Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/02/2024, 13:19
- Static task: static1
- Behavioral task: behavioral1; Sample: @Base_1DS1.exe; Resource: win7-20231215-en
- Behavioral task: behavioral2; Sample: @Base_1DS1.exe; Resource: win10v2004-20231215-en
General
- Target: @Base_1DS1.exe
- Size: 1.7MB
- MD5: 59502d555c1b2e38b3f99a80528993c0
- SHA1: 156d99645955a3f043c5451c6b24c3fea29f50fa
- SHA256: bf267c00c95c56860c6ebf052f927d0237be3b4499ad58d2a71449ff06a9ce5f
- SHA512: b31afefa0506483dec837cbfc0edfcfec52be9578d9e7d884877ece26a3bd6612e7e658467b3a93ab84bd4d710c9fd3ee7afbb66e7b63c3ab080cc8137ebfc61
- SSDEEP: 768:RQocZtO77mXVX8tLfcFY9Wshk458P/qqhdaahRLSqh3jHj8Yi6+PxWEKmwgDU9zw:G1n3FCjk4c87FPx97YzvY
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description: PID 2656 created 2532; pid: 2656; Process: @Base_1DS1.exe; procid_target: 28
- Executes dropped EXE (2 IoCs)
  pid 3856, Process A160.exe
  pid 3928, Process A160.exe
- Loads dropped DLL (5 IoCs)
  pid 3928, Process A160.exe (listed 5 times, one per loaded DLL)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam_ = "C:\\ProgramData\\A160.exe"; Process: reg.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 3928 set thread context of 4872; pid: 3928; Process: A160.exe; procid_target: 101
- Detects Pyinstaller (3 IoCs)
  resource behavioral2/files/0x0007000000023112-2.dat, yara_rule pyinstaller
  resource behavioral2/files/0x0007000000023112-3.dat, yara_rule pyinstaller
  resource behavioral2/files/0x0007000000023112-17.dat, yara_rule pyinstaller
- Modifies registry key (1 TTP, 1 IoC)
  pid 2060, Process reg.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2656, Process @Base_1DS1.exe (2 hits)
  pid 4716, Process dialer.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: 35; pid: 3928; Process: A160.exe
- Suspicious use of WriteProcessMemory (21 IoCs; identical rows collapsed, count in last column)
  description                          pid   Process          procid_target  count
  PID 2656 wrote to memory of 3856     2656  @Base_1DS1.exe   84             2
  PID 3856 wrote to memory of 3928     3856  A160.exe         85             2
  PID 2656 wrote to memory of 4716     2656  @Base_1DS1.exe   86             4
  PID 3928 wrote to memory of 324      3928  A160.exe         98             2
  PID 324 wrote to memory of 2060      324   cmd.exe          100            2
  PID 3928 wrote to memory of 4872     3928  A160.exe         101            9
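The "Detects Pyinstaller" hits above come from a YARA rule over three dropped files, which suggests A160.exe is a PyInstaller-frozen program. The following is an added example, not part of the report or of any sandbox tooling: it confirms such a hit by locating the PyInstaller CArchive cookie (magic `MEI\x0c\x0b\x0a\x0b\x0e`, the 88-byte big-endian layout used since PyInstaller 2.1) at the end of a frozen executable and decoding it, which is also the first step of extracting the embedded Python code. The sample bytes are constructed inside the block; the dropped files themselves are not on this page.

```python
"""Locate and decode the PyInstaller CArchive cookie at the tail of a frozen EXE.
Added example for the 'pyinstaller' YARA hit above; the input is constructed here."""
import struct

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"        # PyInstaller CArchive magic
COOKIE_FMT = "!8sIIii64s"                  # magic, pkg_len, toc_off, toc_len, pyvers, pylibname
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes (PyInstaller 2.1 and later)


def find_pyinstaller_cookie(data: bytes):
    """Return the decoded cookie, or None when no consistent PyInstaller archive is present.

    Only the 88-byte cookie layout is handled; the 24-byte pre-2.1 layout is not.
    The last occurrence of MAGIC is used because the bootloader's own code may
    contain the magic string as a constant earlier in the file."""
    pos = data.rfind(MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None                        # no magic, or a truncated cookie
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    cookie_end = pos + COOKIE_LEN
    archive_start = cookie_end - pkg_len   # pkg_len covers the archive including the cookie
    if archive_start < 0 or toc_off + toc_len > pkg_len:
        return None                        # inconsistent lengths: not a real archive
    # Heuristic: the bootloader stores e.g. 311 for Python 3.11 and 27 for 2.7.
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return {
        "archive_offset": archive_start,
        "archive_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample(archive_body: bytes, pylib: bytes = b"python311.dll", pyvers: int = 311) -> bytes:
    """Constructed stand-in for a frozen EXE: a fake PE stub, an archive body, then the cookie.
    The TOC is placed in the last 32 bytes of the body so the length check is exercised."""
    stub = b"MZ" + b"\x00" * 100
    pkg_len = len(archive_body) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(archive_body) - 32, 32, pyvers, pylib)
    return stub + archive_body + cookie


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_sample(b"\x00" * 256)))
    print(find_pyinstaller_cookie(b"MZ" + b"\x90" * 512))   # None: no cookie present
```

On a real dropped file, read the bytes from disk and pass them to `find_pyinstaller_cookie`; `archive_offset` is where the CArchive begins inside the executable, and the TOC fields are what an extractor walks next.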
Processes
- C:\Windows\system32\sihost.exe (command line: sihost.exe), PID:2532
  - C:\Windows\system32\dialer.exe (command line: "C:\Windows\system32\dialer.exe"), PID:4716
      Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\@Base_1DS1.exe (command line: "C:\Users\Admin\AppData\Local\Temp\@Base_1DS1.exe"), PID:2656
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
  - C:\ProgramData\A160.exe (command line: "C:\ProgramData\A160.exe"), PID:3856
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
    - C:\ProgramData\A160.exe (command line: "C:\ProgramData\A160.exe"), PID:3928
          Executes dropped EXE
          Loads dropped DLL
          Suspicious use of SetThreadContext
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (command line: C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Steam_ /t REG_SZ /d "C:\ProgramData\A160.exe""), PID:324
            Suspicious use of WriteProcessMemory
        - C:\Windows\system32\reg.exe (command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Steam_ /t REG_SZ /d "C:\ProgramData\A160.exe"), PID:2060
              Adds Run key to start application
              Modifies registry key
      - C:\Windows\System32\mstsc.exe (command line: C:\\Windows\\System32\\mstsc.exe), PID:4872
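Three behaviours in the signatures and tree above are worth turning into detections: dialer.exe (PID 4716) sits under sihost.exe (PID 2532) while @Base_1DS1.exe (PID 2656) carries the OtherParentProcess flag and wrote to dialer.exe's memory; A160.exe (PID 3928) adds a Run value pointing at C:\ProgramData\A160.exe through cmd.exe and reg.exe; and A160.exe writes into and then sets the thread context of a freshly spawned mstsc.exe (PID 4872), the classic hollowing pair. The following added example (not from the report or the sandbox vendor) runs three detection functions over event records constructed to mirror the tree. The record shape, in particular the split between `creator_pid` (who called the create API) and `ppid` (the parent recorded on the new process), and the list of user-writable paths are this example's own assumptions about what API-level telemetry exposes, not a vendor schema.

```python
"""Detections modelled on the report above: parent-PID spoofing, Run-key
persistence into a user-writable path, and hollowing of a System32 binary.
All telemetry below is constructed for this example."""
import re

# Constructed events modelled on the process tree and signatures above.
# Field names are this example's own, not a vendor schema:
#   creator_pid = the process that issued the create call (API-monitor view)
#   ppid        = the parent recorded on the new process (what tree views show)
EVENTS = [
    {"type": "process_create", "pid": 4716, "ppid": 2532, "creator_pid": 2656,
     "image": r"C:\Windows\system32\dialer.exe",
     "cmdline": r'"C:\Windows\system32\dialer.exe"'},
    {"type": "process_write", "pid": 2656, "target_pid": 4716},
    {"type": "process_create", "pid": 3856, "ppid": 2656, "creator_pid": 2656,
     "image": r"C:\ProgramData\A160.exe", "cmdline": r'"C:\ProgramData\A160.exe"'},
    {"type": "process_create", "pid": 3928, "ppid": 3856, "creator_pid": 3856,
     "image": r"C:\ProgramData\A160.exe", "cmdline": r'"C:\ProgramData\A160.exe"'},
    {"type": "process_create", "pid": 324, "ppid": 3928, "creator_pid": 3928,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Steam_ /t REG_SZ /d "C:\ProgramData\A160.exe""'},
    {"type": "process_create", "pid": 4872, "ppid": 3928, "creator_pid": 3928,
     "image": r"C:\Windows\System32\mstsc.exe",
     "cmdline": r"C:\\Windows\\System32\\mstsc.exe"},
    {"type": "process_write", "pid": 3928, "target_pid": 4872},
    {"type": "set_thread_context", "pid": 3928, "target_pid": 4872},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)
REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\b", re.I)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
# Assumption: locations a standard user can write to; tune for the estate.
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:programdata|users\\[^\\]+\\appdata)\\", re.I)


def creates(events):
    return [e for e in events if e["type"] == "process_create"]


def detect_ppid_spoofing(events):
    """A creator that is not the recorded parent is how the sandbox's
    NtCreateUserProcessOtherParentProcess flag shows up in API telemetry.
    Returns (creator_pid, recorded_ppid, child_pid) per hit."""
    return [(e["creator_pid"], e["ppid"], e["pid"]) for e in creates(events)
            if e["creator_pid"] != e["ppid"]]


def detect_run_key_persistence(events):
    """'reg add' into the Run key whose value points at a user-writable path.
    Returns (pid, value_name, path) per hit."""
    hits = []
    for e in creates(events):
        cmd = e["cmdline"]
        if not (REG_ADD.search(cmd) and RUN_KEY.search(cmd)):
            continue
        name = re.search(r"/v\s+(\S+)", cmd, re.I)
        data = re.search(r'/d\s+"?([a-z]:\\[^"]+)', cmd, re.I)
        if data and USER_WRITABLE.match(data.group(1)):
            hits.append((e["pid"], name.group(1) if name else None, data.group(1)))
    return hits


def detect_hollowing(events):
    """Creator spawns a System32 binary, writes into it, then redirects a thread:
    the WriteProcessMemory + SetThreadContext pair the report shows for mstsc.exe.
    A write alone (dialer.exe above) is not enough to fire this rule."""
    image = {e["pid"]: e["image"] for e in creates(events)}
    spawned = {(e["creator_pid"], e["pid"]) for e in creates(events) if SYSTEM32.match(e["image"])}
    wrote = {(e["pid"], e["target_pid"]) for e in events if e["type"] == "process_write"}
    retargeted = {(e["pid"], e["target_pid"]) for e in events if e["type"] == "set_thread_context"}
    return sorted((image.get(p, "?"), image[c]) for p, c in spawned & wrote & retargeted)


if __name__ == "__main__":
    print("ppid spoofing:", detect_ppid_spoofing(EVENTS))
    print("run key     :", detect_run_key_persistence(EVENTS))
    print("hollowing   :", detect_hollowing(EVENTS))
```

The Run-key rule keys on the command line rather than on the registry write so it also catches the cmd.exe wrapper (PID 324) and not only reg.exe; in an estate with registry telemetry, match the same path predicate against the value data as well.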
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
  MD5: 1a9d5e0f653ba4febd116aac3acede80
  SHA1: 6f50831d6f82c486395320cd1742167547254a14
  SHA256: fc4202dfed94bca2c33a4d5a5b9184cf91a7af6a7ca648326465bdcb67202076
  SHA512: 371bb1f07aec9c6556bc84a1f18c96f768a053939876f4ea62a1f5f782f82bbe82f1a7a5bc1a2eb914b268741690429ab94dea285d6d445c1ca6a30da8ac4cb2
- Filesize: 2.0MB
  MD5: 1e421f397e353a129cc8cc17e15acdb2
  SHA1: aa8e1b66aa98e534cb4f27bec1f953ced478edb3
  SHA256: 21f4f7351aa2581f19d1dd84bc2afa95fa9a2cb68c864bff6c5514fe6bf2f512
  SHA512: daf99456f55069cd7120d0dcaeff666190c4625076d96c7f9bdd99701d1993f0e44be0db4c232a713859820ca76b36d73e77f26b94148e3d26c83d985351e4b8
- Filesize: 1.7MB
  MD5: eaf3cd92da3d96a05ed3a321f18a70b9
  SHA1: 30d1888d0c9041a03060000d55d365473e980473
  SHA256: c2aaba77053a06e92ec5e3d28fe752bd9a9e1e097de04a96a271eeaabf8edfb7
  SHA512: 2e75868f498ebb898e8b9128f659c0286efdc782cb932e11586896857c737b8482cf2b3e99eaa543878dc6f81b2755ea84126d46b21fe30c70ed7a9b81bde6bc
- Filesize: 64KB
  MD5: 6760de542daeaa3eda50af589fc4ab16
  SHA1: 4e32411e7ad25e33277b52d6d8e3ab7f1e0beb3f
  SHA256: f173d56365bf503e94884ee6df41c40a4feec2267ec022352f9b840fc406e017
  SHA512: 73a87532257d750c94edaf0d862ea052181d027eb1041a0490c8e0402d4d5e5e0772ea821bbf2c7163a219ffe071b647417053954d2662ce5b8bfa9befedca04
- Filesize: 85KB
  MD5: 89a24c66e7a522f1e0016b1d0b4316dc
  SHA1: 5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
  SHA256: 3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
  SHA512: e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a
- Filesize: 129KB
  MD5: 5e869eebb6169ce66225eb6725d5be4a
  SHA1: 747887da0d7ab152e1d54608c430e78192d5a788
  SHA256: 430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173
  SHA512: feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16
- Filesize: 38KB
  MD5: b32cb9615a9bada55e8f20dcea2fbf48
  SHA1: a9c6e2d44b07b31c898a6d83b7093bf90915062d
  SHA256: ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5
  SHA512: 5c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe
- Filesize: 1000KB
  MD5: 8386cf8add72bab03573064b6e1d89d2
  SHA1: c451d2f3eed6b944543f19c5bd15ae7e8832bbd4
  SHA256: 2eea4b6202a6a6f61cb4d75c78be5ec2e1052897f54973797885f2c3b24d202c
  SHA512: 2bb61f7fac7ecc7d5654756ae8286d5fd9e2730e6ac42f3e7516f598e00fd8b9b6d3e77373994bb31d89831278e6833d379f306d52033fa5c48a786ac67da2b2
- Filesize: 1.7MB
  MD5: c366bda8e33436c6ca876608870ff9db
  SHA1: af7c6aebd8237e30ef27f14925ea0faecb450dd2
  SHA256: 67881677f7f6c3cbaa37a7eefa6938bfd9cfdc00b42b5ef7afc21a02841998dc
  SHA512: 8af2d7099c76738ac2b0b1d9b7c01f2c087c105e5e033e85134482063037cba25e008c7925fc251fd3663b822827daf99ab8624d618a22889cd60fc9ef19c7c4
- Filesize: 1.2MB
  MD5: 340787e0f0cc87e460285a2306df3464
  SHA1: 48e4bc1bee6e5f77245d0fa72c3afddee9dbab6b
  SHA256: 1aeb1a289349743f1ffbf6922126f3d407723d07c5516f56522ccd007d97018a
  SHA512: c92b1e9930b897934c5c4c5bc14a9deca457dda4598105cefdfdf830e1b4892d68b1d5acee009d9d5d867a6a76d32adc0b33607a8d69924dba3dcc52e2ab7d93
- Filesize: 3.6MB
  MD5: c4709f84e6cf6e082b80c80b87abe551
  SHA1: c0c55b229722f7f2010d34e26857df640182f796
  SHA256: ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3
  SHA512: e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4
- Filesize: 817KB
  MD5: 3b1c67424a37dab33363780be65f795e
  SHA1: 36ed1ec6061d803752a74bc72055c51aa2ff9e5f
  SHA256: 41dfbcd0eed8dc96b35956ea3503b208bcb248e474c8d80f4f8797ec46857055
  SHA512: 505f697597d8a1bf30b8eb85d863923eaefc202e0481130542585dd04af935bb928b4dac8abff551a9255a28e2955a9f49801429d9e21afb4c4d450ae7b76728
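Working with the list above usually means feeding it to a blocklist or a hunt query. The following is an added example, not from the report or the sandbox vendor: a parser that reads this section as extracted, with the algorithm name either fused to the digest (`MD5<hex>`) or separated from it, validates every digest's length and hex alphabet, and emits a deduplicated hash set. The first two embedded entries are copied from the list above; the third is a deliberately malformed entry constructed to exercise the validation path.

```python
"""Parse the 'Downloads' hash list of a sandbox report into validated records.
Added example; the first two entries are from the report, the third is constructed."""
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Field name optionally followed by ':' and a value; the value may also be
# glued straight onto the name, which is how the page was extracted.
FIELD = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*:?\s*(\S+)?\s*$", re.I)
HEX = re.compile(r"^[0-9a-f]+$")

REPORT_DUMP = """
-
Filesize
64KB
MD51a9d5e0f653ba4febd116aac3acede80
SHA16f50831d6f82c486395320cd1742167547254a14
SHA256fc4202dfed94bca2c33a4d5a5b9184cf91a7af6a7ca648326465bdcb67202076
SHA512371bb1f07aec9c6556bc84a1f18c96f768a053939876f4ea62a1f5f782f82bbe82f1a7a5bc1a2eb914b268741690429ab94dea285d6d445c1ca6a30da8ac4cb2
- Filesize: 2.0MB
  MD5: 1e421f397e353a129cc8cc17e15acdb2
  SHA1: aa8e1b66aa98e534cb4f27bec1f953ced478edb3
  SHA256: 21f4f7351aa2581f19d1dd84bc2afa95fa9a2cb68c864bff6c5514fe6bf2f512
  SHA512: daf99456f55069cd7120d0dcaeff666190c4625076d96c7f9bdd99701d1993f0e44be0db4c232a713859820ca76b36d73e77f26b94148e3d26c83d985351e4b8
Filesize
1KB
MD5 deadbeef
SHA1 0000000000000000000000000000000000000000
"""
# The 1KB entry above is constructed: its MD5 is too short and SHA256/SHA512 are missing.


def parse_downloads(text):
    """Return one dict per entry. A 'Filesize' field starts a new entry, so the
    page's '-' separators and bullet markers can be ignored."""
    records, cur, pending = [], {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()
        if not line:
            continue
        if pending:                         # value sits on the line after a bare field name
            cur[pending], pending = line, None
            continue
        m = FIELD.match(line)
        if not m:
            continue
        name = m.group(1).upper()
        name = "Filesize" if name == "FILESIZE" else name
        if name == "Filesize" and cur:
            records.append(cur)
            cur = {}
        if m.group(2) is None:
            pending = name
        else:
            cur[name] = m.group(2)
    if cur:
        records.append(cur)
    return records


def validate(records):
    """Split records into (good, problems). A record is good when every digest
    is present, has the expected length and is hexadecimal."""
    good, problems = [], []
    for i, rec in enumerate(records):
        bad = [algo for algo, n in DIGEST_LEN.items()
               if not (rec.get(algo) and len(rec[algo]) == n and HEX.match(rec[algo].lower()))]
        if bad:
            problems.append((i, bad))
        else:
            good.append(rec)
    return good, problems


def hash_set(records, algo="SHA256"):
    """Deduplicated, lower-cased digests for one algorithm, ready for a blocklist."""
    return sorted({r[algo].lower() for r in records if algo in r})


if __name__ == "__main__":
    good, problems = validate(parse_downloads(REPORT_DUMP))
    print(len(good), "valid entries;", "problems:", problems)
    print(hash_set(good))
```

Only records that pass `validate` should reach a blocklist; a truncated digest that slips through silently matches nothing, which is worse than a loud parse failure.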