Analysis
max time kernel: 150s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/04/2023, 19:05
Static task: static1
Behavioral task: behavioral1
Sample: 888f3b4dc1ed18130baac862732ca69c8f5fced65364ae3a8fd8bb17ad075f06.exe
Resource: win10v2004-20230221-en
General
Target: 888f3b4dc1ed18130baac862732ca69c8f5fced65364ae3a8fd8bb17ad075f06.exe
Size: 351KB
MD5: 93fb71115e375a1c19ca65301b99c506
SHA1: 1259a740733e883f326fbc7036eeac3a484b1a99
SHA256: 888f3b4dc1ed18130baac862732ca69c8f5fced65364ae3a8fd8bb17ad075f06
SHA512: 148e8a37ef2c9638dfb90529551a041280456f19d1041ada32838ce0598ab897b8f1c7302ac2c4080971123d13b8c39f528077d8ee07cdada8d87e5877d3f3e0
SSDEEP: 3072:gBN5CK1YhPw+sIZexZiWmAcSYo2Nr07mza1eZ+P5Vq6shnq7nsOrfB5cF65l+OV9:kNKh4zIIaWAiK0zq6shqDhI4we4
Malware Config
Extracted
smokeloader
pub4
Extracted
smokeloader
2022
http://aapu.at/tmp/
http://poudineh.com/tmp/
http://firsttrusteedrx.ru/tmp/
http://kingpirate.ru/tmp/
Extracted
rhadamanthys
http://179.43.142.201/img/favicon.png
Signatures
Detect rhadamanthys stealer shellcode 5 IoCs
resource | yara_rule
behavioral1/memory/4088-151-0x0000000000880000-0x000000000089C000-memory.dmp | family_rhadamanthys
behavioral1/memory/4088-152-0x0000000000880000-0x000000000089C000-memory.dmp | family_rhadamanthys
behavioral1/memory/4088-154-0x0000000000880000-0x000000000089C000-memory.dmp | family_rhadamanthys
behavioral1/memory/4088-156-0x00000000008E0000-0x00000000008FA000-memory.dmp | family_rhadamanthys
behavioral1/memory/4088-161-0x0000000000880000-0x000000000089C000-memory.dmp | family_rhadamanthys
Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.
SmokeLoader
Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Executes dropped EXE 1 IoCs
pid | Process
4088 | ED72.exe
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
460 | 4088 | WerFault.exe | 90
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 888f3b4dc1ed18130baac862732ca69c8f5fced65364ae3a8fd8bb17ad075f06.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 888f3b4dc1ed18130baac862732ca69c8f5fced65364ae3a8fd8bb17ad075f06.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 888f3b4dc1ed18130baac862732ca69c8f5fced65364ae3a8fd8bb17ad075f06.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dllhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dllhost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1916 | 888f3b4dc1ed18130baac862732ca69c8f5fced65364ae3a8fd8bb17ad075f06.exe
1916 | 888f3b4dc1ed18130baac862732ca69c8f5fced65364ae3a8fd8bb17ad075f06.exe
3156 | Process not Found (this same entry is repeated for the remaining 62 IoCs)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3156 | Process not Found
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
1916 | 888f3b4dc1ed18130baac862732ca69c8f5fced65364ae3a8fd8bb17ad075f06.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3156 | Process not Found
Token: SeCreatePagefilePrivilege | 3156 | Process not Found
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 3156 wrote to memory of 4088 | 3156 | Process not Found | 90
PID 3156 wrote to memory of 4088 | 3156 | Process not Found | 90
PID 3156 wrote to memory of 4088 | 3156 | Process not Found | 90
PID 4088 wrote to memory of 2616 | 4088 | ED72.exe | 91
PID 4088 wrote to memory of 2616 | 4088 | ED72.exe | 91
PID 4088 wrote to memory of 2616 | 4088 | ED72.exe | 91
PID 4088 wrote to memory of 2616 | 4088 | ED72.exe | 91
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe
Processes (child processes are indented under their parent)
C:\Users\Admin\AppData\Local\Temp\888f3b4dc1ed18130baac862732ca69c8f5fced65364ae3a8fd8bb17ad075f06.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\888f3b4dc1ed18130baac862732ca69c8f5fced65364ae3a8fd8bb17ad075f06.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 1916
C:\Users\Admin\AppData\Local\Temp\ED72.exe
  command line: C:\Users\Admin\AppData\Local\Temp\ED72.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4088
    C:\Windows\system32\dllhost.exe
      command line: "C:\Windows\system32\dllhost.exe"
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - outlook_office_path
      - outlook_win_path
      PID: 2616
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 700
      - Program crash
      PID: 460
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4088 -ip 4088
  PID: 2812
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 424KB
MD5: 7f4ef4c6b2189d39edf1b8913487e7e8
SHA1: c0c0b4a1374d3725b52f1a1eb5a124dd7376203d
SHA256: 33016858dda6e636c7d3055af1a9249951fe38166435592c44d939578c4f6a3a
SHA512: 85009beb355246c534e2523516c0e90ef6cc9f6994901e9cb8ed9ec785bceec565e16e52033ca4e7a9e230b72f48347f51c7eaaf3d5bd9b094b6370e6c944ed3