Analysis
max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-03-2024 21:36

Static task: static1
Behavioral task: behavioral1
  Sample: Installer (2).exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: Installer (2).exe
  Resource: win10v2004-20240226-en
  (The platform and resource fields above match behavioral2, so the signatures and process tree on this page are from the Windows 10 run.)

General
Target: Installer (2).exe
Size: 166.8MB
MD5: dc2cfdace871eb8499e326f155b01d63
SHA1: 3eb3fb28d2fed92c45f32d3e24d347bc32dd456f
SHA256: 2e1a346d13ae17dff86d8b824ec3b78e097827f67322c0c6175670db8c41303e
SHA512: b49fddcd033e953abbefa4ade4c69f6b96836cdfd70d197d5fbf9341cfa079c3b54dd50130bc697203d0e19124e35c13f33ac8a8adf111ce2143b1b48380c8cb
SSDEEP: 1572864:4BRO09akMhGIrAVqO9uP2WP2QW4Ev7K2hPt:4XO0bIrahB2Ev7K2hPt
Malware Config
Signatures
Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description            pid   Process            procid_target
  PID 4596 created 2596  4596  BitLockerToGo.exe  44
  (BitLockerToGo.exe created a process with its parent reassigned to sihost.exe, PID 2596. This is why dialer.exe, PID 3488, appears under sihost.exe in the process tree below even though 4596 is the process that wrote to its memory; see the WriteProcessMemory rows.)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation  (Installer (2).exe)

Executes dropped EXE (2 IoCs)
  pid   Process
  4992  connection1503.exe
  2348  update1503.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  4252  Installer (2).exe
  4252  Installer (2).exe
  4252  Installer (2).exe
  (The three DLLs are the *_cor3.dll files listed under Downloads, extracted by the .NET single-file host into %TEMP%\.net\Installer (2)\.)

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (BitLockerToGo.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (BitLockerToGo.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (BitLockerToGo.exe)
  (9375CFF0413111d3B88A00104B2A6676 is the Outlook profile subkey that holds mail account settings; the reads come from the BitLockerToGo.exe instance spawned by update1503.exe, PID 652, i.e. the injected stealer payload, not the legitimate binary.)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(1c1b225141144a7f5d8471014d922df5)update1503.exe = "C:\\Users\\Public\\AccountPictures\\(1c1b225141144a7f5d8471014d922df5)update1503.exe"  (update1503.exe)
  (The value name and the persisted path both embed 1c1b225141144a7f5d8471014d922df5, which is the MD5 of the 12.4MB file in the Downloads list. The persisted copy lives under C:\Users\Public rather than in the Program Files drop directory.)

Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  84    ipinfo.io
  20    api.ipify.org
  21    api.ipify.org
  83    ipinfo.io

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process             procid_target
  PID 4992 set thread context of 4596  4992  connection1503.exe  112
  PID 2348 set thread context of 652   2348  update1503.exe      118
  (Each dropped EXE sets the thread context of a BitLockerToGo.exe child it has just created and written to; see the WriteProcessMemory rows. Create, write, SetThreadContext is the standard process-hollowing sequence: the signed Windows binary is started, its memory is overwritten, and its main thread is pointed at the injected code.)

Drops file in Program Files directory (6 IoCs)
  File created: C:\Program Files\microsoftgame\update1503.zip  (Installer (2).exe)
  File created: C:\Program Files\microsoftgame\update1503.exe  (Installer (2).exe)
  File opened for modification: C:\Program Files\microsoftgame\update1503.exe  (Installer (2).exe)
  File created: C:\Program Files\microsoftgame\connection1503.zip  (Installer (2).exe)
  File created: C:\Program Files\microsoftgame\connection1503.exe  (Installer (2).exe)
  File opened for modification: C:\Program Files\microsoftgame\connection1503.exe  (Installer (2).exe)

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  1080  4596        WerFault.exe  112
  2116  4596        WerFault.exe  112

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (BitLockerToGo.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (BitLockerToGo.exe)

Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid   Process            occurrences
  2752  powershell.exe     3
  4548  powershell.exe     3
  3408  powershell.exe     3
  796   powershell.exe     3
  4596  BitLockerToGo.exe  2
  3488  dialer.exe         4
  652   BitLockerToGo.exe  2

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4252  Installer (2).exe
  Token: SeDebugPrivilege  2752  powershell.exe
  Token: SeDebugPrivilege  4548  powershell.exe
  Token: SeDebugPrivilege  4992  connection1503.exe
  Token: SeDebugPrivilege  3408  powershell.exe
  Token: SeDebugPrivilege  796   powershell.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  4252  Installer (2).exe

Suspicious use of WriteProcessMemory (27 IoCs; repeated rows collapsed into an occurrences column)
  description                       pid   Process             procid_target  occurrences
  PID 4252 wrote to memory of 4548  4252  Installer (2).exe   98             2
  PID 4252 wrote to memory of 2752  4252  Installer (2).exe   99             2
  PID 4252 wrote to memory of 4992  4252  Installer (2).exe   104            2
  PID 4252 wrote to memory of 3408  4252  Installer (2).exe   105            2
  PID 4252 wrote to memory of 796   4252  Installer (2).exe   106            2
  PID 4252 wrote to memory of 2348  4252  Installer (2).exe   111            2
  PID 4992 wrote to memory of 4596  4992  connection1503.exe  112            5
  PID 4596 wrote to memory of 3488  4596  BitLockerToGo.exe   113            5
  PID 2348 wrote to memory of 652   2348  update1503.exe      118            5
  (Two writes per child from Installer (2).exe are the normal CreateProcess bookkeeping; the five-write groups into 4596, 3488 and 652 are the injection payloads.)

outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (BitLockerToGo.exe)

outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (BitLockerToGo.exe)
Processes
(Indentation shows parent/child depth; the first line of each entry is the image path, the second the recorded command line.)

C:\Windows\system32\sihost.exe  [PID 2596]
    sihost.exe
  C:\Windows\SysWOW64\dialer.exe  [PID 3488]
      "C:\Windows\system32\dialer.exe"
      - Suspicious behavior: EnumeratesProcesses
      (Listed under sihost.exe only because its parent was reassigned; it was created by BitLockerToGo.exe, PID 4596, per the NtCreateUserProcessOtherParentProcess and WriteProcessMemory signatures. The image path is under SysWOW64 while the command line names system32: WOW64 file-system redirection, so this is a 32-bit process.)

C:\Users\Admin\AppData\Local\Temp\Installer (2).exe  [PID 4252]
    "C:\Users\Admin\AppData\Local\Temp\Installer (2).exe"
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 4548]
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/microsoftgame'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 2752]
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/microsoftgame'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Program Files\microsoftgame\connection1503.exe  [PID 4992]
      "C:\Program Files\microsoftgame\connection1503.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe  [PID 4596]
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe  [PID 1080]
          C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 448
          - Program crash
      C:\Windows\SysWOW64\WerFault.exe  [PID 2116]
          C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 424
          - Program crash
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 3408]
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/microsoftgame'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 796]
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/microsoftgame'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Program Files\microsoftgame\update1503.exe  [PID 2348]
      "C:\Program Files\microsoftgame\update1503.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe  [PID 652]
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        - Accesses Microsoft Outlook profiles
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - outlook_office_path
        - outlook_win_path
  (The installer runs the same Defender exclusion twice before launching each dropped EXE, so C:\Program Files\microsoftgame is excluded from scanning before connection1503.exe and again before update1503.exe start. The forward-slash path form is reproduced as the sample used it. Both dropped EXEs then hollow a fresh BitLockerToGo.exe; the first instance, PID 4596, crashed twice under WerFault, the second, PID 652, ran the Outlook-profile collection.)

C:\Windows\SysWOW64\WerFault.exe  [PID 5116]
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4596 -ip 4596

C:\Windows\SysWOW64\WerFault.exe  [PID 4804]
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4596 -ip 4596

C:\Windows\System32\rundll32.exe  [PID 2248]
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
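The tree and signatures above give a detection engineer four concrete behaviours to alert on: a Defender exclusion added from a PowerShell command line, a process whose real creator differs from its recorded parent, a signed Windows binary started without arguments by a dropped executable (the hollowing target), and a Run key pointing into a user-writable directory. The following is an added example, not part of the sandbox report or its tooling: it applies those four checks to hand-constructed Sysmon-style events that mirror this process tree. The creator_pid field is an assumption, since Sysmon event 1 records only the (spoofable) parent; a kernel ETW or EDR source is needed to populate it.

```python
"""Detection checks for the behaviours in this report, run over constructed
Sysmon-style events that mirror the process tree above (added example; the
events are hand-written from the report, not sandbox telemetry)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """Process-creation event (Sysmon EID 1 fields plus one assumed field)."""
    pid: int
    ppid: int            # parent as recorded by the kernel; may be spoofed
    image: str
    cmdline: str
    creator_pid: Optional[int] = None   # assumed to come from kernel ETW/EDR, not Sysmon


@dataclass
class RegEvent:
    """Registry value-set event (Sysmon EID 13 fields)."""
    pid: int
    image: str
    key: str
    value: str


EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def has_args(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) program token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(" ", 1)[1] if " " in s else ""
    return rest.strip() != ""


def is_windows_image(image: str) -> bool:
    return image.lower().startswith("c:\\windows\\")


def detect(procs: List[ProcEvent], regs: List[RegEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) tuples, in event order."""
    findings: List[Tuple[str, int, str]] = []
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        # 1. Defender exclusion added from a command line (the Add-MpPreference calls above)
        if "powershell" in p.image.lower() and EXCLUSION_RE.search(p.cmdline):
            findings.append(("defender_exclusion", p.pid, p.cmdline))
        # 2. Parent-PID spoofing: the creator is not the recorded parent
        if p.creator_pid is not None and p.creator_pid != p.ppid:
            findings.append(("ppid_spoof", p.pid,
                             f"created by {p.creator_pid}, parent recorded as {p.ppid}"))
        # 3. Hollowing candidate: Windows binary, no arguments, non-Windows parent
        parent = by_pid.get(p.ppid)
        if (parent is not None and is_windows_image(p.image)
                and not is_windows_image(parent.image) and not has_args(p.cmdline)):
            findings.append(("hollow_candidate", p.pid, f"{parent.image} -> {p.image}"))
    for r in regs:
        # 4. Run-key persistence whose target sits in a user-writable directory
        if RUN_KEY_RE.search(r.key) and any(d in r.value.lower() for d in USER_WRITABLE):
            findings.append(("run_key_user_writable", r.pid, r.value))
    return findings


# Constructed events: PIDs, images and command lines copied from the tree above.
PROCS = [
    ProcEvent(2596, 1, r"C:\Windows\system32\sihost.exe", "sihost.exe"),
    ProcEvent(4252, 1, r"C:\Users\Admin\AppData\Local\Temp\Installer (2).exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Installer (2).exe"'),
    ProcEvent(4548, 4252, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"powershell.exe\" Add-MpPreference -ExclusionPath 'C:/Program Files/microsoftgame'"),
    ProcEvent(4992, 4252, r"C:\Program Files\microsoftgame\connection1503.exe",
              r'"C:\Program Files\microsoftgame\connection1503.exe"'),
    ProcEvent(4596, 4992, r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
              r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"),
    # dialer.exe records sihost.exe as parent; the assumed creator field says 4596 made it
    ProcEvent(3488, 2596, r"C:\Windows\SysWOW64\dialer.exe", r'"C:\Windows\system32\dialer.exe"',
              creator_pid=4596),
]
REGS = [
    RegEvent(2348, "update1503.exe",
             r"HKU\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(1c1b225141144a7f5d8471014d922df5)update1503.exe",
             r"C:\Users\Public\AccountPictures\(1c1b225141144a7f5d8471014d922df5)update1503.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(PROCS, REGS):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

Rule 3 is deliberately narrow: powershell.exe launched by the installer has arguments and is not flagged, while BitLockerToGo.exe launched bare from C:\Program Files\microsoftgame is. In production the SetThreadContext step that the sandbox saw is not visible to Sysmon, so rule 3 is the proxy for it; rule 2 only works where the telemetry exposes the creating process.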
Network
MITRE ATT&CK Enterprise v15
Downloads
(Dropped files recorded during the run. Entries without a path were reported by the sandbox without one; the hashes are listed as given.)

Filesize: 20.1MB
MD5: e805962996160817b81d5851ac0efe64
SHA1: d9cfca926d93576360f2bec2e0a1ae4bd05f3e69
SHA256: 2b45d2908e1e194d8fbd037b8f1bd4235ac1146eb1d7927e94631e1da8038684
SHA512: c27dfad849a081b7e6b11d93ade474890d5ea38220e92dc090e082675470458cc62cb23dce59f5bde6148856c320aabb743cb59cf950a75e0e4a0ace90e2470f

Filesize: 23.3MB
MD5: 0d12580a46ba44883c4dbcd83700cfa0
SHA1: 760e448b1a568e262c681f463bebef781e2152b2
SHA256: a32260f5dd057b844e6e96d19162809e9e774cddc6482c51692d63a4edf638a8
SHA512: 8c1cb27343848ac43fc13c46aea51c935b061a4b6629d1b6e67de20768a511431e376dcf21afdd7e0e06b3cf81aed62bc1264a095c7540a61638f04a51cb762d

Filesize: 12.4MB
MD5: 1c1b225141144a7f5d8471014d922df5
SHA1: 85d73110c2ecbde1c06ae4adf11ab47335babc2e
SHA256: 9e12431b004e595078703b10fe7e69f8d47243e3cde9bec1caa1ed384aa0ae79
SHA512: 3a9d4816ffd298adec4fe786f18ec8a72301f61ebd89c4b561b6b8ef8ffb4e7efbcdcd6049c184b76596491e3248e49ce31fe95961268f911116c04f9041338c
(This MD5 is the one embedded in the Run-key value name (1c1b225141144a7f5d8471014d922df5)update1503.exe in the Signatures section, so this entry is the persisted copy of update1503.exe.)

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: 77d622bb1a5b250869a3238b9bc1402b
SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Filesize: 944B
MD5: 1099dc40baabde4be41cc1faf6353f7d
SHA1: 345705c6b9adc64389b6d142e7484d0cdd4f2bd0
SHA256: 6cec99d44ed65e73240a96691f299a41e944a9c8f59c543df3ecd73d95c8bf40
SHA512: 6315f1089cc8139531acc422741290c84a60841a65a8cc9844cd907c96694d33d164120c36f460a0bef03e67e2a60c33f9c968ac41edf3dd82cab015e00e74a1

C:\Users\Admin\AppData\Local\Temp\.net\Installer (2)\a8aMwpSmSRiydchTZFml8SDbGi80c5Y=\D3DCompiler_47_cor3.dll
Filesize: 4.7MB
MD5: a7b7470c347f84365ffe1b2072b4f95c
SHA1: 57a96f6fb326ba65b7f7016242132b3f9464c7a3
SHA256: af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a
SHA512: 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

C:\Users\Admin\AppData\Local\Temp\.net\Installer (2)\a8aMwpSmSRiydchTZFml8SDbGi80c5Y=\PresentationNative_cor3.dll
Filesize: 1.2MB
MD5: 0c147149b444748dae0a04e2e3d3269a
SHA1: f7edbcd6d1d6b199b6c997d6b781a794d736d3ff
SHA256: e284235a4d6e5d905692351cdfe8bc42ed842df8e5a8eb42fde90d1c3e2e90fa
SHA512: ec057829c03623cabc5a42ddebec9b75107f987eaf9cb642f3f1aed4d4c64c544f60a1dc7bc4208e025bce38c72091e615ac2fd9f1bd27651d49addcb0ae8b36

C:\Users\Admin\AppData\Local\Temp\.net\Installer (2)\a8aMwpSmSRiydchTZFml8SDbGi80c5Y=\wpfgfx_cor3.dll
Filesize: 1.9MB
MD5: 2ca3138aeb800aefe337d433f1590213
SHA1: 0bbbd04df098d88daac40f7eac8740c6b26607ee
SHA256: 053eee8408b8979a6cea211a5ee11a3f22b0090f8e6988013a79523aa25439cb
SHA512: 61151f56a403b327e3ac24fd34dc22baf5049cf3d97a5bca71aa0aa7d0c1f15fb0c6c4230b849ac2763a7f1a1d34c989f71c3201938833947934d46c34e801fe
(The three *_cor3.dll files are the native WPF dependencies that a self-contained single-file .NET application extracts to %TEMP%\.net\<app name>\<bundle id>\ on first start; they match the three "Loads dropped DLL" IoCs and show that Installer (2).exe is a .NET WPF executable rather than a native one. Their hashes identify the runtime, not the malware, and should not go on a blocklist.)

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 116KB
MD5: f70aa3fa04f0536280f872ad17973c3d
SHA1: 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256: 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512: 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Filesize: 92KB
MD5: d8258cfea30050e289acf9aa882159f2
SHA1: 26acf382025e2880308c3cb82ee11b935f52d6fa
SHA256: 97f3a97af8aad5da47509b3b5639b85c82f5b67fb34193ef409c9bb84c2e334b
SHA512: caa184c63653b9b8be5b76833be8caf40d8a6804cc26b329d955e5b59e5cf75c0e9e654f5e4fef9fdb76536f43fe3d9a4017a3446f0610d6df61f3737f44a74a
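Sandbox exports like this one arrive as flat text with the hash algorithm fused to its value, and the only link between the persisted file and the Downloads list is the MD5 embedded in the Run-key value name. The following added example (not part of the report or the sandbox's tooling) parses an excerpt of this page, rebuilds the dropped-file entries, and correlates the Run-key name with the file hashes. The REPORT string is copied from the lines above; the parsing rules (a Filesize line opens an entry, a preceding drive-letter line is its path, hash tags are validated by digest length) are assumptions about this page's layout.

```python
"""IoC extraction from the flattened listing above: rebuild the dropped-file
entries, pull the Run-key write, and correlate the MD5 in the Run-key value
name with the dropped files (added example; REPORT is an excerpt of this page)."""
import re
from typing import Dict, List, Optional, Tuple

REPORT = r"""
Adds Run key to start application
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(1c1b225141144a7f5d8471014d922df5)update1503.exe = "C:\\Users\\Public\\AccountPictures\\(1c1b225141144a7f5d8471014d922df5)update1503.exe" update1503.exe
Downloads
Filesize
20.1MB
MD5e805962996160817b81d5851ac0efe64
SHA1d9cfca926d93576360f2bec2e0a1ae4bd05f3e69
SHA2562b45d2908e1e194d8fbd037b8f1bd4235ac1146eb1d7927e94631e1da8038684
Filesize
12.4MB
MD51c1b225141144a7f5d8471014d922df5
SHA185d73110c2ecbde1c06ae4adf11ab47335babc2e
SHA2569e12431b004e595078703b10fe7e69f8d47243e3cde9bec1caa1ed384aa0ae79
C:\Users\Admin\AppData\Local\Temp\.net\Installer (2)\a8aMwpSmSRiydchTZFml8SDbGi80c5Y=\wpfgfx_cor3.dll
Filesize1.9MB
MD52ca3138aeb800aefe337d433f1590213
SHA10bbbd04df098d88daac40f7eac8740c6b26607ee
SHA256053eee8408b8979a6cea211a5ee11a3f22b0090f8e6988013a79523aa25439cb
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
SIZE = r"\d+(?:\.\d+)?(?:B|KB|MB|GB)"
FILESIZE_RE = re.compile(rf"^Filesize\s*({SIZE})?$")      # "Filesize" or fused "Filesize1.9MB"
SIZE_RE = re.compile(rf"^{SIZE}$")                         # size on the following line
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
RUN_RE = re.compile(r'\\Run\\([^\s=]+)\s*=\s*"([^"]+)"')

Entry = Dict[str, Optional[str]]


def parse_downloads(text: str) -> List[Entry]:
    """Rebuild dropped-file entries; a path line, when present, precedes its Filesize."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    pending_path: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILESIZE_RE.match(line)
        if m:
            cur = {"path": pending_path, "size": m.group(1)}
            pending_path = None
            entries.append(cur)
            continue
        if cur is not None and cur["size"] is None and SIZE_RE.match(line):
            cur["size"] = line
            continue
        h = HASH_RE.match(line)
        if h and cur is not None:
            algo, hexval = h.group(1).lower(), h.group(2).lower()
            if len(hexval) == HASH_LEN[algo]:    # reject a tag split at the wrong place
                cur[algo] = hexval
            continue
        if PATH_RE.match(line):
            pending_path = line
    return entries


def parse_run_keys(text: str) -> List[Tuple[str, str]]:
    """(value name, data) for every Run-key write in the text."""
    return RUN_RE.findall(text)


def correlate(entries: List[Entry], run_keys: List[Tuple[str, str]]) -> List[Tuple[str, Optional[str], str]]:
    """(md5, size, run-key name) where a dropped file's MD5 appears in a Run-key name or data."""
    hits = []
    for e in entries:
        md5 = e.get("md5")
        if not md5:
            continue
        for name, data in run_keys:
            if md5 in name.lower() or md5 in data.lower():
                hits.append((md5, e["size"], name))
    return hits


def sha256_blocklist(entries: List[Entry]) -> List[str]:
    """Deduplicated SHA256 set; filter out runtime DLLs before shipping it."""
    return sorted({e["sha256"] for e in entries if e.get("sha256")})


if __name__ == "__main__":
    ents = parse_downloads(REPORT)
    for md5, size, name in correlate(ents, parse_run_keys(REPORT)):
        print(f"{size} file with MD5 {md5} is persisted via Run value {name}")
    print("\n".join(sha256_blocklist(ents)))
```

The digest-length check is what makes the fused-tag format safe to parse: "SHA1" followed by forty hex digits and "SHA256" followed by sixty-four cannot be confused even though one prefix is a prefix of the other.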