2: http://179.43.142.201/img/favicon.png
Signatures
- Detect rhadamanthys stealer shellcode (4 IoCs)
  yara_rule family_rhadamanthys matched the following resources:
  behavioral1/memory/1192-151-0x0000000002430000-0x000000000244C000-memory.dmp
  behavioral1/memory/1192-152-0x0000000002430000-0x000000000244C000-memory.dmp
  behavioral1/memory/1192-154-0x0000000002430000-0x000000000244C000-memory.dmp
  behavioral1/memory/1192-161-0x0000000002430000-0x000000000244C000-memory.dmp
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid 1192, process 947.exe
- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  Keys opened by dllhost.exe:
  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook
  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook
  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook
  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
- Program crash (1 IoC)
  pid 4916 (WerFault.exe), pid_target 1192, procid_target 91
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 7f29efcd1a7a9cccf480d76f4f21c797bfc9924593a95d51ac88253f95173305.exe
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 7f29efcd1a7a9cccf480d76f4f21c797bfc9924593a95d51ac88253f95173305.exe
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 7f29efcd1a7a9cccf480d76f4f21c797bfc9924593a95d51ac88253f95173305.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by dllhost.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by dllhost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3980, 7f29efcd1a7a9cccf480d76f4f21c797bfc9924593a95d51ac88253f95173305.exe (2 entries)
  pid 3144, Process not Found (62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3144, Process not Found
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 3980, 7f29efcd1a7a9cccf480d76f4f21c797bfc9924593a95d51ac88253f95173305.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeShutdownPrivilege, pid 3144, Process not Found
  Token: SeCreatePagefilePrivilege, pid 3144, Process not Found
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 3144 (Process not Found) wrote to memory of 1192, procid_target 91 (3 entries)
  PID 1192 (947.exe) wrote to memory of 1992, procid_target 92 (4 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook by dllhost.exe
- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook by dllhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7f29efcd1a7a9cccf480d76f4f21c797bfc9924593a95d51ac88253f95173305.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f29efcd1a7a9cccf480d76f4f21c797bfc9924593a95d51ac88253f95173305.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 3980
- C:\Users\Admin\AppData\Local\Temp\947.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\947.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1192
  - C:\Windows\system32\dllhost.exe (child of PID 1192)
    Command line: "C:\Windows\system32\dllhost.exe"
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - outlook_office_path
    - outlook_win_path
    PID: 1992
  - C:\Windows\SysWOW64\WerFault.exe (child of PID 1192)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 728
    - Program crash
    PID: 4916
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1192 -ip 1192
  PID: 4656
Downloads
- Filesize: 423KB
  MD5: 120c493eeda8a8931652a907a54ff802
  SHA1: 0b32770a174a9818a22b9814d1216543db333e94
  SHA256: 6b0376a00944cceb5ae6d7810efa856d4ab7679c921d4838111fba01a8a2d589
  SHA512: e7ca9dd482b0221031155e47a4bec4a2990222fa11284b50b1d6d6db26c1bc60000cb801dcd1036d28a0f3fb15819bf75a0042834901e76e1663435e0fe009e1