Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-08-2023 05:17

General

  • Target

    tmp.exe

  • Size

    456KB

  • MD5

    5c805d4466345b26b820ff887eab561a

  • SHA1

    478d40e07351d59b7854c9b4140b3592ff19c841

  • SHA256

    112f7af149d6833b954c301582d2b3178833724a12e86b0162a69000192cbff2

  • SHA512

    d3656925bb6c1776f6b8ca5592d527e4f77d5ade621c715bed5042ac4a2e1a9344febb73eb927b7fb1ba4511488da1062e01c470326bf28e0a4d671b830f3502

  • SSDEEP

    12288:ItjtEVJvfW1kGh0ZbIfl6dtcj4BtRt6D2cehTAI:I7EV4io5jet5fhMI

Malware Config

Extracted

  • Family
    systembc
  • C2
    discordcdn8839248.com:4327
    chinabar821994.com:4327

Signatures

  • Detect rhadamanthys stealer shellcode (5 IoCs)
  • Rhadamanthys
    Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  • Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  • SystemBC
    SystemBC is a proxy and remote administration tool first seen in 2019.
  • Executes dropped EXE (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Program crash (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:3140
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 948
        • Program crash
        PID:2368
    • C:\Windows\system32\certreq.exe
      "C:\Windows\system32\certreq.exe"
      • Suspicious behavior: EnumeratesProcesses
      PID:3900
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3556 -ip 3556
    PID:4172
  • C:\Users\Admin\AppData\Local\Microsoft\YFd.exe
    "C:\Users\Admin\AppData\Local\Microsoft\YFd.exe"
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID:1572
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 308
      • Program crash
      PID:3704
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4772 -ip 4772
    PID:2792

Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\YFd.exe

            Filesize

            961KB

            MD5

            648e1bf1672068d725a9b8434627947e

            SHA1

            c21e0bd251e33d4464fdd376ae46fe4f01c533cf

            SHA256

            4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2

            SHA512

            c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725

          • memory/1572-189-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

          • memory/1572-182-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

          • memory/1572-188-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

          • memory/3556-148-0x00000000038F0000-0x0000000003CF0000-memory.dmp

            Filesize

            4.0MB

          • memory/3556-150-0x0000000004670000-0x00000000046A6000-memory.dmp

            Filesize

            216KB

          • memory/3556-145-0x00000000038F0000-0x0000000003CF0000-memory.dmp

            Filesize

            4.0MB

          • memory/3556-146-0x00000000038F0000-0x0000000003CF0000-memory.dmp

            Filesize

            4.0MB

          • memory/3556-147-0x00000000038F0000-0x0000000003CF0000-memory.dmp

            Filesize

            4.0MB

          • memory/3556-133-0x0000000003530000-0x0000000003579000-memory.dmp

            Filesize

            292KB

          • memory/3556-138-0x0000000003580000-0x00000000035F0000-memory.dmp

            Filesize

            448KB

          • memory/3556-144-0x00000000001D0000-0x00000000001D7000-memory.dmp

            Filesize

            28KB

          • memory/3556-157-0x00000000038F0000-0x0000000003CF0000-memory.dmp

            Filesize

            4.0MB

          • memory/3556-156-0x0000000004670000-0x00000000046A6000-memory.dmp

            Filesize

            216KB

          • memory/3556-158-0x0000000000400000-0x00000000018F0000-memory.dmp

            Filesize

            20.9MB

          • memory/3556-137-0x0000000003530000-0x0000000003579000-memory.dmp

            Filesize

            292KB

          • memory/3556-136-0x0000000000400000-0x00000000018F0000-memory.dmp

            Filesize

            20.9MB

          • memory/3556-135-0x0000000000400000-0x00000000018F0000-memory.dmp

            Filesize

            20.9MB

          • memory/3556-134-0x0000000003580000-0x00000000035F0000-memory.dmp

            Filesize

            448KB

          • memory/3900-163-0x00007FF4D3120000-0x00007FF4D324F000-memory.dmp

            Filesize

            1.2MB

          • memory/3900-176-0x00007FF8B7FD0000-0x00007FF8B81C5000-memory.dmp

            Filesize

            2.0MB

          • memory/3900-165-0x00007FF4D3120000-0x00007FF4D324F000-memory.dmp

            Filesize

            1.2MB

          • memory/3900-167-0x00007FF4D3120000-0x00007FF4D324F000-memory.dmp

            Filesize

            1.2MB

          • memory/3900-169-0x00007FF4D3120000-0x00007FF4D324F000-memory.dmp

            Filesize

            1.2MB

          • memory/3900-170-0x00007FF4D3120000-0x00007FF4D324F000-memory.dmp

            Filesize

            1.2MB

          • memory/3900-171-0x00007FF4D3120000-0x00007FF4D324F000-memory.dmp

            Filesize

            1.2MB

          • memory/3900-172-0x00007FF8B7FD0000-0x00007FF8B81C5000-memory.dmp

            Filesize

            2.0MB

          • memory/3900-173-0x00007FF4D3120000-0x00007FF4D324F000-memory.dmp

            Filesize

            1.2MB

          • memory/3900-174-0x00007FF4D3120000-0x00007FF4D324F000-memory.dmp

            Filesize

            1.2MB

          • memory/3900-175-0x00007FF4D3120000-0x00007FF4D324F000-memory.dmp

            Filesize

            1.2MB

          • memory/3900-164-0x00007FF4D3120000-0x00007FF4D324F000-memory.dmp

            Filesize

            1.2MB

          • memory/3900-162-0x00007FF4D3120000-0x00007FF4D324F000-memory.dmp

            Filesize

            1.2MB

          • memory/3900-161-0x00007FF4D3120000-0x00007FF4D324F000-memory.dmp

            Filesize

            1.2MB

          • memory/3900-192-0x00007FF8B7FD0000-0x00007FF8B81C5000-memory.dmp

            Filesize

            2.0MB

          • memory/3900-191-0x0000016C61020000-0x0000016C61025000-memory.dmp

            Filesize

            20KB

          • memory/3900-160-0x0000016C61020000-0x0000016C61027000-memory.dmp

            Filesize

            28KB

          • memory/3900-159-0x0000016C60D80000-0x0000016C60D83000-memory.dmp

            Filesize

            12KB

          • memory/3900-149-0x0000016C60D80000-0x0000016C60D83000-memory.dmp

            Filesize

            12KB

          • memory/4772-190-0x00000000008F0000-0x0000000000A33000-memory.dmp

            Filesize

            1.3MB

          • memory/4772-181-0x00000000008F0000-0x0000000000A33000-memory.dmp

            Filesize

            1.3MB

          • memory/4772-180-0x00000000008F0000-0x0000000000A33000-memory.dmp

            Filesize

            1.3MB