Analysis
- max time kernel: 142s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
- submitted: 11/02/2024, 04:40
Static task: static1
Behavioral task: behavioral1
- Sample: a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe
- Resource: win10v2004-20231215-en
General
- Target: a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe
- Size: 1.1MB
- MD5: d6fc4895775aafffbd52cb8e9e731824
- SHA1: 9762ab2f2e6bc7a3d55bc5321667ca06cf16ce00
- SHA256: a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43
- SHA512: 6557a7d7178b84a1cde3c92747ad2eed5da60270b06bb7df8f6d6cf738a1028a575d29804f05a01f778358e7a6aa6a1fea20295d5bdb45e05b01e18b1c983606
- SSDEEP: 24576:rus8z4E8k29sef3ykfjptYRawBIU3gyCta0SBuNoObZJR8wrGKB/urQD:asOqfykLp7wBIhyAOBuzlvLurY
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  description | pid | Process | procid_target
  PID 848 created 2416 | 848 | Structure.pif | 51
  PID 1036 created 2416 | 1036 | Structure.pif | 51
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe
- Deletes itself (1 IoC)
  pid | Process
  4944 | Structure.pif
- Executes dropped EXE (3 IoCs)
  pid | Process
  4944 | Structure.pif
  848 | Structure.pif
  1036 | Structure.pif
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4944 set thread context of 848 | 4944 | Structure.pif | 109
  PID 4944 set thread context of 1036 | 4944 | Structure.pif | 116
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (4 IoCs)
  pid | pid_target | Process | procid_target
  4216 | 848 | WerFault.exe | 109
  764 | 848 | WerFault.exe | 109
  3364 | 1036 | WerFault.exe | 116
  5088 | 1036 | WerFault.exe | 116
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1132 | schtasks.exe
  4448 | schtasks.exe
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid | Process
  4260 | tasklist.exe
  2380 | tasklist.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  376 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (50 IoCs)
  pid | Process
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  848 | Structure.pif
  848 | Structure.pif
  3424 | dialer.exe
  3424 | dialer.exe
  3424 | dialer.exe
  3424 | dialer.exe
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
  1036 | Structure.pif
  1036 | Structure.pif
  2856 | dialer.exe
  2856 | dialer.exe
  2856 | dialer.exe
  2856 | dialer.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4260 | tasklist.exe
  Token: SeDebugPrivilege | 2380 | tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  4944 | Structure.pif
  4944 | Structure.pif
  4944 | Structure.pif
- Suspicious use of WriteProcessMemory (59 IoCs)
  description | pid | Process | procid_target
  PID 2120 wrote to memory of 4516 | 2120 | a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe | 85
  PID 2120 wrote to memory of 4516 | 2120 | a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe | 85
  PID 2120 wrote to memory of 4516 | 2120 | a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe | 85
  PID 4516 wrote to memory of 4260 | 4516 | cmd.exe | 87
  PID 4516 wrote to memory of 4260 | 4516 | cmd.exe | 87
  PID 4516 wrote to memory of 4260 | 4516 | cmd.exe | 87
  PID 4516 wrote to memory of 632 | 4516 | cmd.exe | 88
  PID 4516 wrote to memory of 632 | 4516 | cmd.exe | 88
  PID 4516 wrote to memory of 632 | 4516 | cmd.exe | 88
  PID 4516 wrote to memory of 2380 | 4516 | cmd.exe | 90
  PID 4516 wrote to memory of 2380 | 4516 | cmd.exe | 90
  PID 4516 wrote to memory of 2380 | 4516 | cmd.exe | 90
  PID 4516 wrote to memory of 1228 | 4516 | cmd.exe | 91
  PID 4516 wrote to memory of 1228 | 4516 | cmd.exe | 91
  PID 4516 wrote to memory of 1228 | 4516 | cmd.exe | 91
  PID 4516 wrote to memory of 216 | 4516 | cmd.exe | 92
  PID 4516 wrote to memory of 216 | 4516 | cmd.exe | 92
  PID 4516 wrote to memory of 216 | 4516 | cmd.exe | 92
  PID 4516 wrote to memory of 1596 | 4516 | cmd.exe | 93
  PID 4516 wrote to memory of 1596 | 4516 | cmd.exe | 93
  PID 4516 wrote to memory of 1596 | 4516 | cmd.exe | 93
  PID 4516 wrote to memory of 2456 | 4516 | cmd.exe | 94
  PID 4516 wrote to memory of 2456 | 4516 | cmd.exe | 94
  PID 4516 wrote to memory of 2456 | 4516 | cmd.exe | 94
  PID 4516 wrote to memory of 4944 | 4516 | cmd.exe | 95
  PID 4516 wrote to memory of 4944 | 4516 | cmd.exe | 95
  PID 4516 wrote to memory of 4944 | 4516 | cmd.exe | 95
  PID 4516 wrote to memory of 376 | 4516 | cmd.exe | 96
  PID 4516 wrote to memory of 376 | 4516 | cmd.exe | 96
  PID 4516 wrote to memory of 376 | 4516 | cmd.exe | 96
  PID 4944 wrote to memory of 1132 | 4944 | Structure.pif | 97
  PID 4944 wrote to memory of 1132 | 4944 | Structure.pif | 97
  PID 4944 wrote to memory of 1132 | 4944 | Structure.pif | 97
  PID 4944 wrote to memory of 2884 | 4944 | Structure.pif | 99
  PID 4944 wrote to memory of 2884 | 4944 | Structure.pif | 99
  PID 4944 wrote to memory of 2884 | 4944 | Structure.pif | 99
  PID 2884 wrote to memory of 4448 | 2884 | cmd.exe | 101
  PID 2884 wrote to memory of 4448 | 2884 | cmd.exe | 101
  PID 2884 wrote to memory of 4448 | 2884 | cmd.exe | 101
  PID 4944 wrote to memory of 848 | 4944 | Structure.pif | 109
  PID 4944 wrote to memory of 848 | 4944 | Structure.pif | 109
  PID 4944 wrote to memory of 848 | 4944 | Structure.pif | 109
  PID 4944 wrote to memory of 848 | 4944 | Structure.pif | 109
  PID 4944 wrote to memory of 848 | 4944 | Structure.pif | 109
  PID 848 wrote to memory of 3424 | 848 | Structure.pif | 110
  PID 848 wrote to memory of 3424 | 848 | Structure.pif | 110
  PID 848 wrote to memory of 3424 | 848 | Structure.pif | 110
  PID 848 wrote to memory of 3424 | 848 | Structure.pif | 110
  PID 848 wrote to memory of 3424 | 848 | Structure.pif | 110
  PID 4944 wrote to memory of 1036 | 4944 | Structure.pif | 116
  PID 4944 wrote to memory of 1036 | 4944 | Structure.pif | 116
  PID 4944 wrote to memory of 1036 | 4944 | Structure.pif | 116
  PID 4944 wrote to memory of 1036 | 4944 | Structure.pif | 116
  PID 4944 wrote to memory of 1036 | 4944 | Structure.pif | 116
  PID 1036 wrote to memory of 2856 | 1036 | Structure.pif | 118
  PID 1036 wrote to memory of 2856 | 1036 | Structure.pif | 118
  PID 1036 wrote to memory of 2856 | 1036 | Structure.pif | 118
  PID 1036 wrote to memory of 2856 | 1036 | Structure.pif | 118
  PID 1036 wrote to memory of 2856 | 1036 | Structure.pif | 118
Processes
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2416
  - C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    signatures: Suspicious behavior: EnumeratesProcesses
    PID: 3424
  - C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    signatures: Suspicious behavior: EnumeratesProcesses
    PID: 2856
- C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  PID: 2120
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k move Delays Delays.bat & Delays.bat & exit
    signatures: Suspicious use of WriteProcessMemory
    PID: 4516
    - C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      PID: 4260
    - C:\Windows\SysWOW64\findstr.exe
      command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      PID: 632
    - C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      PID: 2380
    - C:\Windows\SysWOW64\findstr.exe
      command line: findstr /I "wrsa.exe opssvc.exe"
      PID: 1228
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c md 29438
      PID: 216
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c copy /b Networks + Aberdeen + Temporary + Maps + Aggressive 29438\Structure.pif
      PID: 1596
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c copy /b Bowling + Micro + Britney 29438\J
      PID: 2456
    - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
      command line: 29438\Structure.pif 29438\J
      signatures: Deletes itself; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      PID: 4944
      - C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks.exe /create /tn "SwiftSync" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc onlogon /F /RL HIGHEST
        signatures: Creates scheduled task(s)
        PID: 1132
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
        signatures: Suspicious use of WriteProcessMemory
        PID: 2884
        - C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
          signatures: Creates scheduled task(s)
          PID: 4448
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
        command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
        signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        PID: 848
        - C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 440
          signatures: Program crash
          PID: 4216
        - C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 432
          signatures: Program crash
          PID: 764
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
        command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
        signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        PID: 1036
        - C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 436
          signatures: Program crash
          PID: 3364
        - C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 432
          signatures: Program crash
          PID: 5088
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping -n 15 localhost
      signatures: Runs ping.exe
      PID: 376
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 848 -ip 848
  PID: 3552
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 848 -ip 848
  PID: 4996
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1036 -ip 1036
  PID: 1936
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1036 -ip 1036
  PID: 3924
Network
MITRE ATT&CK Enterprise v15
Downloads