Analysis

max time kernel: 53s
max time network: 55s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 27-03-2024 12:17

Static task: static1

Behavioral task: behavioral1
  Sample: Install.rar
  Resource: win10-20240221-en

Behavioral task: behavioral2
  Sample: Install.rar
  Resource: win10v2004-20240226-en
General

Target: Install.rar
Size: 61.4MB
MD5: 5f7f0719185c557e89ebc334ad5c9765
SHA1: 90d9c887a28e4505ae6c011de64740e397a515ed
SHA256: 665b6767c9cbac7ece13f2d205e778d2a1fa07d650e858743ae8e28ffc7d161d
SHA512: ecdcf5ec5e6c49f666acad82e9a117438a18d05740c759f1f21a8033e964124591043a0cb856b2b09a8a828d208b7671842149fbe108f851a30e284f31e0c585
SSDEEP: 1572864:gW1mazO3YnHg9XkE0A6tETkE8+Zeq3bR5uVIRQidat:gWEYHg9Xb0qTkE77/uVIRQIY
Malware Config
Signatures
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description             pid   process     procid_target
  PID 2288 created 2692   2288  RegAsm.exe  51

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  4836  Install.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process      procid_target
  PID 4836 set thread context of 2288  4836  Install.exe  83

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (3 IoCs)
Processes:
  pid   pid_target  process       procid_target
  2140  4836        WerFault.exe  81
  1596  2288        WerFault.exe  83
  4564  2288        WerFault.exe  83

Modifies registry class (1 IoC)
Processes:
  description  ioc                                                                                  process
  Key created  \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings  cmd.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process
  2288  RegAsm.exe
  2288  RegAsm.exe
  1544  dialer.exe
  1544  dialer.exe
  1544  dialer.exe
  1544  dialer.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  2972  7zFM.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                 pid   process
  Token: SeRestorePrivilege   2972  7zFM.exe
  Token: 35                   2972  7zFM.exe
  Token: SeSecurityPrivilege  2972  7zFM.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process
  2972  7zFM.exe
  2972  7zFM.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                       pid   process      procid_target
  PID 2772 wrote to memory of 2972  2772  cmd.exe      76
  PID 2772 wrote to memory of 2972  2772  cmd.exe      76
  PID 4836 wrote to memory of 2288  4836  Install.exe  83
  PID 4836 wrote to memory of 2288  4836  Install.exe  83
  PID 4836 wrote to memory of 2288  4836  Install.exe  83
  PID 4836 wrote to memory of 2288  4836  Install.exe  83
  PID 4836 wrote to memory of 2288  4836  Install.exe  83
  PID 4836 wrote to memory of 2288  4836  Install.exe  83
  PID 4836 wrote to memory of 2288  4836  Install.exe  83
  PID 4836 wrote to memory of 2288  4836  Install.exe  83
  PID 4836 wrote to memory of 2288  4836  Install.exe  83
  PID 4836 wrote to memory of 2288  4836  Install.exe  83
  PID 4836 wrote to memory of 2288  4836  Install.exe  83
  PID 2288 wrote to memory of 1544  2288  RegAsm.exe   86
  PID 2288 wrote to memory of 1544  2288  RegAsm.exe   86
  PID 2288 wrote to memory of 1544  2288  RegAsm.exe   86
  PID 2288 wrote to memory of 1544  2288  RegAsm.exe   86
  PID 2288 wrote to memory of 1544  2288  RegAsm.exe   86
Processes

c:\windows\system32\sihost.exe  (PID 2692)
  command line: sihost.exe

  C:\Windows\SysWOW64\dialer.exe  (PID 1544)
    command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\cmd.exe  (PID 2772)
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Install.rar
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Program Files\7-Zip\7zFM.exe  (PID 2972)
    command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Install.rar"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe  (PID 3132)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Install.exe  (PID 4836)
  command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 2288)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe  (PID 1596)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 608
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 4564)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 616
      - Program crash

  C:\Windows\SysWOW64\WerFault.exe  (PID 2140)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 804
    - Program crash
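Read together, the signature rows and the process tree describe one injection chain: Install.exe (4836) launches RegAsm.exe (2288), writes into it eleven times and resets a thread context there (the process-hollowing sequence), and the hollowed RegAsm.exe then spawns dialer.exe (1544) with sihost.exe (2692) recorded as its parent, which is why dialer.exe sits under sihost.exe in the tree. The script below is an added example, not part of the sandbox report and not the sandbox's own logic: it rebuilds that chain from constructed event records whose PIDs and image names are taken from the report, and flags hollowing and parent-PID spoofing from the primitives alone. The event schema (kind, src, dst, parent) is this script's assumption, the "create" rows are read off the tree rather than the signature tables, and the cmd.exe writes into 7zFM.exe are included to show why WriteProcessMemory by itself is not the indicator.

```python
"""Rebuild the injection chain from process-level events.

Added example, not part of the sandbox report. The records below are
constructed from the PIDs and image names in the report's Signatures and
Processes sections; the event schema (kind, src, dst, parent) is this
script's own and does not mirror the sandbox's internal tables.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    kind: str                      # "create", "write_memory" or "set_thread_context"
    src: int                       # PID performing the action
    dst: int                       # PID acted upon
    parent: Optional[int] = None   # for "create": parent PID the OS recorded for dst


NAMES = {
    2692: "sihost.exe", 2772: "cmd.exe", 2972: "7zFM.exe",
    4836: "Install.exe", 2288: "RegAsm.exe", 1544: "dialer.exe",
}

# Constructed from the report: "create" rows come from the process tree,
# the remaining rows from the signature tables.
EVENTS = (
    [Event("create", 2772, 2972, parent=2772)]     # cmd.exe -> 7zFM.exe
    + [Event("write_memory", 2772, 2972)] * 2      # ordinary CreateProcess start-up writes
    + [Event("create", 4836, 2288, parent=4836)]   # Install.exe -> RegAsm.exe
    + [Event("set_thread_context", 4836, 2288)]
    + [Event("write_memory", 4836, 2288)] * 11
    + [Event("create", 2288, 1544, parent=2692)]   # RegAsm.exe -> dialer.exe, parent recorded as sihost.exe
    + [Event("write_memory", 2288, 1544)] * 5
)


def pairs(events, kind):
    """(src, dst) pairs for one event kind."""
    return {(e.src, e.dst) for e in events if e.kind == kind}


def find_hollowing(events):
    """Creators that both write into a child and reset a thread context there.

    That is the process-hollowing sequence: CreateProcess(CREATE_SUSPENDED),
    WriteProcessMemory to replace the image, SetThreadContext to point the
    primary thread at the new entry, then ResumeThread.
    """
    return sorted(pairs(events, "create")
                  & pairs(events, "write_memory")
                  & pairs(events, "set_thread_context"))


def find_ppid_spoofing(events):
    """Creations whose recorded parent is not the process that called
    NtCreateUserProcess (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS in use)."""
    return [(e.src, e.parent, e.dst) for e in events
            if e.kind == "create" and e.parent != e.src]


def write_counts(events):
    """WriteProcessMemory calls per (writer, target). A parent needs only a
    couple during normal start-up; replacing a whole image takes many more."""
    return Counter((e.src, e.dst) for e in events if e.kind == "write_memory")


def describe(pid):
    return f"{NAMES.get(pid, '?')} ({pid})"


def report(events):
    """Human-readable findings, one line each."""
    counts = write_counts(events)
    lines = []
    for src, dst in find_hollowing(events):
        lines.append(f"process hollowing: {describe(src)} -> {describe(dst)}, "
                     f"{counts[(src, dst)]} memory writes")
    for creator, parent, child in find_ppid_spoofing(events):
        lines.append(f"PPID spoofing: {describe(creator)} spawned {describe(child)} "
                     f"with parent recorded as {describe(parent)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(EVENTS)))
```

The cmd.exe to 7zFM.exe pair survives the write-memory filter but not the thread-context one, so it is not reported; the two WerFault.exe rows for PID 2288 are consistent with the replaced image crashing inside the hollowed host, which a parent-child check alone would not explain.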
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 438KB
MD5: e40eaf172baa952af63da4afc6b8a9e3
SHA1: a9cbc97a377d8ff56bfe98311bd22908ae36e71f
SHA256: 7beb7853a6d9de5ca7e8b0e759e1a643d18584e2a04979d75d9cfd28011aec8c
SHA512: 62b8fc5680d8e27c9f9fe5376b3bddfb9204ff1e1f25e6ecf92d9d90d9dec33f27bf89be1f41e82414cd1353d9f63273b6720562ec46f3c29d0ef8775fe1db4f