Analysis
max time kernel: 122s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
submitted: 09/02/2024, 18:55

Static task: static1
Behavioral task: behavioral1
  Sample: d6fc4895775aafffbd52cb8e9e731824.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: d6fc4895775aafffbd52cb8e9e731824.exe
  Resource: win10v2004-20231215-en
General
Target: d6fc4895775aafffbd52cb8e9e731824.exe
Size: 1.1MB
MD5: d6fc4895775aafffbd52cb8e9e731824
SHA1: 9762ab2f2e6bc7a3d55bc5321667ca06cf16ce00
SHA256: a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43
SHA512: 6557a7d7178b84a1cde3c92747ad2eed5da60270b06bb7df8f6d6cf738a1028a575d29804f05a01f778358e7a6aa6a1fea20295d5bdb45e05b01e18b1c983606
SSDEEP: 24576:rus8z4E8k29sef3ykfjptYRawBIU3gyCta0SBuNoObZJR8wrGKB/urQD:asOqfykLp7wBIhyAOBuzlvLurY
Malware Config
Extracted: rhadamanthys
https://91.92.255.105:8215/b45c71e9ac60e42309ff71/foj0i1cc.fi8v9

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description | pid | Process | procid_target
PID 1708 created 1264 | 1708 | Structure.pif | 7
PID 2068 created 1264 | 2068 | Structure.pif | 7

Deletes itself 1 IoCs
pid | Process
2648 | Structure.pif

Executes dropped EXE 3 IoCs
pid | Process
2648 | Structure.pif
1708 | Structure.pif
2068 | Structure.pif

Loads dropped DLL 3 IoCs
pid | Process
2720 | cmd.exe
2648 | Structure.pif
2648 | Structure.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
2836 | tasklist.exe
2596 | tasklist.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2648 set thread context of 1708 | 2648 | Structure.pif | 48
PID 2648 set thread context of 2068 | 2648 | Structure.pif | 50
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d6fc4895775aafffbd52cb8e9e731824.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Structure.pif
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Structure.pif
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Structure.pif
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dialer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dialer.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2056 | PING.EXE

Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2056 | PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1200 | schtasks.exe
1648 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs
pid | Process (consecutive identical rows collapsed, count in parentheses)
2648 | Structure.pif (x17)
1708 | Structure.pif (x2)
2808 | dialer.exe (x4)
2648 | Structure.pif (x2)
2068 | Structure.pif (x2)
1828 | dialer.exe (x4)

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2836 | tasklist.exe
Token: SeDebugPrivilege | 2596 | tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
2648 | Structure.pif (x3)

Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
2648 | Structure.pif (x3)

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive identical rows collapsed, count in parentheses)
PID 3044 wrote to memory of 2720 | 3044 | d6fc4895775aafffbd52cb8e9e731824.exe | 29 (x4)
PID 2720 wrote to memory of 2836 | 2720 | cmd.exe | 31 (x4)
PID 2720 wrote to memory of 2840 | 2720 | cmd.exe | 32 (x4)
PID 2720 wrote to memory of 2596 | 2720 | cmd.exe | 34 (x4)
PID 2720 wrote to memory of 2820 | 2720 | cmd.exe | 35 (x4)
PID 2720 wrote to memory of 1776 | 2720 | cmd.exe | 36 (x4)
PID 2720 wrote to memory of 2632 | 2720 | cmd.exe | 37 (x4)
PID 2720 wrote to memory of 2592 | 2720 | cmd.exe | 38 (x4)
PID 2720 wrote to memory of 2648 | 2720 | cmd.exe | 39 (x4)
PID 2720 wrote to memory of 2056 | 2720 | cmd.exe | 40 (x4)
PID 2648 wrote to memory of 1200 | 2648 | Structure.pif | 41 (x4)
PID 2648 wrote to memory of 1208 | 2648 | Structure.pif | 42 (x4)
PID 1208 wrote to memory of 1648 | 1208 | cmd.exe | 45 (x4)
PID 2648 wrote to memory of 1708 | 2648 | Structure.pif | 48 (x6)
PID 1708 wrote to memory of 2808 | 1708 | Structure.pif | 49 (x6)
Processes
(process tree, indented by parent/child depth; each entry gives image path, PID, command line and the signatures it triggered)

C:\Windows\Explorer.EXE  PID:1264
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\d6fc4895775aafffbd52cb8e9e731824.exe  PID:3044
    command line: "C:\Users\Admin\AppData\Local\Temp\d6fc4895775aafffbd52cb8e9e731824.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  PID:2720
      command line: "C:\Windows\System32\cmd.exe" /k move Delays Delays.bat & Delays.bat & exit
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\tasklist.exe  PID:2836
        command line: tasklist
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe  PID:2840
        command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\tasklist.exe  PID:2596
        command line: tasklist
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe  PID:2820
        command line: findstr /I "wrsa.exe opssvc.exe"
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cmd.exe  PID:1776
        command line: cmd /c md 25883
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cmd.exe  PID:2632
        command line: cmd /c copy /b Networks + Aberdeen + Temporary + Maps + Aggressive 25883\Structure.pif
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cmd.exe  PID:2592
        command line: cmd /c copy /b Bowling + Micro + Britney 25883\J
        - System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif  PID:2648
        command line: 25883\Structure.pif 25883\J
        - Deletes itself
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe  PID:1200
          command line: schtasks.exe /create /tn "SwiftSync" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc onlogon /F /RL HIGHEST
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

        C:\Windows\SysWOW64\cmd.exe  PID:1208
          command line: cmd /c schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\schtasks.exe  PID:1648
            command line: schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif  PID:1708
          command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif  PID:2068
          command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\PING.EXE  PID:2056
        command line: ping -n 15 localhost
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

  C:\Windows\SysWOW64\dialer.exe  PID:2808
    command line: "C:\Windows\system32\dialer.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\dialer.exe  PID:1828
    command line: "C:\Windows\system32\dialer.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15
Downloads