Analysis
- max time kernel: 50s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 18-06-2023 11:02
Static task: static1
Behavioral task: behavioral1
- Sample: b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe
- Resource: win10v2004-20230220-en
General
- Target: b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe
- Size: 446KB
- MD5: 82753bed041d05b32e560a5f6e96e560
- SHA1: 66f82f505e50c9a63328bab4dfb2aaa6fe5dc1e8
- SHA256: b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595
- SHA512: dbea9ce63a9e3186f92074db7b4e6a855f1b2673e1e4e1efbe0f72a88414234633ab4f7903c1ce25e266130dfa28c34701f6d8407909e50dbb1c8c41b2ff89a9
- SSDEEP: 12288:XXNYUuRiQi9eh4q/T4Yu9aXvWmMQszY+/CJW:XdUVi9ER/3Xvtnscpk
Malware Config
Signatures
- Detect rhadamanthys stealer shellcode (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2000-57-0x0000000001EC0000-0x00000000022C0000-memory.dmp | family_rhadamanthys
  behavioral1/memory/2000-58-0x0000000001EC0000-0x00000000022C0000-memory.dmp | family_rhadamanthys
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2000 created 1272 | 2000 | b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe | Explorer.EXE
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1488 | certreq.exe
- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  pid | process
  2000 | b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe
  2000 | b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe
  2000 | b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe
  2000 | b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe
  1488 | certreq.exe
  1488 | certreq.exe
  1488 | certreq.exe
  1488 | certreq.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 2000 wrote to memory of 1488 | 2000 | b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe | certreq.exe
  PID 2000 wrote to memory of 1488 | 2000 | b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe | certreq.exe
  PID 2000 wrote to memory of 1488 | 2000 | b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe | certreq.exe
  PID 2000 wrote to memory of 1488 | 2000 | b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe | certreq.exe
  PID 2000 wrote to memory of 1488 | 2000 | b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe | certreq.exe
  PID 2000 wrote to memory of 1488 | 2000 | b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe | certreq.exe
- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe"
    Signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\certreq.exe
    Command line: "C:\Windows\system32\certreq.exe"
    Signatures:
    - Deletes itself
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory dump | size
memory/1488-71-0x00000000001A0000-0x00000000001A7000-memory.dmp | 28KB
memory/1488-79-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp | 1.2MB
memory/1488-72-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp | 1.2MB
memory/1488-82-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp | 1.2MB
memory/1488-81-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp | 1.2MB
memory/1488-60-0x00000000000E0000-0x00000000000E3000-memory.dmp | 12KB
memory/1488-80-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp | 1.2MB
memory/1488-75-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp | 1.2MB
memory/1488-73-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp | 1.2MB
memory/1488-70-0x00000000000E0000-0x00000000000E3000-memory.dmp | 12KB
memory/1488-83-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp | 1.2MB
memory/1488-78-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp | 1.2MB
memory/1488-76-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp | 1.2MB
memory/1488-74-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp | 1.2MB
memory/2000-61-0x00000000008C0000-0x00000000008F6000-memory.dmp | 216KB
memory/2000-69-0x0000000000400000-0x00000000004E1000-memory.dmp | 900KB
memory/2000-57-0x0000000001EC0000-0x00000000022C0000-memory.dmp | 4.0MB
memory/2000-67-0x00000000008C0000-0x00000000008F6000-memory.dmp | 216KB
memory/2000-56-0x00000000002B0000-0x00000000002B7000-memory.dmp | 28KB
memory/2000-59-0x0000000000400000-0x00000000004E1000-memory.dmp | 900KB
memory/2000-58-0x0000000001EC0000-0x00000000022C0000-memory.dmp | 4.0MB
memory/2000-55-0x0000000000220000-0x0000000000291000-memory.dmp | 452KB