Analysis
Max time kernel: 147s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 04-04-2024 09:36
Static task: static1
Behavioral task: behavioral1
  Sample: connection1503.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: connection1503.exe
  Resource: win10v2004-20240226-en
General
Target: connection1503.exe
Size: 43.9MB
MD5: 43430554370c916d462360e4f99ce14e
SHA1: d8a319a2927bc70008d807f65c0b085424e17fde
SHA256: 97ad9ec5accd668882437d7af85ed8c5228fb2f5ceb035ebd15a569eb10ee957
SHA512: 38aa7550e1babd193e19967a175c3986daaa7366bcbe621893f6eda2250d80feff63f2c26ffe39d225e9f6186dcfe40e44fb653e25c5419cbbc2dc2f998bd6e1
SSDEEP: 196608:vchI3nkY+Za8caFGzCQJ2xo3NDeZfMITDFAi7xz19Adyah/tv:0S3kYckaFgso3ND4VFAQz12dttv
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
    description              pid   process            target process
    PID 4900 created 2540    4900  BitLockerToGo.exe  sihost.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                            pid   process             target process
    PID 1008 set thread context of 4900    1008  connection1503.exe  BitLockerToGo.exe
- Program crash (2 IoCs)
  Processes:
    pid   pid_target  process       target process
    4964  4900        WerFault.exe  BitLockerToGo.exe
    3092  4900        WerFault.exe  BitLockerToGo.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid   process
    4900  BitLockerToGo.exe
    4900  BitLockerToGo.exe
    860   dialer.exe
    860   dialer.exe
    860   dialer.exe
    860   dialer.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description                          pid   process             target process
    PID 1008 wrote to memory of 4900     1008  connection1503.exe  BitLockerToGo.exe
    PID 1008 wrote to memory of 4900     1008  connection1503.exe  BitLockerToGo.exe
    PID 1008 wrote to memory of 4900     1008  connection1503.exe  BitLockerToGo.exe
    PID 1008 wrote to memory of 4900     1008  connection1503.exe  BitLockerToGo.exe
    PID 1008 wrote to memory of 4900     1008  connection1503.exe  BitLockerToGo.exe
    PID 4900 wrote to memory of 860      4900  BitLockerToGo.exe   dialer.exe
    PID 4900 wrote to memory of 860      4900  BitLockerToGo.exe   dialer.exe
    PID 4900 wrote to memory of 860      4900  BitLockerToGo.exe   dialer.exe
    PID 4900 wrote to memory of 860      4900  BitLockerToGo.exe   dialer.exe
    PID 4900 wrote to memory of 860      4900  BitLockerToGo.exe   dialer.exe
Processes
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2540
  - C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    Suspicious behavior: EnumeratesProcesses
    PID: 860
- C:\Users\Admin\AppData\Local\Temp\connection1503.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\connection1503.exe"
  Suspicious use of SetThreadContext
  Suspicious use of WriteProcessMemory
  PID: 1008
  - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    Suspicious use of NtCreateUserProcessOtherParentProcess
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID: 4900
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 424
      Program crash
      PID: 4964
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 440
      Program crash
      PID: 3092
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4900 -ip 4900
  PID: 4712
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4900 -ip 4900
  PID: 4912