Analysis
- max time kernel: 31s
- max time network: 33s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-04-2024 02:06
Static task: static1
Behavioral task: behavioral1
Sample: freedomOSU1.12.rar
Resource: win10v2004-20240226-en
General
- Target: freedomOSU1.12.rar
- Size: 803KB
- MD5: 0c9c295b75d76525154f9fc03aefd0a2
- SHA1: 886e81bb6733cb9e33fb3c64bc9dbdfc96308419
- SHA256: f6d3d9319fe42be572804cd30d6a562094d2c00899707a64425d034b26818d10
- SHA512: bf9732cddc19162ac63f8cd030b19995b594303e79269eb1562947390c0c5902ad4c706313829262fa805274815b937a6e66527ce0c0d01e4154138c5e96e57d
- SSDEEP: 24576:Njfs5lXuT5cc+3sk/Vg4nc5sjAzicDW3lUTLjl:Njftt+3pgnSK2UTvl
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  Processes:
    description | pid | process | target process
    PID 1256 created 2472 | 1256 | freedom_loader.exe | sihost.exe
    PID 1664 created 2472 | 1664 | freedom_loader.exe | sihost.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | cmd.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    1256 | freedom_loader.exe
    1664 | freedom_loader.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | cmd.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid | process
    1256 | freedom_loader.exe
    1256 | freedom_loader.exe
    4032 | dialer.exe
    4032 | dialer.exe
    4032 | dialer.exe
    4032 | dialer.exe
    1664 | freedom_loader.exe
    1664 | freedom_loader.exe
    1348 | dialer.exe
    1348 | dialer.exe
    1348 | dialer.exe
    1348 | dialer.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid | process
    2892 | 7zFM.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description | pid | process
    Token: SeRestorePrivilege | 2892 | 7zFM.exe
    Token: 35 | 2892 | 7zFM.exe
    Token: SeSecurityPrivilege | 2892 | 7zFM.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    pid | process
    2892 | 7zFM.exe
    2892 | 7zFM.exe
    2892 | 7zFM.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 628 wrote to memory of 2892 | 628 | cmd.exe | 7zFM.exe
    PID 628 wrote to memory of 2892 | 628 | cmd.exe | 7zFM.exe
    PID 1256 wrote to memory of 4032 | 1256 | freedom_loader.exe | dialer.exe
    PID 1256 wrote to memory of 4032 | 1256 | freedom_loader.exe | dialer.exe
    PID 1256 wrote to memory of 4032 | 1256 | freedom_loader.exe | dialer.exe
    PID 1256 wrote to memory of 4032 | 1256 | freedom_loader.exe | dialer.exe
    PID 1256 wrote to memory of 4032 | 1256 | freedom_loader.exe | dialer.exe
    PID 1664 wrote to memory of 1348 | 1664 | freedom_loader.exe | dialer.exe
    PID 1664 wrote to memory of 1348 | 1664 | freedom_loader.exe | dialer.exe
    PID 1664 wrote to memory of 1348 | 1664 | freedom_loader.exe | dialer.exe
    PID 1664 wrote to memory of 1348 | 1664 | freedom_loader.exe | dialer.exe
    PID 1664 wrote to memory of 1348 | 1664 | freedom_loader.exe | dialer.exe
Processes
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2472
  - C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    signatures: Suspicious behavior: EnumeratesProcesses
    PID: 4032
  - C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    signatures: Suspicious behavior: EnumeratesProcesses
    PID: 1348
- C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\freedomOSU1.12.rar
  signatures:
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  PID: 628
  - C:\Program Files\7-Zip\7zFM.exe
    command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\freedomOSU1.12.rar"
    signatures:
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
    PID: 2892
- C:\Users\Admin\Desktop\freedom_loader.exe
  command line: "C:\Users\Admin\Desktop\freedom_loader.exe"
  signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  PID: 1256
- C:\Users\Admin\Desktop\freedom_loader.exe
  command line: "C:\Users\Admin\Desktop\freedom_loader.exe"
  signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  PID: 1664
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 355KB
  MD5: bb84cc2853596d21a318576c4995fcce
  SHA1: 477a224d5b4e398b34a978ac19def1cbafb211d3
  SHA256: 6135bdbcfd9f824b3da0bef2ba73018a998967e20c5d0274c6a1c0433649b017
  SHA512: aa32be3d91bf6e2c8fed0d0e0407723466b477ab0d27c5d3cd705ac73365ab4c56de4f16d4786ee586e750d6835eba09775dbf5a93b0da0eaea4326f2fc2bd5c