Analysis
- max time kernel: 454s
- max time network: 1177s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 28-03-2024 03:20
Tasks
- Static task static1
- Behavioral task behavioral1: sample ChromeSetup.exe, resource win10-20240319-en
- Behavioral task behavioral2: sample ChromeSetup.exe, resource win10v2004-20240226-en
- Behavioral task behavioral3: sample ChromeSetup.exe, resource win11-20240221-en
General
- Target: ChromeSetup.exe
- Size: 1.0MB
- MD5: 2366f34130db5f39d0d5255782974392
- SHA1: 6323dd08850cdea997298f91f74078cf0c8e78a2
- SHA256: 9e495b41518154b5c5cb3fff866aa26c894adf164b2639f05ba23bb5e75be5ef
- SHA512: e1a86be3970385627fd110d18a9ba56034cd601c046dbcead2bb5e1e4d0b665c8693c2a0cbd15b3f373b4c018579114640c6d0d0de41081cabae1e424c580803
- SSDEEP: 12288:zN7PaOir036Rc10z4JXP+H6oZjkg6aYGCPYx+f7W7ufszMIRVRHqz7Iqse4sIQeI:zN7JE0Q60zOWHrYgsGCT7nfKJTe1NTp
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description: PID 1860 created 2456 | pid: 1860 | process: Donations.pif | procid_target: 50
- Executes dropped EXE (1 IoC)
  pid: 1860 | process: Donations.pif
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid: 4172 | pid_target: 1860 | process: WerFault.exe | procid_target: 86
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid: 756 | process: tasklist.exe
  pid: 1980 | process: tasklist.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid: 1860 | process: Donations.pif (8 hits)
  pid: 780 | process: dialer.exe (4 hits)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege | pid: 756 | process: tasklist.exe
  description: Token: SeDebugPrivilege | pid: 1980 | process: tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid: 1860 | process: Donations.pif (3 hits)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid: 1860 | process: Donations.pif (3 hits)
- Suspicious use of WriteProcessMemory (35 IoCs)
  PID 3376 (ChromeSetup.exe) wrote to memory of 3808 | procid_target: 76 (3 hits)
  PID 3808 (cmd.exe) wrote to memory of 756 | procid_target: 78 (3 hits)
  PID 3808 (cmd.exe) wrote to memory of 4292 | procid_target: 79 (3 hits)
  PID 3808 (cmd.exe) wrote to memory of 1980 | procid_target: 81 (3 hits)
  PID 3808 (cmd.exe) wrote to memory of 3964 | procid_target: 82 (3 hits)
  PID 3808 (cmd.exe) wrote to memory of 460 | procid_target: 83 (3 hits)
  PID 3808 (cmd.exe) wrote to memory of 3364 | procid_target: 84 (3 hits)
  PID 3808 (cmd.exe) wrote to memory of 2120 | procid_target: 85 (3 hits)
  PID 3808 (cmd.exe) wrote to memory of 1860 | procid_target: 86 (3 hits)
  PID 3808 (cmd.exe) wrote to memory of 3884 | procid_target: 87 (3 hits)
  PID 1860 (Donations.pif) wrote to memory of 780 | procid_target: 88 (5 hits)
Processes
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2456
  - C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    PID: 780
    signatures: Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
  PID: 3376
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
    PID: 3808
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      PID: 756
      signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe
      command line: findstr /I "wrsa.exe opssvc.exe"
      PID: 4292
    - C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      PID: 1980
      signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe
      command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      PID: 3964
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c md 16562
      PID: 460
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 16562\Donations.pif
      PID: 3364
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c copy /b Src + Expressions + Safari + Treasury 16562\x
      PID: 2120
    - C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif
      command line: 16562\Donations.pif 16562\x
      PID: 1860
      signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 968
        PID: 4172
        signatures: Program crash
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping -n 5 127.0.0.1
      PID: 3884
      signatures: Runs ping.exe
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1860 -ip 1860
  PID: 568
Network
MITRE ATT&CK Enterprise v15
Downloads