Analysis
- max time kernel: 145s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-02-2024 20:08
Static task: static1
Behavioral task: behavioral1
- Sample: solaris.exe
- Resource: win10v2004-20231215-en
General
- Target: solaris.exe
- Size: 2.4MB
- MD5: ff652d08cf029b5c2ad320ecfd0bab76
- SHA1: 2c445cd6682cb2a3138fcf54433b61d31671547c
- SHA256: 0e31baeb3b4d0108735c3d0ad0cf1c7a0f7f1c40e8b36fd003312e60d4fc116f
- SHA512: 5bd29a3779669c2a55795d900180909d8cb0260e03d51eb98edf673ffdedc886fa79363b7c09b4979e1e8b11d0f51c2d7b141849c8e67f8f7099caae21db084d
- SSDEEP: 49152:nLRyUcCmKGyogT/ssZ5H2fUmVPMcR+WNGTDz:nLRxcCjsmPZluj+6Gvz
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (3 IoCs)
  Processes:
  description            pid   process     target process
  PID 4412 created 3448  4412  Blog.pif    Explorer.EXE
  PID 4412 created 3448  4412  Blog.pif    Explorer.EXE
  PID 756 created 2948   756   RegAsm.exe  sihost.exe
- Drops startup file (2 IoCs)
  Processes:
  description                   ioc                                                                                          process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataHarbor.url  cmd.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataHarbor.url  cmd.exe
- Executes dropped EXE (2 IoCs)
  Processes:
  pid   process
  4412  Blog.pif
  756   RegAsm.exe
- Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  Processes:
  pid   process
  2208  tasklist.exe
  2528  tasklist.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes:
  pid   process     count
  4412  Blog.pif    20
  756   RegAsm.exe  2
  1604  dialer.exe  4
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  2208  tasklist.exe
  Token: SeDebugPrivilege  2528  tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
  pid   process   count
  4412  Blog.pif  3
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
  pid   process   count
  4412  Blog.pif  3
- Suspicious use of WriteProcessMemory (43 IoCs)
  Processes:
  description                       pid   process      target process  count
  PID 2044 wrote to memory of 2160  2044  solaris.exe  cmd.exe         3
  PID 2160 wrote to memory of 2208  2160  cmd.exe      tasklist.exe    3
  PID 2160 wrote to memory of 3956  2160  cmd.exe      findstr.exe     3
  PID 2160 wrote to memory of 2528  2160  cmd.exe      tasklist.exe    3
  PID 2160 wrote to memory of 4524  2160  cmd.exe      findstr.exe     3
  PID 2160 wrote to memory of 832   2160  cmd.exe      cmd.exe         3
  PID 2160 wrote to memory of 528   2160  cmd.exe      cmd.exe         3
  PID 2160 wrote to memory of 4904  2160  cmd.exe      cmd.exe         3
  PID 2160 wrote to memory of 4412  2160  cmd.exe      Blog.pif        3
  PID 2160 wrote to memory of 4932  2160  cmd.exe      PING.EXE        3
  PID 4412 wrote to memory of 4520  4412  Blog.pif     cmd.exe         3
  PID 4412 wrote to memory of 756   4412  Blog.pif     RegAsm.exe      5
  PID 756 wrote to memory of 1604   756   RegAsm.exe   dialer.exe      5
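The batch stage visible in the signatures and command lines (an extension-less payload renamed to .bat, tasklist piped into findstr for security-product names, copy /b reassembly of chunk files into Blog.pif, ping -n 5 localhost as a delay, and an [InternetShortcut] .url written into the Startup folder) can be flagged from process command lines alone. What follows is an added example, not part of the Triage report or of the sample: it runs a handful of rules over process-creation events constructed from the command lines and PIDs in this report. The ProcEvent shape, the rule names and the AV_PROCESS_NAMES set (seeded from the two findstr arguments above) are assumptions for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Security-product image names this sample greps for, taken from the two
# findstr command lines in the report; extend the set for your environment.
AV_PROCESS_NAMES = {
    "avastui.exe", "avgui.exe", "nswscsvc.exe",
    "sophoshealth.exe", "wrsa.exe", "opssvc.exe",
}

# One regex per batch-stage behaviour seen in the process tree.
RE_RENAME_TO_BAT = re.compile(r"\bmove\s+(\S+)\s+\1\.bat\b", re.I)
RE_COPY_B = re.compile(r"\bcopy\s+/b\s+(\S+(?:\s*\+\s*\S+)+)\s+(\S+)", re.I)
RE_PING_DELAY = re.compile(
    r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)
RE_STARTUP_URL = re.compile(
    r"\[InternetShortcut\].*?\\Start Menu\\Programs\\Startup\\[^\"]+\.url",
    re.I | re.S)
RE_URL_TARGET = re.compile(r"\bURL=\"([^\"]+)\"|\bURL=(\S+)", re.I)
RE_FINDSTR = re.compile(r"\bfindstr(?:\.exe)?\b(.*)", re.I)
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd")
PE_EXT = (".pif", ".exe", ".scr", ".com", ".dll")


@dataclass
class ProcEvent:
    """Minimal process-creation record (hypothetical shape for this example)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def classify(cmdline: str) -> list[str]:
    """Return the behaviour tags a single command line triggers."""
    tags: list[str] = []
    if RE_RENAME_TO_BAT.search(cmdline):
        tags.append("rename_payload_to_bat")
    m = RE_COPY_B.search(cmdline)
    if m:
        chunks = [c.strip() for c in m.group(1).split("+")]
        dest = m.group(2)
        tags.append(f"reassemble_from_{len(chunks)}_chunks->{dest}")
        if dest.lower().endswith(PE_EXT):
            tags.append("reassembled_executable")
    m = RE_PING_DELAY.search(cmdline)
    if m:
        # ping -n N localhost waits roughly N-1 seconds: a cheap sleep.
        tags.append(f"ping_delay_n{m.group(1)}")
    if RE_STARTUP_URL.search(cmdline):
        tags.append("startup_url_persistence")
        m = RE_URL_TARGET.search(cmdline)
        target = (m.group(1) or m.group(2)) if m else ""
        if target.lower().endswith(SCRIPT_EXT):
            tags.append("startup_url_targets_script")
    m = RE_FINDSTR.search(cmdline)
    if m:
        wanted = {tok.strip('"').lower() for tok in m.group(1).split()}
        if wanted & AV_PROCESS_NAMES:
            tags.append("security_product_discovery")
    return tags


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> tags for every event that triggered at least one rule."""
    return {e.pid: tags for e in events if (tags := classify(e.cmdline))}


def chain_detected(findings: dict[int, list[str]]) -> bool:
    """True when the staged-dropper chain is complete: security-product
    discovery, payload reassembly and a Startup persistence artifact."""
    seen = {t for tags in findings.values() for t in tags}
    return {"security_product_discovery", "reassembled_executable",
            "startup_url_persistence"} <= seen


# Events constructed from the command lines and PIDs in this report.
SAMPLE_EVENTS = [
    ProcEvent(2160, 2044, "cmd.exe",
              "cmd /k move Classics Classics.bat & Classics.bat & exit"),
    ProcEvent(2208, 2160, "tasklist.exe", "tasklist"),
    ProcEvent(3956, 2160, "findstr.exe",
              'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    ProcEvent(4524, 2160, "findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    ProcEvent(832, 2160, "cmd.exe", "cmd /c md 2019"),
    ProcEvent(528, 2160, "cmd.exe",
              r"cmd /c copy /b Directly + Fingers + Tx + Pdf + Pattern + Avenue 2019\Blog.pif"),
    ProcEvent(4904, 2160, "cmd.exe",
              r"cmd /c copy /b Mentioned + Basketball + Charitable 2019\T"),
    ProcEvent(4932, 2160, "PING.EXE", "ping -n 5 localhost"),
    ProcEvent(4520, 3448, "cmd.exe",
              r'cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\ByteHarbor Technologies\DataHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataHarbor.url" & exit'),
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for pid, tags in found.items():
        print(pid, tags)
    print("staged dropper chain:", chain_detected(found))
```

Each rule on its own is noisy (ping -n against localhost is common in admin scripts); the value is in chain_detected, which only fires when discovery, reassembly and persistence all appear in one session, as they do here.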
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3448
  - C:\Users\Admin\AppData\Local\Temp\solaris.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\solaris.exe"
    PID: 2044
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /k move Classics Classics.bat & Classics.bat & exit
      PID: 2160
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        PID: 2208
        signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\findstr.exe
        command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        PID: 3956
      - C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        PID: 2528
        signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\findstr.exe
        command line: findstr /I "wrsa.exe opssvc.exe"
        PID: 4524
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c md 2019
        PID: 832
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c copy /b Directly + Fingers + Tx + Pdf + Pattern + Avenue 2019\Blog.pif
        PID: 528
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c copy /b Mentioned + Basketball + Charitable 2019\T
        PID: 4904
      - C:\Users\Admin\AppData\Local\Temp\23328\2019\Blog.pif
        command line: 2019\Blog.pif 2019\T
        PID: 4412
        signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 5 localhost
        PID: 4932
        signatures: Runs ping.exe
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\ByteHarbor Technologies\DataHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataHarbor.url" & exit
    PID: 4520
    signatures: Drops startup file
    note: listed under Explorer.EXE [3448] because that is the recorded parent; the NtCreateUserProcessOtherParentProcess and WriteProcessMemory IoCs show Blog.pif [4412] created this process with a spoofed parent
  - C:\Users\Admin\AppData\Local\Temp\23328\2019\RegAsm.exe
    command line: C:\Users\Admin\AppData\Local\Temp\23328\2019\RegAsm.exe
    PID: 756
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    note: listed under Explorer.EXE [3448] because that is the recorded parent; the NtCreateUserProcessOtherParentProcess and WriteProcessMemory IoCs show Blog.pif [4412] created this process with a spoofed parent
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2948
  - C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    PID: 1604
    signatures: Suspicious behavior: EnumeratesProcesses
    note: listed under sihost.exe [2948] because that is the recorded parent; the NtCreateUserProcessOtherParentProcess and WriteProcessMemory IoCs show RegAsm.exe [756] created this process with a spoofed parent
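The tree shows cmd.exe [4520] and RegAsm.exe [756] under Explorer.EXE and dialer.exe [1604] under sihost.exe, while the NtCreateUserProcessOtherParentProcess and WriteProcessMemory IoCs show that Blog.pif [4412] and RegAsm.exe [756] actually created them: the parent PID was spoofed, so a tree built from recorded parent PIDs alone hides the injection chain. The following is an added example, not part of the Triage report or of the sample. It rebuilds the process tree from the PIDs and images above, treats the process that writes into a freshly created process (the de-duplicated WriteProcessMemory pairs) as its real creator, flags every process whose recorded parent is not that creator, and cross-checks the result against the "created with other parent" IoCs. The Proc shape and the writer-equals-creator heuristic are assumptions for illustration; with real telemetry you would use process-creation events that carry the creator PID, and timestamps to pick the first writer.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    ppid: int  # parent as the sandbox tree reports it (0 = no parent listed)


# Process list as the tree above shows it; PIDs and images from this report.
PROCS = [
    Proc(3448, "Explorer.EXE", 0),
    Proc(2044, "solaris.exe", 3448),
    Proc(2160, "cmd.exe", 2044),
    Proc(4412, "Blog.pif", 2160),
    Proc(4520, "cmd.exe", 3448),     # shown under Explorer.EXE
    Proc(756, "RegAsm.exe", 3448),   # shown under Explorer.EXE
    Proc(2948, "sihost.exe", 0),
    Proc(1604, "dialer.exe", 2948),  # shown under sihost.exe
]

# (writer_pid, target_pid) pairs from the WriteProcessMemory IoCs, de-duplicated.
# Heuristic (assumption): the process that writes into another process's
# memory right after it appears is the real creator, whatever parent the
# kernel recorded for it.
WRITES = {
    (2044, 2160), (2160, 2208), (2160, 3956), (2160, 2528), (2160, 4524),
    (2160, 832), (2160, 528), (2160, 4904), (2160, 4412), (2160, 4932),
    (4412, 4520), (4412, 756), (756, 1604),
}

# (creator_pid, reported_parent_pid) from the
# NtCreateUserProcessOtherParentProcess IoCs in the report.
CREATED_WITH_OTHER_PARENT = [(4412, 3448), (4412, 3448), (756, 2948)]


def find_spoofed_parents(procs, writes):
    """Map pid -> (reported_ppid, creator_pid) for each process whose memory
    writer is not the parent the tree reports. With several writers the
    lowest PID is taken; refine with timestamps when they are available."""
    writers: dict[int, set[int]] = {}
    for w, t in writes:
        writers.setdefault(t, set()).add(w)
    spoofed = {}
    for p in procs:
        creators = writers.get(p.pid, set())
        if creators and p.ppid not in creators:
            spoofed[p.pid] = (p.ppid, min(creators))
    return spoofed


def matches_created_iocs(spoofed, created):
    """Cross-check: the (creator, reported parent) pairs derived from memory
    writes must equal the 'created with other parent' IoCs, as a multiset."""
    derived = sorted((creator, reported) for reported, creator in spoofed.values())
    return derived == sorted(created)


def corrected_parents(procs, writes):
    """pid -> parent pid, with spoofed parents replaced by the real creator."""
    spoofed = find_spoofed_parents(procs, writes)
    return {p.pid: spoofed[p.pid][1] if p.pid in spoofed else p.ppid for p in procs}


def render_tree(procs, writes):
    """Indented tree lines with the corrected parents, annotating each
    process whose recorded parent was spoofed."""
    by_pid = {p.pid: p for p in procs}
    spoofed = find_spoofed_parents(procs, writes)
    parents = corrected_parents(procs, writes)
    children: dict[int, list[int]] = {}
    for pid, ppid in parents.items():
        children.setdefault(ppid, []).append(pid)
    lines: list[str] = []

    def walk(pid, depth):
        line = f"{'  ' * depth}{by_pid[pid].image} [{pid}]"
        if pid in spoofed:
            rp = spoofed[pid][0]
            line += f"  <- reported parent {by_pid[rp].image} [{rp}], spoofed"
        lines.append(line)
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in sorted(pid for pid, ppid in parents.items() if ppid not in by_pid):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCS, WRITES)))
```

On the corrected tree the whole chain hangs off solaris.exe: Blog.pif spawns both the persistence cmd.exe and RegAsm.exe, and RegAsm.exe spawns dialer.exe, which is the view a responder needs when scoping the host.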
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 924KB
  MD5: 848164d084384c49937f99d5b894253e
  SHA1: 3055ef803eeec4f175ebf120f94125717ee12444
  SHA256: f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
  SHA512: aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a
- Filesize: 63KB
  MD5: 0d5df43af2916f47d00c1573797c1a13
  SHA1: 230ab5559e806574d26b4c20847c368ed55483b0
  SHA256: c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
  SHA512: f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
- Filesize: 1.1MB
  MD5: 792fd93be2e9d6400bfefce7cbcc3826
  SHA1: a2387896de18a59a82921ea16124e68370ce5c5f
  SHA256: 27c8c0e9213039ccf70984927172acd31dc929f56967d626e7433675d6f56623
  SHA512: 22bc9c81cdeede2e3a1043a42b81e0a8dc1013886c93d74550d35a90b80c3461afc6bc3741cc0e549937351a70e3f495b8434b56fc41bebbb6c8c5e521a10923
- Filesize: 4KB
  MD5: 2069eaca0c1d1c2d240b2d3b77a91455
  SHA1: 22e8a0b6f132332a46d30e628d0134195612d114
  SHA256: c3bc63097615903a384066ac7a7618e02de868abc9c8a8feea2403b9a8ae4322
  SHA512: ef453c6ab8315776ab91ec9f904551d0ee878933f5e9c6565876e7566b07d44324c2f214533ed7471c3982a29a73a6a801732c3796c2874315ef52e219433da9
- Filesize: 476KB
  MD5: 844c2b03ed2b11b358484ea65f798e76
  SHA1: 238d7f9b6545db39b2e542e3561a4bde06085c3b
  SHA256: e625d9213c2b7cd35eaa4994b0dd304a14cd1ffb4a4839574d0a250a388ee30c
  SHA512: d4ec17b6133c08d9bd966049513b399cdd0f7f1c2415ee4e4b11ddca48689a63958457602ec1cc2b6dabc5c59c2896fa9d0534c5ead9ff0d0513f69675a4f343
- Filesize: 265KB
  MD5: d3e8861483ea654d69e2fdc92726e48a
  SHA1: 1e4b3dddb7b130961ac75831117578997377f2ab
  SHA256: fdba963c0b76fc75e1da7549d97e21eed56f24b1955c2f760dceca1b39216291
  SHA512: b2ada80b8889e5af6ce0dab98ea1846997195e26c7f5fc78c2310acc89dd5c24591ab645ad5488d60f03a7de9f012e273e97081b74ff36cac9ad58ccccb89250
- Filesize: 11KB
  MD5: f88b098d7e06201186101c6b920388c7
  SHA1: fa7af2010280629ac978b0de72c8f42d109ee3f0
  SHA256: dbc682be139069ba97823402d917244174bd35c0b69841b99d1cd3a5865529dc
  SHA512: e4745194a21f4fe59acbfc6764971cee83a16e8451ff10a32d48ce20d6f0bfa84307dc819c8645a1191d48cebde6519a9ba4e0cbaf561d23f5b39bb55cfb7048
- Filesize: 256KB
  MD5: 40573224ccacb0aa66b031a46a38b3a6
  SHA1: b4801575615f1576941896edaa81b84b7b8124a9
  SHA256: f6bb00459a40530999a6b031550fa3981f2c8b7223193f523cb97b54a8d23339
  SHA512: fe60b13e9070e364007241acf94546ce02d383c33e124cb0b9c2a14faa930956a92c0cac1117848cd6e8b0976eaf3cb3da88c6cd0a1b1262964ff64aec884a9f
- Filesize: 230KB
  MD5: 88258658a598bf06dff02ad9d69c871a
  SHA1: a89aa8f0cc2537074e3963f2cfbb9f866f22584d
  SHA256: e452f72364d521f921aa36df8947cc66620eae4376a3520d90b1a0f81e27e547
  SHA512: 72c0632d6611b102713ac2df74d4b1dd44ef9ea9fb2b88e073d533c13080ccd7af1c0d994d59e9e975e0a999102d6e2c06e0bad39e08fcada9c5811f4d1800f2
- Filesize: 429KB
  MD5: 73e923577c3b5e9a3f492198198b34c3
  SHA1: 2e857abf355fafc6f9f13ed676fe9482084a4405
  SHA256: 3d093c7f529bf4d0314f01b866310658f96fd3c2f64d625d23dbad1f709f8e3d
  SHA512: 16e9c714dab59e09a495ff6bf6a8d5edb8611558caf328b7e53b6ced2d075de6c8b1e64f0a3b192aae8dd4ae464faf2ec258061ce3fc056b09b26b92eda46e41
- Filesize: 200KB
  MD5: 6c160f6ee90ec3a3b97a8c69e3e0e1b8
  SHA1: ecf68690478a785df3b08cfc6b9aaf8d36c345df
  SHA256: 9434f8010736e971745756e04d2a8b4e5e746a7a0044c2b5b35eadba2e23afb7
  SHA512: 35c03a54b28cc174f6b2ff6954ec47e7fa1eb6b7a8c9c787a36f642a7c60decbca4ef1bd47fcfd333160a6097198567f9ec65bae39f160e24f0967fe7bf822fb
- Filesize: 127KB
  MD5: c3776fd0b0dde6ae8e53c264106e2780
  SHA1: 2eb2350514aa2a58cdf8bb73306dc52384863dd3
  SHA256: f5cc892b062fdc65a73397fc8f7bc6998ee37b9e206fbcc02e157e7fbce6f9d6
  SHA512: 3c37aa86aa590ab0e20130ab81fbfb67f743ff2d54e71915efb0a0ffc4b4f3a67165a066c5b5e229568274295252233ed41161d751403a9d06d1b6ce2a4444c2
- Filesize: 107KB
  MD5: 4caced05a0d5725cc85c1dbe44666d5f
  SHA1: e5986f3c3f336adf4577ed490a791da158785657
  SHA256: d07219c1214d1347a2d5b01c4abffe0ea7c67fc12f534788022da5240a993739
  SHA512: c22ab9bf4b1eb9b2f8bf20bb0628d4ae46a8861d4d6f1e64cce98d7a65c41fa47f3ef297dc3596247927e9db4a4fd40b8db7ab21145663311a96ef79fd5f8410