Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240319-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-04-2024 01:49
Static task: static1
Behavioral task: behavioral1
- Sample: 5d93c67ddde2e5fdc00a4e5777aa37d9ea4639227c633d044fb467b210640d28.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5d93c67ddde2e5fdc00a4e5777aa37d9ea4639227c633d044fb467b210640d28.exe
- Resource: win10v2004-20240319-en
General
- Target: 5d93c67ddde2e5fdc00a4e5777aa37d9ea4639227c633d044fb467b210640d28.exe
- Size: 386KB
- MD5: cfd2733ba128f49a373042a1a6c3fe19
- SHA1: 5782fffc3d9e4d815fa0ec6315c5f237edfb9ae9
- SHA256: 5d93c67ddde2e5fdc00a4e5777aa37d9ea4639227c633d044fb467b210640d28
- SHA512: be1a9fae4148cd6b567903f8fe707c1812d2782c8a718f81f6d30240c498f1aa5419f5fc22a318727a07e0e232c1538209743a97b9c01e5f4a679462ac2819d8
- SSDEEP: 12288:DHKzTnUs8oF7lWrf4p0fM5kzzLsK8Qll6V:DqzTUvEjCfMiHYMoV
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
  description            pid   process     target process
  PID 2068 created 2400  2068  RegAsm.exe  sihost.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process                                                                target process
  PID 2484 set thread context of 2068  2484  5d93c67ddde2e5fdc00a4e5777aa37d9ea4639227c633d044fb467b210640d28.exe  RegAsm.exe
- Program crash (3 IoCs)
  Processes:
  pid   pid_target  process       target process
  2020  2484        WerFault.exe  5d93c67ddde2e5fdc00a4e5777aa37d9ea4639227c633d044fb467b210640d28.exe
  1984  2068        WerFault.exe  RegAsm.exe
  720   2068        WerFault.exe  RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (identical rows collapsed; last column is the number of occurrences):
  pid   process     count
  2068  RegAsm.exe  2
  2688  dialer.exe  4
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (identical rows collapsed; last column is the number of occurrences):
  description                        pid   process                                                                target process  count
  PID 2484 wrote to memory of 2068   2484  5d93c67ddde2e5fdc00a4e5777aa37d9ea4639227c633d044fb467b210640d28.exe  RegAsm.exe      11
  PID 2068 wrote to memory of 2688   2068  RegAsm.exe                                                             dialer.exe      5
Processes (tree; indentation shows parent/child relationship)
- C:\Windows\system32\sihost.exe (PID 2400)
  command line: sihost.exe
  - C:\Windows\SysWOW64\dialer.exe (PID 2688)
    command line: "C:\Windows\system32\dialer.exe"
    signatures: Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\5d93c67ddde2e5fdc00a4e5777aa37d9ea4639227c633d044fb467b210640d28.exe (PID 2484)
  command line: "C:\Users\Admin\AppData\Local\Temp\5d93c67ddde2e5fdc00a4e5777aa37d9ea4639227c633d044fb467b210640d28.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2068)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1984)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 568
      signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 720)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 584
      signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 2020)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 824
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4616)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2484 -ip 2484
- C:\Windows\SysWOW64\WerFault.exe (PID 4292)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2068 -ip 2068
- C:\Windows\SysWOW64\WerFault.exe (PID 3540)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2068 -ip 2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5020)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4968 --field-trial-handle=2276,i,5672504106535478802,17394903851940863593,262144 --variations-seed-version /prefetch:8