Analysis
max time kernel: 146s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
submitted: 09/02/2024, 18:55

Static task: static1
Behavioral task: behavioral1
  Sample: d6fc4895775aafffbd52cb8e9e731824.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: d6fc4895775aafffbd52cb8e9e731824.exe
  Resource: win10v2004-20231215-en
General
Target: d6fc4895775aafffbd52cb8e9e731824.exe
Size: 1.1MB
MD5: d6fc4895775aafffbd52cb8e9e731824
SHA1: 9762ab2f2e6bc7a3d55bc5321667ca06cf16ce00
SHA256: a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43
SHA512: 6557a7d7178b84a1cde3c92747ad2eed5da60270b06bb7df8f6d6cf738a1028a575d29804f05a01f778358e7a6aa6a1fea20295d5bdb45e05b01e18b1c983606
SSDEEP: 24576:rus8z4E8k29sef3ykfjptYRawBIU3gyCta0SBuNoObZJR8wrGKB/urQD:asOqfykLp7wBIhyAOBuzlvLurY
Malware Config
Extracted
rhadamanthys
https://91.92.255.105:8215/b45c71e9ac60e42309ff71/foj0i1cc.fi8v9
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description | pid | Process | procid_target
PID 4548 created 2452 | 4548 | Structure.pif | 23
PID 2320 created 2452 | 2320 | Structure.pif | 23
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | d6fc4895775aafffbd52cb8e9e731824.exe
-
Deletes itself 1 IoCs
pid | Process
972 | Structure.pif
-
Executes dropped EXE 3 IoCs
pid | Process
972 | Structure.pif
4548 | Structure.pif
2320 | Structure.pif
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
4800 | tasklist.exe
4484 | tasklist.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 972 set thread context of 4548 | 972 | Structure.pif | 109
PID 972 set thread context of 2320 | 972 | Structure.pif | 116
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid | pid_target | Process | procid_target
4144 | 4548 | WerFault.exe | 109
4248 | 4548 | WerFault.exe | 109
456 | 2320 | WerFault.exe | 116
3492 | 2320 | WerFault.exe | 116
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dialer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d6fc4895775aafffbd52cb8e9e731824.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Structure.pif
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Structure.pif
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Structure.pif
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dialer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1640 | PING.EXE
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
1640 | PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3388 | schtasks.exe
2320 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
(50 rows in the original table; runs of identical consecutive rows are collapsed, with the run length in the last column)
pid | Process | consecutive rows
972 | Structure.pif | 34
4548 | Structure.pif | 2
2716 | dialer.exe | 4
972 | Structure.pif | 4
2320 | Structure.pif | 2
4980 | dialer.exe | 4
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4800 | tasklist.exe
Token: SeDebugPrivilege | 4484 | tasklist.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
972 | Structure.pif
972 | Structure.pif
972 | Structure.pif
-
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
972 | Structure.pif
972 | Structure.pif
972 | Structure.pif
-
Suspicious use of WriteProcessMemory 59 IoCs
(59 rows in the original table; identical consecutive rows are collapsed, with the run length in the last column)
description | pid | Process | procid_target | consecutive rows
PID 64 wrote to memory of 3780 | 64 | d6fc4895775aafffbd52cb8e9e731824.exe | 85 | 3
PID 3780 wrote to memory of 4800 | 3780 | cmd.exe | 87 | 3
PID 3780 wrote to memory of 2484 | 3780 | cmd.exe | 88 | 3
PID 3780 wrote to memory of 4484 | 3780 | cmd.exe | 91 | 3
PID 3780 wrote to memory of 4888 | 3780 | cmd.exe | 90 | 3
PID 3780 wrote to memory of 1192 | 3780 | cmd.exe | 92 | 3
PID 3780 wrote to memory of 2424 | 3780 | cmd.exe | 93 | 3
PID 3780 wrote to memory of 3988 | 3780 | cmd.exe | 94 | 3
PID 3780 wrote to memory of 972 | 3780 | cmd.exe | 95 | 3
PID 3780 wrote to memory of 1640 | 3780 | cmd.exe | 96 | 3
PID 972 wrote to memory of 3388 | 972 | Structure.pif | 97 | 3
PID 972 wrote to memory of 4832 | 972 | Structure.pif | 98 | 3
PID 4832 wrote to memory of 2320 | 4832 | cmd.exe | 101 | 3
PID 972 wrote to memory of 4548 | 972 | Structure.pif | 109 | 5
PID 4548 wrote to memory of 2716 | 4548 | Structure.pif | 110 | 5
PID 972 wrote to memory of 2320 | 972 | Structure.pif | 116 | 5
PID 2320 wrote to memory of 4980 | 2320 | Structure.pif | 117 | 5
Processes
(process tree; each child process is indented under the process that created it)

- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2452
  - C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    PID: 2716
    Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    PID: 4980
    Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

- C:\Users\Admin\AppData\Local\Temp\d6fc4895775aafffbd52cb8e9e731824.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6fc4895775aafffbd52cb8e9e731824.exe"
  PID: 64
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k move Delays Delays.bat & Delays.bat & exit
    PID: 3780
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 4800
      Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      PID: 2484
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /I "wrsa.exe opssvc.exe"
      PID: 4888
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 4484
      Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c md 25912
      PID: 1192
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c copy /b Networks + Aberdeen + Temporary + Maps + Aggressive 25912\Structure.pif
      PID: 2424
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c copy /b Bowling + Micro + Britney 25912\J
      PID: 3988
      Signatures: System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif
      Command line: 25912\Structure.pif 25912\J
      PID: 972
      Signatures: Deletes itself; Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks.exe /create /tn "SwiftSync" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc onlogon /F /RL HIGHEST
        PID: 3388
        Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
        PID: 4832
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
          PID: 2320
          Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif
        Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif
        PID: 4548
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 436
          PID: 4144
          Signatures: Program crash
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 432
          PID: 4248
          Signatures: Program crash
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif
        Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif
        PID: 2320
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 436
          PID: 456
          Signatures: Program crash
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 432
          PID: 3492
          Signatures: Program crash
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 15 localhost
      PID: 1640
      Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4548 -ip 4548
  PID: 4668

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4548 -ip 4548
  PID: 4312

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2320 -ip 2320
  PID: 2096

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2320 -ip 2320
  PID: 684
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.2MB
MD5: 9e026102dd03937a6464c85c69a2383f
SHA1: 520325a083a63ee251284fa447acb52f8004ce53
SHA256: 9df3a12e7cc135b26f76b2e967df78b81fd5f505d356e9fc079bf04026931759
SHA512: 26b989788ff0c2f2d626b59451a7fd6e3a2c11ea898b1066de5fb2f9fa59f87760bd10ba7db4377455ef9cd2368954d272a58a6a10e6b4fb7ca6eb6625f2fe77
-
Filesize: 924KB
MD5: 848164d084384c49937f99d5b894253e
SHA1: 3055ef803eeec4f175ebf120f94125717ee12444
SHA256: f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512: aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a
-
Filesize: 236KB
MD5: cadf612984ebd5ecd45906b805ffe46c
SHA1: 1b53b6b2a843e6d05678356664be82b0317a3c1a
SHA256: 696dabffb01c537d4f35dcf5b44cd0b3250a96bf55b5e47f70351cb87d290909
SHA512: d412fb5f4469463a7e2394b9dc829241ae500ead96178c8da813f8bad6687f46f4ab9378512c55a9fb0025389abb47cdba4546a77b5f601d6f9cb3cac48db51e
-
Filesize: 109KB
MD5: 029325f8240d37784f57441b3176163c
SHA1: bd61a35e87d9e579e3f14f1912437ac91568e969
SHA256: 32acea596c43d3a11f1dddd1b50eafa491bb97f4724d7cf193bbf584196889eb
SHA512: 333aca81513e6dd0d49a824c889a945121f4f8343e6c53f47d589be0624c46ba5495fbac37560bec489583638ce03eac0cdab0d2a8273a6e70bedb8799cad85b
-
Filesize: 438KB
MD5: 51269b2f02dba8f71d9fa5a2a7119642
SHA1: 6502d3e85e61fd6cb03f68525bd92682e0de6198
SHA256: 526e1f710c86eb4d1f3b05bb5bc981d7fb7fd5daed752992f1f543daadffb89f
SHA512: 2e0ff51926256595c95b636e6a8314cac1763be5cdb0f51a54dc59d7b67b20275d425eec61fe483e65f73f3b58424fd6fc85b9fed4288fc2c5d57b4f49f7fd53
-
Filesize: 337KB
MD5: afdc4a4520d5dc1c3dd70fda304c9aa9
SHA1: 914ee920b6e037a42e3b522d89909ae1d899197a
SHA256: c16921f44342ff963f0a6f93e3816c2d9fab7e0382a87a755012fc56422423a7
SHA512: efc9cb520ad2997ca35c5d521839f9723a665fb162dc3c832ea7d7da3cbe855c1ef75904f5cfe9a608d3e97d268ecfd78730fc39dd01318a5234aa960e91381d
-
Filesize: 11KB
MD5: 60a0a998ac721ce59926c350c1cfa346
SHA1: 9b69aef9a6d12e0e7f4efab8f7a65329c0d958f2
SHA256: 0129d157049640ba4a556776946a767b859bcf0503ccaf17c5f8b373fbfbcd38
SHA512: 86e705176ab1060c29930bdb516dd4bb3d0ae32c7fbf49f5ada56478be067cae7c5be0bbf1abb44c042f9dfa531123d85c45d7ed92e6509562dbf023bce04e30
-
Filesize: 215KB
MD5: 43819522acece762a7389a5683136c4d
SHA1: b3ff7cf638094690347653f613d5cac9913fbd68
SHA256: eb08e78f8bb92c71c0fe7b03bd6b9498e2fb7118635f7199b762301653c68c2b
SHA512: 03dda574da87595b7593387d3e575d9c2ef5256d2e9dd4fb163ac9d993a2c7ad747445fd51c4a8b4627bd09c251aecd6fd3b1401a79cf4468f2f8a9f99ac58f4
-
Filesize: 467KB
MD5: 16c7e782af3a480cf58b2f67f47a637c
SHA1: f23178c12ada8993410e8f1a59a1e271879d5977
SHA256: ce65a1dea48934a61b3e98697659857e466e859d22ed244cbf45e9feded8c8b4
SHA512: 6d61e15ada0b82668ada59e95d0d2b5f4bf21fa8beed38b66abea401a642f7c974710f30db0cd537d1397e7b0e060e2225e16f1269632578dd0301e0ab30b71b
-
Filesize: 217KB
MD5: e0ee57b3d753dba0d3a58379968e19c9
SHA1: 7cb2bd6f3bab50a9836a620610d8e47459445ab0
SHA256: 4175135f12188ab2c643aeeca361bcd506730de21255b8eabf6cb8f1d4c2ecf5
SHA512: 3cd236c51634159250317f3a8705a836cb72203184c3ca5313d18c8e15bff9d25dd50e7c6ac7af66c9d107046e0ec09579d630b510a1c22b94d6cfbc02034059
-
Filesize: 147KB
MD5: 90114130f88ac2fb224c689998e124ce
SHA1: df94c44b1ceae98749237fae6ac07092fc4c6099
SHA256: 87b55a91dd04d2377e0eddf641fa5d2325bce6a9025dd3cfddb3cb5ca1192cff
SHA512: 38fd4b234a0358f1fe4a77b0f4c3204768759edd9a626676364081fc90d18cd0bf3dab181e8c928526b38e7f7e959a4f3cb34022a66c74226bf23d6d430d0b44