Analysis

  • max time kernel
    315s
  • max time network
    888s
  • platform
    windows10-1703_x64
  • resource
    win10-20240319-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240319-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    28-03-2024 03:20

General

  • Target

    ChromeSetup.exe

  • Size

    1.0MB

  • MD5

    2366f34130db5f39d0d5255782974392

  • SHA1

    6323dd08850cdea997298f91f74078cf0c8e78a2

  • SHA256

    9e495b41518154b5c5cb3fff866aa26c894adf164b2639f05ba23bb5e75be5ef

  • SHA512

    e1a86be3970385627fd110d18a9ba56034cd601c046dbcead2bb5e1e4d0b665c8693c2a0cbd15b3f373b4c018579114640c6d0d0de41081cabae1e424c580803

  • SSDEEP

    12288:zN7PaOir036Rc10z4JXP+H6oZjkg6aYGCPYx+f7W7ufszMIRVRHqz7Iqse4sIQeI:zN7JE0Q60zOWHrYgsGCT7nfKJTe1NTp

Score
10/10

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • c:\windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:3144
    • C:\Windows\SysWOW64\dialer.exe
      "C:\Windows\system32\dialer.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4628
  • C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:192
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa.exe opssvc.exe"
        3⤵
        PID:5020
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2744
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        3⤵
        PID:4040
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 16592
        3⤵
        PID:3776
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 16592\Donations.pif
        3⤵
        PID:4112
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b Src + Expressions + Safari + Treasury 16592\x
        3⤵
        PID:2564
      • C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif
        16592\Donations.pif 16592\x
        3⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3896
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 832
          4⤵
          • Program crash
          PID:4176
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 5 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1260

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif
    Filesize
    872KB
    MD5
    6ee7ddebff0a2b78c7ac30f6e00d1d11
    SHA1
    f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
    SHA256
    865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
    SHA512
    57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

  • C:\Users\Admin\AppData\Local\Temp\16592\x
    Filesize
    870KB
    MD5
    a91c6eadc37c8082fcd0d8fd1762b8fe
    SHA1
    73ce49f75160ed5dafb1b8483111f5d383e919c2
    SHA256
    4b47058fa38dcae6c5f596fad0f2dcea2071b59e8d8a7b9e26a8585cf7119b69
    SHA512
    0a5e077e0241941b8d6032dc8920a363a8bddbde52cfef940940da5d0a7244febf22824a290c75741d450ae4dd099bfcba1f20b99dcdbb1e06cfcbf4546460b8

  • C:\Users\Admin\AppData\Local\Temp\Bathrooms
    Filesize
    13KB
    MD5
    b51276964bb7d7ced0ca782c1505d9ca
    SHA1
    961d8f2ed348d6bfe38f109e97ab8b55db14591c
    SHA256
    55cc097b9fcc03fd4c728618889b48973ed7bcf36057edd819ef475f4aca9403
    SHA512
    fd485c564a64fdb53546c5ddee7dbd52fffea81405d81f49d3a7e1081f892f720120448ecb11190623e7e909683170ece6abaea090cdc857b62b17f1a9d2c547

  • C:\Users\Admin\AppData\Local\Temp\Compound
    Filesize
    280KB
    MD5
    d63c5479fd18f86817d489744a338751
    SHA1
    82385a52bb5485fab0a3d1e7f9a3661bf35d3098
    SHA256
    3f7aa56dfd875ebf6e3aa86be897f65302f88e4022cf2dc984fdb4ac9cff0037
    SHA512
    da8a157239ef59e683b2ad06492136cfc52550af0947bb812fc7795f02ab0e09cf510b701a9e247b0ec197879028778a0af8daf01589d1a53090aa4f91bf0361

  • C:\Users\Admin\AppData\Local\Temp\Emotions
    Filesize
    139KB
    MD5
    569505062321992f4e2803461c40e724
    SHA1
    b62f7987f92b4397b02b6894e759096fdee1f7db
    SHA256
    748a3b063eff70ed5ba8a3a2590f409e5ec79d84d402abae5bb26b42e204e434
    SHA512
    2d23a0322100f570f2298230338c68bd23b683cae2e9a0f27bd5098a6f1c15699d3ba77a319786df34a60739a79f863adb190b6c3aa5fbc06030ae1872cb71fd

  • C:\Users\Admin\AppData\Local\Temp\Expressions
    Filesize
    278KB
    MD5
    6ff11c454a1191120b1f963b120ae6b1
    SHA1
    9476d445caccd7a725836c102154e4ba17cbc969
    SHA256
    b0ba9def393d4b5c8f560143c57b6c6a88a057c0291515ade7fa8fb195e03898
    SHA512
    fee76d9d7d4b824b224b8c7d459f4c75aa8003424395cb3bcfa797fd96115dacacce8b860b3e080ee114e2030e8623675371c9a1212ee4499ed95b62768b4754

  • C:\Users\Admin\AppData\Local\Temp\Injection
    Filesize
    221KB
    MD5
    ec92f2e791b5ca001d95fdd601cd73b3
    SHA1
    4aec16ee635e9eea9732a45d79f9ab8393e966fa
    SHA256
    ec34737bf586761c5b037e97e4fb4351cf6759e8ce40e5dbaabfe60a44be5179
    SHA512
    6a5fde00eabb3e36e698b9dc9a5417ab58cbdb866d75a3b49885974b8a1995b64c094532324e9e4187d76990b02910845e63ca00d9bc2026ae77819a5708bd3b

  • C:\Users\Admin\AppData\Local\Temp\Participants
    Filesize
    101KB
    MD5
    2e6d79912a858f8e13ce1384b18495d1
    SHA1
    a509ff203fcd463cc11ec1ebbe5cee251a2d3c04
    SHA256
    a6ac2704a4b63eaf27bc0a2d100a999176f494e7122efe8f633e51c0e2c42ace
    SHA512
    707d88b54f2df459d331305d36486a38a4ba0fa30834f2331c599f2d1ed4ba25e1c24eccf116454c24e98129c66ae13ce7d2621aa5dd03da92046c42eb3e6af5

  • C:\Users\Admin\AppData\Local\Temp\Safari
    Filesize
    214KB
    MD5
    0d90f78364d6b146463b6238e692b0f9
    SHA1
    241f0eec297841a66f19e29d322533dc59088272
    SHA256
    ce3e3978e4a8bc847c6307d7ec6e532067e538e98956fc0daade2110f29da540
    SHA512
    169a26bd6bed4c0a2d3af69ba649d5f4044513a87b35d75d7f1285c3f2cbdb25c3e98c5a7ebeb6a26ef87b6206b83ec18df1e016dcd7c3747d1f61211cd0a610

  • C:\Users\Admin\AppData\Local\Temp\Src
    Filesize
    224KB
    MD5
    bca8514ec872114f197260671806ec5d
    SHA1
    b61846c56e14ed5e819050bd638a49505133889b
    SHA256
    862e4b3baeb552ed218606848f4014bdb2d51b7cd35dd6d36804973f2c7ec4f5
    SHA512
    3a6300c19487013e1cce2a0a2ddcf392e872b14f31e5d35d7422848af4026dc7806dfd2c39a4028a86d3e781c075b069fa84cb280c1392bb5fdcedaec5c4109b

  • C:\Users\Admin\AppData\Local\Temp\Treasury
    Filesize
    154KB
    MD5
    3443eaa164d930308366fbc11d04c2fc
    SHA1
    9470e59283644f44d76ecb945c394d43bb09e15e
    SHA256
    6fe6f3a3d2e4589b74eec63e6f463c62e5373dca19972ac2db1a7ad9388c033b
    SHA512
    7ecdc5a2bd98ef7b8ddec6ab3d10f6ef6ce8c0cffc08ac032f14dae46ba1f710b3a86b4d9f950f7ae4fc1ab2379e3771a9b6b9bcb8d3358c5c7ff96e21b48b1a

  • C:\Users\Admin\AppData\Local\Temp\Worm
    Filesize
    131KB
    MD5
    aa48266704d06ef9043c5521d52fddd0
    SHA1
    37754ad688f17e227ba8028efe9127d15c08b922
    SHA256
    5970fe292d0ac770fcaf67e01e99e913426519285180ecb4638859d6969fc444
    SHA512
    017ea9572c60918ef9cdb81d6c54fba387434874d4335e76a05f4da9eccc8705c38c1811e152c4bf533188bebb26edc4437743eccb750d522e844af70225f840

  • memory/3896-32-0x0000000005410000-0x000000000547D000-memory.dmp
    Filesize
    436KB

  • memory/3896-39-0x00007FFCD6590000-0x00007FFCD676B000-memory.dmp
    Filesize
    1.9MB

  • memory/3896-27-0x0000000005410000-0x000000000547D000-memory.dmp
    Filesize
    436KB

  • memory/3896-28-0x0000000005410000-0x000000000547D000-memory.dmp
    Filesize
    436KB

  • memory/3896-29-0x0000000005410000-0x000000000547D000-memory.dmp
    Filesize
    436KB

  • memory/3896-31-0x0000000005410000-0x000000000547D000-memory.dmp
    Filesize
    436KB

  • memory/3896-25-0x0000000077941000-0x0000000077A54000-memory.dmp
    Filesize
    1.1MB

  • memory/3896-33-0x0000000005410000-0x000000000547D000-memory.dmp
    Filesize
    436KB

  • memory/3896-34-0x0000000005410000-0x000000000547D000-memory.dmp
    Filesize
    436KB

  • memory/3896-36-0x0000000005410000-0x000000000547D000-memory.dmp
    Filesize
    436KB

  • memory/3896-35-0x00000000064F0000-0x00000000068F0000-memory.dmp
    Filesize
    4.0MB

  • memory/3896-38-0x00000000064F0000-0x00000000068F0000-memory.dmp
    Filesize
    4.0MB

  • memory/3896-37-0x00000000064F0000-0x00000000068F0000-memory.dmp
    Filesize
    4.0MB

  • memory/3896-26-0x0000000000820000-0x0000000000821000-memory.dmp
    Filesize
    4KB

  • memory/3896-40-0x00000000064F0000-0x00000000068F0000-memory.dmp
    Filesize
    4.0MB

  • memory/3896-42-0x0000000076100000-0x00000000762C2000-memory.dmp
    Filesize
    1.8MB

  • memory/3896-48-0x00000000064F0000-0x00000000068F0000-memory.dmp
    Filesize
    4.0MB

  • memory/4628-45-0x0000000000660000-0x0000000000A60000-memory.dmp
    Filesize
    4.0MB

  • memory/4628-46-0x0000000000660000-0x0000000000A60000-memory.dmp
    Filesize
    4.0MB

  • memory/4628-43-0x0000000000DC0000-0x0000000000DC9000-memory.dmp
    Filesize
    36KB

  • memory/4628-49-0x00007FFCD6590000-0x00007FFCD676B000-memory.dmp
    Filesize
    1.9MB

  • memory/4628-50-0x0000000000660000-0x0000000000A60000-memory.dmp
    Filesize
    4.0MB

  • memory/4628-52-0x00007FFCD6590000-0x00007FFCD676B000-memory.dmp
    Filesize
    1.9MB

  • memory/4628-53-0x0000000076100000-0x00000000762C2000-memory.dmp
    Filesize
    1.8MB

  • memory/4628-54-0x0000000000660000-0x0000000000A60000-memory.dmp
    Filesize
    4.0MB