Analysis

  • max time kernel
    1195s
  • max time network
    1204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    28-03-2024 03:20

General

  • Target

    ChromeSetup.exe

  • Size

    1.0MB

  • MD5

    2366f34130db5f39d0d5255782974392

  • SHA1

    6323dd08850cdea997298f91f74078cf0c8e78a2

  • SHA256

    9e495b41518154b5c5cb3fff866aa26c894adf164b2639f05ba23bb5e75be5ef

  • SHA512

    e1a86be3970385627fd110d18a9ba56034cd601c046dbcead2bb5e1e4d0b665c8693c2a0cbd15b3f373b4c018579114640c6d0d0de41081cabae1e424c580803

  • SSDEEP

    12288:zN7PaOir036Rc10z4JXP+H6oZjkg6aYGCPYx+f7W7ufszMIRVRHqz7Iqse4sIQeI:zN7JE0Q60zOWHrYgsGCT7nfKJTe1NTp

Score
10/10

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2524
    • C:\Windows\SysWOW64\dialer.exe
      "C:\Windows\system32\dialer.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3096
  • C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3104
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4444
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa.exe opssvc.exe"
        3⤵
        PID:4684
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1724
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        3⤵
        PID:3096
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 16582
        3⤵
        PID:2276
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 16582\Donations.pif
        3⤵
        PID:4144
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b Src + Expressions + Safari + Treasury 16582\x
        3⤵
        PID:4564
      • C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif
        16582\Donations.pif 16582\x
        3⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 936
          4⤵
          • Program crash
          PID:4736
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 5 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:3304
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1916 -ip 1916
    1⤵
    PID:1836
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:712
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3856 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4708

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif
    Filesize
      872KB
    MD5
      6ee7ddebff0a2b78c7ac30f6e00d1d11
    SHA1
      f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
    SHA256
      865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
    SHA512
      57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

  • C:\Users\Admin\AppData\Local\Temp\16582\x
    Filesize
      870KB
    MD5
      a91c6eadc37c8082fcd0d8fd1762b8fe
    SHA1
      73ce49f75160ed5dafb1b8483111f5d383e919c2
    SHA256
      4b47058fa38dcae6c5f596fad0f2dcea2071b59e8d8a7b9e26a8585cf7119b69
    SHA512
      0a5e077e0241941b8d6032dc8920a363a8bddbde52cfef940940da5d0a7244febf22824a290c75741d450ae4dd099bfcba1f20b99dcdbb1e06cfcbf4546460b8

  • C:\Users\Admin\AppData\Local\Temp\Bathrooms
    Filesize
      13KB
    MD5
      b51276964bb7d7ced0ca782c1505d9ca
    SHA1
      961d8f2ed348d6bfe38f109e97ab8b55db14591c
    SHA256
      55cc097b9fcc03fd4c728618889b48973ed7bcf36057edd819ef475f4aca9403
    SHA512
      fd485c564a64fdb53546c5ddee7dbd52fffea81405d81f49d3a7e1081f892f720120448ecb11190623e7e909683170ece6abaea090cdc857b62b17f1a9d2c547

  • C:\Users\Admin\AppData\Local\Temp\Compound
    Filesize
      280KB
    MD5
      d63c5479fd18f86817d489744a338751
    SHA1
      82385a52bb5485fab0a3d1e7f9a3661bf35d3098
    SHA256
      3f7aa56dfd875ebf6e3aa86be897f65302f88e4022cf2dc984fdb4ac9cff0037
    SHA512
      da8a157239ef59e683b2ad06492136cfc52550af0947bb812fc7795f02ab0e09cf510b701a9e247b0ec197879028778a0af8daf01589d1a53090aa4f91bf0361

  • C:\Users\Admin\AppData\Local\Temp\Emotions
    Filesize
      139KB
    MD5
      569505062321992f4e2803461c40e724
    SHA1
      b62f7987f92b4397b02b6894e759096fdee1f7db
    SHA256
      748a3b063eff70ed5ba8a3a2590f409e5ec79d84d402abae5bb26b42e204e434
    SHA512
      2d23a0322100f570f2298230338c68bd23b683cae2e9a0f27bd5098a6f1c15699d3ba77a319786df34a60739a79f863adb190b6c3aa5fbc06030ae1872cb71fd

  • C:\Users\Admin\AppData\Local\Temp\Expressions
    Filesize
      278KB
    MD5
      6ff11c454a1191120b1f963b120ae6b1
    SHA1
      9476d445caccd7a725836c102154e4ba17cbc969
    SHA256
      b0ba9def393d4b5c8f560143c57b6c6a88a057c0291515ade7fa8fb195e03898
    SHA512
      fee76d9d7d4b824b224b8c7d459f4c75aa8003424395cb3bcfa797fd96115dacacce8b860b3e080ee114e2030e8623675371c9a1212ee4499ed95b62768b4754

  • C:\Users\Admin\AppData\Local\Temp\Injection
    Filesize
      221KB
    MD5
      ec92f2e791b5ca001d95fdd601cd73b3
    SHA1
      4aec16ee635e9eea9732a45d79f9ab8393e966fa
    SHA256
      ec34737bf586761c5b037e97e4fb4351cf6759e8ce40e5dbaabfe60a44be5179
    SHA512
      6a5fde00eabb3e36e698b9dc9a5417ab58cbdb866d75a3b49885974b8a1995b64c094532324e9e4187d76990b02910845e63ca00d9bc2026ae77819a5708bd3b

  • C:\Users\Admin\AppData\Local\Temp\Participants
    Filesize
      101KB
    MD5
      2e6d79912a858f8e13ce1384b18495d1
    SHA1
      a509ff203fcd463cc11ec1ebbe5cee251a2d3c04
    SHA256
      a6ac2704a4b63eaf27bc0a2d100a999176f494e7122efe8f633e51c0e2c42ace
    SHA512
      707d88b54f2df459d331305d36486a38a4ba0fa30834f2331c599f2d1ed4ba25e1c24eccf116454c24e98129c66ae13ce7d2621aa5dd03da92046c42eb3e6af5

  • C:\Users\Admin\AppData\Local\Temp\Safari
    Filesize
      214KB
    MD5
      0d90f78364d6b146463b6238e692b0f9
    SHA1
      241f0eec297841a66f19e29d322533dc59088272
    SHA256
      ce3e3978e4a8bc847c6307d7ec6e532067e538e98956fc0daade2110f29da540
    SHA512
      169a26bd6bed4c0a2d3af69ba649d5f4044513a87b35d75d7f1285c3f2cbdb25c3e98c5a7ebeb6a26ef87b6206b83ec18df1e016dcd7c3747d1f61211cd0a610

  • C:\Users\Admin\AppData\Local\Temp\Src
    Filesize
      224KB
    MD5
      bca8514ec872114f197260671806ec5d
    SHA1
      b61846c56e14ed5e819050bd638a49505133889b
    SHA256
      862e4b3baeb552ed218606848f4014bdb2d51b7cd35dd6d36804973f2c7ec4f5
    SHA512
      3a6300c19487013e1cce2a0a2ddcf392e872b14f31e5d35d7422848af4026dc7806dfd2c39a4028a86d3e781c075b069fa84cb280c1392bb5fdcedaec5c4109b

  • C:\Users\Admin\AppData\Local\Temp\Treasury
    Filesize
      154KB
    MD5
      3443eaa164d930308366fbc11d04c2fc
    SHA1
      9470e59283644f44d76ecb945c394d43bb09e15e
    SHA256
      6fe6f3a3d2e4589b74eec63e6f463c62e5373dca19972ac2db1a7ad9388c033b
    SHA512
      7ecdc5a2bd98ef7b8ddec6ab3d10f6ef6ce8c0cffc08ac032f14dae46ba1f710b3a86b4d9f950f7ae4fc1ab2379e3771a9b6b9bcb8d3358c5c7ff96e21b48b1a

  • C:\Users\Admin\AppData\Local\Temp\Worm
    Filesize
      131KB
    MD5
      aa48266704d06ef9043c5521d52fddd0
    SHA1
      37754ad688f17e227ba8028efe9127d15c08b922
    SHA256
      5970fe292d0ac770fcaf67e01e99e913426519285180ecb4638859d6969fc444
    SHA512
      017ea9572c60918ef9cdb81d6c54fba387434874d4335e76a05f4da9eccc8705c38c1811e152c4bf533188bebb26edc4437743eccb750d522e844af70225f840

  • memory/1916-32-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
    Filesize
      436KB

  • memory/1916-38-0x0000000005C60000-0x0000000006060000-memory.dmp
    Filesize
      4.0MB

  • memory/1916-27-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
    Filesize
      436KB

  • memory/1916-28-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
    Filesize
      436KB

  • memory/1916-29-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
    Filesize
      436KB

  • memory/1916-31-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
    Filesize
      436KB

  • memory/1916-25-0x0000000077D31000-0x0000000077E51000-memory.dmp
    Filesize
      1.1MB

  • memory/1916-33-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
    Filesize
      436KB

  • memory/1916-34-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
    Filesize
      436KB

  • memory/1916-35-0x0000000005C60000-0x0000000006060000-memory.dmp
    Filesize
      4.0MB

  • memory/1916-36-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
    Filesize
      436KB

  • memory/1916-26-0x0000000000B20000-0x0000000000B21000-memory.dmp
    Filesize
      4KB

  • memory/1916-37-0x0000000005C60000-0x0000000006060000-memory.dmp
    Filesize
      4.0MB

  • memory/1916-39-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp
    Filesize
      2.0MB

  • memory/1916-40-0x0000000005C60000-0x0000000006060000-memory.dmp
    Filesize
      4.0MB

  • memory/1916-42-0x0000000075DF0000-0x0000000076005000-memory.dmp
    Filesize
      2.1MB

  • memory/1916-53-0x0000000005C60000-0x0000000006060000-memory.dmp
    Filesize
      4.0MB

  • memory/3096-45-0x0000000002730000-0x0000000002B30000-memory.dmp
    Filesize
      4.0MB

  • memory/3096-46-0x0000000002730000-0x0000000002B30000-memory.dmp
    Filesize
      4.0MB

  • memory/3096-48-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp
    Filesize
      2.0MB

  • memory/3096-50-0x0000000002730000-0x0000000002B30000-memory.dmp
    Filesize
      4.0MB

  • memory/3096-51-0x0000000075DF0000-0x0000000076005000-memory.dmp
    Filesize
      2.1MB

  • memory/3096-52-0x0000000002730000-0x0000000002B30000-memory.dmp
    Filesize
      4.0MB

  • memory/3096-43-0x0000000000A20000-0x0000000000A29000-memory.dmp
    Filesize
      36KB