Analysis
max time kernel: 133s
max time network: 136s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 14/02/2024, 13:19
Static task: static1
Behavioral task: behavioral1 (sample @Base_1DS1.exe, resource win7-20231215-en)
Behavioral task: behavioral2 (sample @Base_1DS1.exe, resource win10v2004-20231215-en)
General
Target: @Base_1DS1.exe
Size: 1.7MB
MD5: 59502d555c1b2e38b3f99a80528993c0
SHA1: 156d99645955a3f043c5451c6b24c3fea29f50fa
SHA256: bf267c00c95c56860c6ebf052f927d0237be3b4499ad58d2a71449ff06a9ce5f
SHA512: b31afefa0506483dec837cbfc0edfcfec52be9578d9e7d884877ece26a3bd6612e7e658467b3a93ab84bd4d710c9fd3ee7afbb66e7b63c3ab080cc8137ebfc61
SSDEEP: 768:RQocZtO77mXVX8tLfcFY9Wshk458P/qqhdaahRLSqh3jHj8Yi6+PxWEKmwgDU9zw:G1n3FCjk4c87FPx97YzvY
Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 2512 created 1320 | 2512 | @Base_1DS1.exe | 14

Deletes itself (1 IoC)
  pid | Process
  2500 | dialer.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2292 | 3B9A.exe
  2592 | 3B9A.exe

Loads dropped DLL (7 IoCs)
  pid | Process
  2512 | @Base_1DS1.exe
  2292 | 3B9A.exe
  2592 | 3B9A.exe (5 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam_ = "C:\\ProgramData\\3B9A.exe" | reg.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2592 set thread context of 1764 | 2592 | 3B9A.exe | 37

Detects Pyinstaller (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x000a000000012247-1.dat | pyinstaller
  behavioral1/files/0x000a000000012247-4.dat | pyinstaller
  behavioral1/files/0x000a000000012247-19.dat | pyinstaller
  behavioral1/files/0x000a000000012247-18.dat | pyinstaller

Modifies registry key (1 TTP, 1 IoC)
  pid | Process
  2348 | reg.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2512 | @Base_1DS1.exe (2 entries)
  2500 | dialer.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: 35 | 2592 | 3B9A.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  description | pid | Process | procid_target
  PID 2512 wrote to memory of 2292 | 2512 | @Base_1DS1.exe | 29 (3 entries)
  PID 2292 wrote to memory of 2592 | 2292 | 3B9A.exe | 30 (3 entries)
  PID 2512 wrote to memory of 2500 | 2512 | @Base_1DS1.exe | 31 (5 entries)
  PID 2592 wrote to memory of 2764 | 2592 | 3B9A.exe | 34 (3 entries)
  PID 2764 wrote to memory of 2348 | 2764 | cmd.exe | 36 (3 entries)
  PID 2592 wrote to memory of 1764 | 2592 | 3B9A.exe | 37 (10 entries)
Processes (indentation and level number show the parent/child relationship)

1. C:\Windows\Explorer.EXE (PID 1320)
   command line: C:\Windows\Explorer.EXE

   2. C:\Users\Admin\AppData\Local\Temp\@Base_1DS1.exe (PID 2512)
      command line: "C:\Users\Admin\AppData\Local\Temp\@Base_1DS1.exe"
      signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

      3. C:\ProgramData\3B9A.exe (PID 2292)
         command line: "C:\ProgramData\3B9A.exe"
         signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

         4. C:\ProgramData\3B9A.exe (PID 2592)
            command line: "C:\ProgramData\3B9A.exe"
            signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

            5. C:\Windows\system32\cmd.exe (PID 2764)
               command line: C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Steam_ /t REG_SZ /d "C:\ProgramData\3B9A.exe""
               signatures: Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\reg.exe (PID 2348)
                  command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Steam_ /t REG_SZ /d "C:\ProgramData\3B9A.exe"
                  signatures: Adds Run key to start application; Modifies registry key

            5. C:\Windows\System32\mstsc.exe (PID 1764)
               command line: C:\\Windows\\System32\\mstsc.exe

   2. C:\Windows\system32\dialer.exe (PID 2500)
      command line: "C:\Windows\system32\dialer.exe"
      signatures: Deletes itself; Suspicious behavior: EnumeratesProcesses
Downloads