Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-08-2023 02:56
Static task: static1
Behavioral task: behavioral1
- Sample: Project.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: Project.exe
- Resource: win10v2004-20230703-en
General
- Target: Project.exe
- Size: 1.5MB
- MD5: b5f6c8e7070b1ee1fc60579e148daf1b
- SHA1: e2a7cf6d9f8d52cd0a8b469b58c268226971ce46
- SHA256: 9a192de2a9b75fc4be67d9109678f47c8f26666e8aa9d70310d1d4960b202cf0
- SHA512: d95c3c9aabf43cae621f9ff69d3b46bfa9cc8eac5da2ba3387fdbfbd954e617a4009d58176a29f04ed38a94ad23f82f36593948ed3a17a62af1ec83b27e11c66
- SSDEEP: 24576:LE9kR+dwrLhSjOBGfE0wsEcBDm4YFnjycqQxjtGOPyIzjR47cNAlO:LEoi5wEBDmvnj/xE0yIJ/NAM
Malware Config
Extracted: redline
- Duc Chim To
- 37.220.87.42:42870
- auth_value: d9fe4a9a9a6e66623fb33c09b6303d5a
Extracted: rhadamanthys
- http://179.43.142.248/update/libssl.dll
Signatures
- Detect rhadamanthys stealer shellcode (5 IoCs)
  Processes (resource | yara_rule):
    behavioral2/memory/4684-24-0x0000000000D60000-0x0000000000E60000-memory.dmp | family_rhadamanthys
    behavioral2/memory/4684-25-0x0000000000CD0000-0x0000000000CEC000-memory.dmp | family_rhadamanthys
    behavioral2/memory/4684-27-0x0000000000CD0000-0x0000000000CEC000-memory.dmp | family_rhadamanthys
    behavioral2/memory/4684-29-0x00000000027F0000-0x00000000037F0000-memory.dmp | family_rhadamanthys
    behavioral2/memory/4684-30-0x0000000000CD0000-0x0000000000CEC000-memory.dmp | family_rhadamanthys
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
    PID 2892 created 2900 | 2892 | Project.exe | taskhostw.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    2892 | Project.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes (pid | process):
    4684 | fontview.exe (3 identical entries)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 2892 set thread context of 4524 | 2892 | Project.exe | ngentask.exe
- Program crash (2 IoCs)
  Processes (pid | pid_target | process | target process):
    4352 | 2892 | WerFault.exe | Project.exe
    1480 | 2892 | WerFault.exe | Project.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
    Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | fontview.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | fontview.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  Processes (pid | process):
    2892 | Project.exe (48 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeShutdownPrivilege | 4684 | fontview.exe
    Token: SeCreatePagefilePrivilege | 4684 | fontview.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 2892 wrote to memory of 4524 | 2892 | Project.exe | ngentask.exe (5 identical entries)
    PID 2892 wrote to memory of 4684 | 2892 | Project.exe | fontview.exe (4 identical entries)
Processes
- [depth 1] C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  - [depth 2] C:\Windows\SysWOW64\fontview.exe
    Command line: "C:\Windows\SYSWOW64\fontview.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Users\Admin\AppData\Local\Temp\Project.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Project.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  - [depth 2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 432
    - Program crash
  - [depth 2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 496
    - Program crash
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2892 -ip 2892
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2892 -ip 2892
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\240642093.dll
  Filesize: 334KB
  MD5: 60884dcd2970580729433008409b3e91
  SHA1: cd5db5a80a0ddd8c5643a5557ea2535767358748
  SHA256: 41d9a97a75187b5505a81efb9142722775a13a0b2c101d4372a2683195e210fa
  SHA512: 2c269f4ae1a7087fe3d9e02775423dbd01412b266f45485642f9d69a8b7ba7eb3c20595ce16f019c3cbe442d5e1bce4dce6cdc1c945127102b2088ed52664619
- memory/2892-1-0x0000000002FB0000-0x0000000003103000-memory.dmp (Filesize: 1.3MB)
- memory/2892-3-0x000000000E3D0000-0x000000000E50B000-memory.dmp (Filesize: 1.2MB)
- memory/2892-2-0x000000000E3D0000-0x000000000E50B000-memory.dmp (Filesize: 1.2MB)
- memory/2892-33-0x0000000002FB0000-0x0000000003103000-memory.dmp (Filesize: 1.3MB)
- memory/2892-20-0x000000000E3D0000-0x000000000E50B000-memory.dmp (Filesize: 1.2MB)
- memory/2892-19-0x0000000002FB0000-0x0000000003103000-memory.dmp (Filesize: 1.3MB)
- memory/2892-0-0x0000000002FB0000-0x0000000003103000-memory.dmp (Filesize: 1.3MB)
- memory/4524-17-0x00000000057B0000-0x00000000057C0000-memory.dmp (Filesize: 64KB)
- memory/4524-22-0x00000000057B0000-0x00000000057C0000-memory.dmp (Filesize: 64KB)
- memory/4524-15-0x0000000005750000-0x0000000005762000-memory.dmp (Filesize: 72KB)
- memory/4524-16-0x0000000005880000-0x000000000598A000-memory.dmp (Filesize: 1.0MB)
- memory/4524-12-0x0000000005D00000-0x0000000006318000-memory.dmp (Filesize: 6.1MB)
- memory/4524-18-0x00000000057C0000-0x00000000057FC000-memory.dmp (Filesize: 240KB)
- memory/4524-7-0x0000000073B10000-0x00000000742C0000-memory.dmp (Filesize: 7.7MB)
- memory/4524-6-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/4524-21-0x0000000073B10000-0x00000000742C0000-memory.dmp (Filesize: 7.7MB)
- memory/4524-4-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/4684-24-0x0000000000D60000-0x0000000000E60000-memory.dmp (Filesize: 1024KB)
- memory/4684-26-0x00000000009D0000-0x00000000009D2000-memory.dmp (Filesize: 8KB)
- memory/4684-25-0x0000000000CD0000-0x0000000000CEC000-memory.dmp (Filesize: 112KB)
- memory/4684-27-0x0000000000CD0000-0x0000000000CEC000-memory.dmp (Filesize: 112KB)
- memory/4684-29-0x00000000027F0000-0x00000000037F0000-memory.dmp (Filesize: 16.0MB)
- memory/4684-30-0x0000000000CD0000-0x0000000000CEC000-memory.dmp (Filesize: 112KB)
- memory/4684-31-0x0000000000790000-0x00000000007C3000-memory.dmp (Filesize: 204KB)
- memory/4684-13-0x0000000000790000-0x00000000007C3000-memory.dmp (Filesize: 204KB)