Overview

overview

10

Static

static

3

wininstal.exe

windows7-x64

7

wininstal.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-09-2023 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wininstal.exe

  • Size

    607KB

  • MD5

    dd81fe6d37b5200c80eccb98bc8b91d9

  • SHA1

    55371613874ea2109b6fc42f929e15f8544cb532

  • SHA256

    7d5455411512b3e4fa266722bc5bfd18d73b84edf984543f12b40bfc274a70c7

  • SHA512

    fc2525ec43c03ab7f2c9dfed92f18ec58ef79e962bc2089da90bc565d5d8d8564d9bf4d545c26fdb271c5b88d5ba47c73225f37f49ca1ffff17d427361aefb4a

  • SSDEEP

    12288:bisrBllxd6M2YYKZ7UcxrGJnFdz87yrqE3Wopb7z1fbJBRi1rMM17o4:bdNllr6MWKZ7Uc0JnLpqED7z1frw1MMB

Score
10/10
rhadamanthyscollectionpersistencestealer

Malware Config

Signatures

  • Detect rhadamanthys stealer shellcode 6 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3172
      • C:\Users\Admin\AppData\Local\Temp\wininstal.exe
        "C:\Users\Admin\AppData\Local\Temp\wininstal.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4628
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3836
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1856
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintaiin.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintaiin.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2160
      • C:\Windows\system32\certreq.exe
        "C:\Windows\system32\certreq.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • outlook_office_path
        • outlook_win_path
        PID:1072

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintaiin.exe
      Filesize

      703KB

      MD5

      f676adcd6e17c185e3a247b5479c1f75

      SHA1

      afc864f3e57a191b9457a198ff40e6db9988505d

      SHA256

      eaa564c2467ce8b62e2e23ce7020badb6450b6ef68d8e1182d32653ec5ee0f65

      SHA512

      9fdbce1cc0e13612cf573d0491e22c63a25fba9102822bfd6b682b6c7a92f8e57b6b417a5194000b9b2948f8a63d9e5263bd9ad260e335130ba150d9a6ba20f8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintaiin.exe
      Filesize

      703KB

      MD5

      f676adcd6e17c185e3a247b5479c1f75

      SHA1

      afc864f3e57a191b9457a198ff40e6db9988505d

      SHA256

      eaa564c2467ce8b62e2e23ce7020badb6450b6ef68d8e1182d32653ec5ee0f65

      SHA512

      9fdbce1cc0e13612cf573d0491e22c63a25fba9102822bfd6b682b6c7a92f8e57b6b417a5194000b9b2948f8a63d9e5263bd9ad260e335130ba150d9a6ba20f8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe
      Filesize

      691KB

      MD5

      86dd34758b6ce7454cc907357c47d697

      SHA1

      9abc68a284b8f8969649c77f05020c0cabc9f517

      SHA256

      e0095e1a312cb6f007e51605fde1c304a1f6f62e9f329766c75f3601d961ed45

      SHA512

      3494cdbd5dc3b04c46cf660e3a8b8ae9985d248d885f0b389449d3ded5c1cf4d33e1878dd95c163ddaa53e6ee809f188de0ad4f7d5bab755f1df9bf404fb2545

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe
      Filesize

      691KB

      MD5

      86dd34758b6ce7454cc907357c47d697

      SHA1

      9abc68a284b8f8969649c77f05020c0cabc9f517

      SHA256

      e0095e1a312cb6f007e51605fde1c304a1f6f62e9f329766c75f3601d961ed45

      SHA512

      3494cdbd5dc3b04c46cf660e3a8b8ae9985d248d885f0b389449d3ded5c1cf4d33e1878dd95c163ddaa53e6ee809f188de0ad4f7d5bab755f1df9bf404fb2545

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe
      Filesize

      691KB

      MD5

      86dd34758b6ce7454cc907357c47d697

      SHA1

      9abc68a284b8f8969649c77f05020c0cabc9f517

      SHA256

      e0095e1a312cb6f007e51605fde1c304a1f6f62e9f329766c75f3601d961ed45

      SHA512

      3494cdbd5dc3b04c46cf660e3a8b8ae9985d248d885f0b389449d3ded5c1cf4d33e1878dd95c163ddaa53e6ee809f188de0ad4f7d5bab755f1df9bf404fb2545

      Download Submit
    • memory/1072-55-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1072-36-0x0000020008AB0000-0x0000020008AB3000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1072-70-0x00007FFB3E410000-0x00007FFB3E605000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/1072-68-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1072-67-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1072-66-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1072-65-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1072-64-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1072-63-0x00007FFB3E410000-0x00007FFB3E605000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/1072-62-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1072-61-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1072-60-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1072-58-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1072-56-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1072-54-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1072-53-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1072-52-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1072-51-0x000002000AB60000-0x000002000AB67000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1072-50-0x0000020008AB0000-0x0000020008AB3000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1072-69-0x000002000AB60000-0x000002000AB65000-memory.dmp
      Filesize

      20KB

      Download
    • memory/1856-31-0x0000000002960000-0x0000000002D60000-memory.dmp
      Filesize

      4.0MB

      Download
    • memory/1856-29-0x0000000002740000-0x0000000002747000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1856-45-0x0000000000400000-0x0000000000473000-memory.dmp
      Filesize

      460KB

      Download
    • memory/1856-33-0x0000000002960000-0x0000000002D60000-memory.dmp
      Filesize

      4.0MB

      Download
    • memory/1856-38-0x0000000003770000-0x00000000037A6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1856-16-0x0000000000400000-0x0000000000473000-memory.dmp
      Filesize

      460KB

      Download
    • memory/1856-32-0x0000000002960000-0x0000000002D60000-memory.dmp
      Filesize

      4.0MB

      Download
    • memory/1856-44-0x0000000003770000-0x00000000037A6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1856-46-0x0000000002960000-0x0000000002D60000-memory.dmp
      Filesize

      4.0MB

      Download
    • memory/1856-47-0x0000000000400000-0x0000000000473000-memory.dmp
      Filesize

      460KB

      Download
    • memory/1856-48-0x0000000002960000-0x0000000002D60000-memory.dmp
      Filesize

      4.0MB

      Download
    • memory/1856-24-0x0000000000400000-0x0000000000473000-memory.dmp
      Filesize

      460KB

      Download
    • memory/1856-27-0x0000000000400000-0x0000000000473000-memory.dmp
      Filesize

      460KB

      Download
    • memory/1856-30-0x0000000002960000-0x0000000002D60000-memory.dmp
      Filesize

      4.0MB

      Download
    • memory/2160-28-0x000001B2F4720000-0x000001B2F4730000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2160-34-0x000001B2F5490000-0x000001B2F5598000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2160-37-0x00007FFB1F000000-0x00007FFB1FAC1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2160-35-0x000001B2F55A0000-0x000001B2F5696000-memory.dmp
      Filesize

      984KB

      Download
    • memory/2160-26-0x00007FFB1F000000-0x00007FFB1FAC1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2160-25-0x000001B2DA1A0000-0x000001B2DA252000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2160-49-0x000001B2F4720000-0x000001B2F4730000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3836-20-0x0000000074450000-0x0000000074C00000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3836-9-0x0000000005960000-0x0000000005F04000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3836-8-0x0000000074450000-0x0000000074C00000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3836-10-0x0000000005570000-0x0000000005580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3836-11-0x00000000061E0000-0x0000000006258000-memory.dmp
      Filesize

      480KB

      Download
    • memory/3836-15-0x0000000005570000-0x0000000005580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3836-14-0x0000000006E00000-0x0000000006E4C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3836-13-0x0000000006D90000-0x0000000006DF8000-memory.dmp
      Filesize

      416KB

      Download
    • memory/3836-7-0x0000000000820000-0x00000000008D4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/3836-12-0x0000000074450000-0x0000000074C00000-memory.dmp
      Filesize

      7.7MB

      Download