Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-04-2024 01:51
Static task
- static1
Behavioral task
- behavioral1: sample ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe, resource win7-20240221-en
Behavioral task
- behavioral2: sample ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe, resource win10v2004-20240226-en
General
- Target: ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe
- Size: 952KB
- MD5: cce2ac8ae528606702c8d2766d9be0d7
- SHA1: 6f1607201e267058f27d58a912b9cfe5530996af
- SHA256: ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d
- SHA512: 6b051e6dfeee15d3d6983e684ceb21bb321c093a68b4a7bb15973e3d1285b35fcc26dff359e4a94781a45a8cb08270faebd1b4737288b06f7cd372dbd14134d3
- SSDEEP: 12288:cfLoc2h3PJ5m641+zCSA2YhbPL5ApRMR0xTPVz2KbWXzvbhcrrRjyaQF1pAUlgZ+:cfLoc2FrClhhbsGiwbCfZwpAogF8Vxr3
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2728 created 1204 | 2728 | Colorado.pif | Explorer.EXE
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  2728 | Colorado.pif
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  2872 | cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes:
  pid | process
  2120 | tasklist.exe
  2576 | tasklist.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
  pid | process | count
  2728 | Colorado.pif | 5
  2956 | dialer.exe | 4
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2120 | tasklist.exe
  Token: SeDebugPrivilege | 2576 | tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
  pid | process | count
  2728 | Colorado.pif | 3
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
  pid | process | count
  2728 | Colorado.pif | 3
- Suspicious use of WriteProcessMemory (50 IoCs)
  Processes (identical events collapsed; the count column gives the number of occurrences):
  description | pid | process | target process | count
  PID 2924 wrote to memory of 2872 | 2924 | ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe | cmd.exe | 4
  PID 2872 wrote to memory of 2120 | 2872 | cmd.exe | tasklist.exe | 4
  PID 2872 wrote to memory of 2568 | 2872 | cmd.exe | findstr.exe | 4
  PID 2872 wrote to memory of 2576 | 2872 | cmd.exe | tasklist.exe | 4
  PID 2872 wrote to memory of 2888 | 2872 | cmd.exe | findstr.exe | 4
  PID 2872 wrote to memory of 2884 | 2872 | cmd.exe | cmd.exe | 4
  PID 2872 wrote to memory of 2716 | 2872 | cmd.exe | findstr.exe | 4
  PID 2872 wrote to memory of 2648 | 2872 | cmd.exe | cmd.exe | 4
  PID 2872 wrote to memory of 2564 | 2872 | cmd.exe | cmd.exe | 4
  PID 2872 wrote to memory of 2728 | 2872 | cmd.exe | Colorado.pif | 4
  PID 2872 wrote to memory of 2440 | 2872 | cmd.exe | PING.EXE | 4
  PID 2728 wrote to memory of 2956 | 2728 | Colorado.pif | dialer.exe | 6
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1204
  - C:\Users\Admin\AppData\Local\Temp\ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe"
    signatures: Suspicious use of WriteProcessMemory
    PID: 2924
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c move Kim Kim.bat && Kim.bat
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID: 2872
      - C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        PID: 2120
      - C:\Windows\SysWOW64\findstr.exe
        command line: findstr /I "wrsa.exe opssvc.exe"
        PID: 2568
      - C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        PID: 2576
      - C:\Windows\SysWOW64\findstr.exe
        command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        PID: 2888
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c md 2892
        PID: 2884
      - C:\Windows\SysWOW64\findstr.exe
        command line: findstr /V "FrancisIdeasRatsSas" Oven
        PID: 2716
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c copy /b 2892\Colorado.pif + Ooo + Faqs + Boating + Job + Rugs + Envelope + Philippines 2892\Colorado.pif
        PID: 2648
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c copy /b Headquarters + Mv + Kinda + Ref 2892\K
        PID: 2564
      - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif
        command line: 2892\Colorado.pif 2892\K
        signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        PID: 2728
      - C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 5 127.0.0.1
        signatures: Runs ping.exe
        PID: 2440
  - C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    signatures: Suspicious behavior: EnumeratesProcesses
    PID: 2956
    note: the recorded parent is Explorer.EXE (PID 1204), not Colorado.pif. The WriteProcessMemory signature shows Colorado.pif (PID 2728) writing to this process six times, and the NtCreateUserProcessOtherParentProcess signature names Explorer.EXE as the target process, so the position in the tree indicates a spoofed parent rather than a genuine Explorer child.
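Every step of the chain above (an extensionless file renamed to .bat and run, tasklist piped into findstr /I with security-product names, copy /b reassembly of dropped fragments, a .pif launched from the user profile, a loopback ping as a delay, and dialer.exe recorded under Explorer.EXE while Colorado.pif writes to its memory) is visible in ordinary process-creation telemetry. The following is an added example, not part of the sandbox report: Python detection rules run over process events constructed from the process tree and signature tables on this page. The ProcEvent field names, the creator_pid field (which an EDR may or may not record) and the rule names are this example's own assumptions, not any product's schema.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class ProcEvent:
    """One process-creation record. Field names are this example's own (assumed) schema."""
    pid: int
    ppid: int                           # parent PID as recorded by the OS
    image: str                          # full image path
    cmdline: str
    creator_pid: Optional[int] = None   # PID that actually issued the create call, when telemetry records it


# Security-product process names taken from the two findstr /I command lines in the tree above.
AV_PROCESS_NAMES = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe", "nswscsvc.exe", "sophoshealth.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_extensionless_file_run_as_bat(e: ProcEvent) -> bool:
    # "move Kim Kim.bat && Kim.bat": a dropped file without an extension is renamed to .bat and run in one command.
    return basename(e.image) == "cmd.exe" and re.search(
        r"\bmove\s+(\S+)\s+\1\.bat\b.*&&", e.cmdline, re.I) is not None


def rule_av_process_discovery(e: ProcEvent) -> bool:
    # findstr /I over a list of AV/EDR process names (fed by tasklist in the batch script).
    if basename(e.image) != "findstr.exe":
        return False
    tokens = {t.strip('"').lower() for t in e.cmdline.split()}
    return "/i" in tokens and bool(tokens & AV_PROCESS_NAMES)


def rule_binary_chunk_concat(e: ProcEvent) -> bool:
    # "copy /b a + b + c out": byte-wise concatenation of several dropped fragments into one file.
    m = re.search(r"\bcopy\s+/b\s+(.+)", e.cmdline, re.I)
    return m is not None and m.group(1).count(" + ") >= 2


def rule_pif_from_user_profile(e: ProcEvent) -> bool:
    # A .pif (a PE under another extension) executed from a path beneath C:\Users.
    img = e.image.lower()
    return img.endswith(".pif") and "\\users\\" in img


def rule_loopback_ping_delay(e: ProcEvent) -> bool:
    # "ping -n N 127.0.0.1": the batch-file idiom for sleeping roughly N seconds.
    return basename(e.image) == "ping.exe" and re.search(
        r"-n\s+\d+\s+127\.0\.0\.1", e.cmdline, re.I) is not None


def rule_parent_pid_spoofing(e: ProcEvent) -> bool:
    # The recorded parent differs from the process that actually created it.
    return e.creator_pid is not None and e.creator_pid != e.ppid


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "extensionless_file_run_as_bat": rule_extensionless_file_run_as_bat,
    "av_process_discovery": rule_av_process_discovery,
    "binary_chunk_concat": rule_binary_chunk_concat,
    "pif_from_user_profile": rule_pif_from_user_profile,
    "loopback_ping_delay": rule_loopback_ping_delay,
    "parent_pid_spoofing": rule_parent_pid_spoofing,
}


def run_rules(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: [matching rule names]} for every event that trips at least one rule."""
    hits: Dict[int, List[str]] = {}
    for e in events:
        names = [name for name, rule in RULES.items() if rule(e)]
        if names:
            hits[e.pid] = names
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe"
SYS = r"C:\Windows\SysWOW64"
INET = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files"

# Constructed from the process tree and the NtCreateUserProcessOtherParentProcess / WriteProcessMemory
# signatures on this page; creator_pid for dialer.exe is inferred from those signatures.
SAMPLE_EVENTS = [
    ProcEvent(1204, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2924, 1204, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2872, 2924, SYS + r"\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c move Kim Kim.bat && Kim.bat'),
    ProcEvent(2120, 2872, SYS + r"\tasklist.exe", "tasklist"),
    ProcEvent(2568, 2872, SYS + r"\findstr.exe", r'findstr /I "wrsa.exe opssvc.exe"'),
    ProcEvent(2576, 2872, SYS + r"\tasklist.exe", "tasklist"),
    ProcEvent(2888, 2872, SYS + r"\findstr.exe", r'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    ProcEvent(2884, 2872, SYS + r"\cmd.exe", "cmd /c md 2892"),
    ProcEvent(2716, 2872, SYS + r"\findstr.exe", r'findstr /V "FrancisIdeasRatsSas" Oven'),
    ProcEvent(2648, 2872, SYS + r"\cmd.exe",
              r"cmd /c copy /b 2892\Colorado.pif + Ooo + Faqs + Boating + Job + Rugs + Envelope + Philippines 2892\Colorado.pif"),
    ProcEvent(2564, 2872, SYS + r"\cmd.exe", r"cmd /c copy /b Headquarters + Mv + Kinda + Ref 2892\K"),
    ProcEvent(2728, 2872, INET + r"\2892\Colorado.pif", r"2892\Colorado.pif 2892\K"),
    ProcEvent(2440, 2872, SYS + r"\PING.EXE", "ping -n 5 127.0.0.1"),
    ProcEvent(2956, 1204, SYS + r"\dialer.exe", r'"C:\Windows\system32\dialer.exe"', creator_pid=2728),
]


if __name__ == "__main__":
    for pid, names in run_rules(SAMPLE_EVENTS).items():
        print(pid, ", ".join(names))
```

The parent_pid_spoofing rule only fires when the telemetry source records the creating process separately from the recorded parent (as the sandbox does here); tasklist and the bare `md 2892` deliberately trip nothing, since on their own they are routine.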
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 30B
  MD5: f62787118cfd7060849bfb732ca4e71c
  SHA1: dda2061ff03f0e200d3790fb570243364d6f2788
  SHA256: 5ac498f3e88a82c903c4203dd44d8ea449528dc194f4d66d6b8e594c71c5591c
  SHA512: 45dcf25a6a7e0a39a69649e54b687ef633c87dca222f0473462d1a0e6e54be0e749662404dedad86feb6ae9fd6c98f719a6130b8bf616c205e5af3b856b0a27d
- Filesize: 864KB
  MD5: 992086438ec4ff45677110d54caf1f70
  SHA1: e44b653431cb5094db4d4ac04325a7582cd5df90
  SHA256: 607f87584495e2a2c2158ae7f84513fc408ef72bbc159174904e21fdf7fa64b6
  SHA512: 9100206a55c2ec1ec58186e2b6e053092125ea73d98d2c60536be52aa9307c8c9b5f0af2852aacc8c10b7ad3fef02b2484f7bbf105ce508972d2ee037d7e0b19
- Filesize: 256KB
  MD5: 2d292a074a6d19f926f3c70dd6ce64d1
  SHA1: fb764cd612a439185c7b43205f269a23827f394d
  SHA256: ff051daa7d4e6a85b29ac4f8c2ff75c52b97b32ae4cde129be2ca3a140545a42
  SHA512: 4107cc7b57c704dde69a1ad5a4617842dd1c99e5bd4f5940da6c7c9120ac869ba8aafa94a82361690820f2f71dd65f1f1e7e77420f24f5314e39266e5f5e5569
- Filesize: 126KB
  MD5: 1b5abf179cee52cab937711b74cb2be0
  SHA1: e845151b7a14077094cdc91a00946057d9143af0
  SHA256: c330dacbe37ea27af2519875e1dd7e7cc87fcdc51a7cac8a79582fc2d2aba562
  SHA512: fa5c3c17a894cb10694e68edffd80ec5b820eedd8b98b6d960eda573a52b1a4786b3ced76bd5c156bf10a9712751c7fad725aa26bdb91c7dc4c93ec92eb11c38
- Filesize: 161KB
  MD5: d4d8d1d363822e1df54082abe29bdda1
  SHA1: 5eb8bd1baeeb72786591f79230042abc1b3812c6
  SHA256: 63a76c01adf19631852f58069a573bdec4b6107bee697c5412fa769ef96edfc2
  SHA512: 672f7f19702e19832976230f19b776c0f4cd6638db5b81bd2183e6e292ab74f8c383c44699bc7906d2b5edcf1c6e1379d011f2eaed2e0f16fe9be07447008843
- Filesize: 216KB
  MD5: 6e88335e4768ad05581502124bce6f06
  SHA1: a028a16477b11b615f3cfa9fef833cfb300cc5fc
  SHA256: 0bfa99aedeede4fc8d55b4a455c77951b6382be6aedd0ee43d690e67d7446e72
  SHA512: cef73f170a5dae92d3ce60e5b7ecd3e02280eeac93aa000c68c55a0eef3504afa3a20c624b324fcbe90e1489203481d9c785992626da4f3295ccc8dcfde6b23e
- Filesize: 32KB
  MD5: add0f628c5fd4cabb0026aa3129d2730
  SHA1: f5b701083ecc8cf6171da6d1c881a2b676a5c5e8
  SHA256: f89fb9278fe7adc534759d76677c7d6806f47c0a0f5aa3bf92287e438ae637d2
  SHA512: ee2465a50d2506680d56e526f4ce69aa6f6ea4f4244371cb56bf90d3dfdedb34b25ce0de6e6acd80128544b6188c9ff217f845b6e8fef2843fa52509ff94cac5
- Filesize: 22KB
  MD5: 630852ea3d1d215fd718032b5ca858db
  SHA1: 9245a44b3248bebca81dd5900adc02ea6fa58c5d
  SHA256: b39c74a7317907fba760423d509b130c3b1ab6e6285507947c8d5a4dc82202bb
  SHA512: 1cf52f0d3c5e499fd7e89f7fcdbce665ee227acdc0482a4ae147f8378fa51dc5be1a8dd71c3c4c1c788e39a74563e4d55df256cf3566c2863e51680122e46d8e
- Filesize: 284KB
  MD5: 705cf895a0bff9222a81695379901550
  SHA1: 1193389066e77a060a73a78758f22c4dd63dfc89
  SHA256: 04931a8e11e08fb84cb2afcf89ab038c09917d40ca16cc21b84fcd160ffcaf95
  SHA512: 60fd74f74ba112c92dcbdbddfa1a161e51849e55821c7979ee877ca8cbed08b4ac52a35d71c79b197f8a27f50049ba1baf956cabd3a093c6be7f712a6f56ee12
- Filesize: 297KB
  MD5: 4503cf81b6c45672fd2cb5d91a152fb0
  SHA1: aec2272bf6d871f3c57ead5d936313f434171c3a
  SHA256: 718559583f176e8490355e7eab9798b1145f7bed33da34ecb6f2773f884f2943
  SHA512: 7bd60403de4ddd9e487a364414645a8b16a7ccd19fbb984e1590d993b7e4cbac63788e143d78b763f993ade45a8a12d9b1206773afcdc2def7c5b6329fded208
- Filesize: 290KB
  MD5: 78c34d2bd450bea859100a1c07349bc7
  SHA1: d64f38b2869a47511d2486418874b0c5d5ac5966
  SHA256: 467eef5cdfb2f97f688b4d5cdb315c90e8e52d1db6ae64e66aab5184223ea554
  SHA512: 06aeff1ceadd573d156fd2dedd9cc1aee7c8b80e2ecc45e9a82cdce43f0cc8aff73b7b12e4b2e3a90c319638e245f226dd72f81d5094cabca4bd7a346a4b5bd4
- Filesize: 51B
  MD5: 727785418f7d2ca3ca9935eff4c6339e
  SHA1: 2f9310a83802c4cb1081661ed5874d51b503a7d3
  SHA256: c443fd55318a668b4cc6e8940dd02ac1fef4c59139fb6744d397d0ad4c88f0cd
  SHA512: 97dd7cb5ffc1405e540d1f45796ff1885938308030672877cd732ee63ee46847626f0e169a7baf585252321545c4757da67be89345c96b8ca4fcdab0b37c0f3b
- Filesize: 46KB
  MD5: feaef2882cbe76a204fd8d54228d3f0e
  SHA1: cc9f129cd9b30147a36dc717aa6cce89010c5a70
  SHA256: 26740fec75d648ffe50d10225c4fe6c784d0bbd640ba67f415af27e2a3cceea9
  SHA512: f9ba276e35ae280a0e0e68d8d0bcbb366b61caa03c042e73dd26ae8d62c0f417ce762b5b9a71958f2ddf9e58ff71e734ef982d7fe319d11de56ffe34f93ab193
- Filesize: 67KB
  MD5: 68b581399c9f6d1532023aeb3cddebcf
  SHA1: dbc29a3f2f0d864db17f0804e9a7f4e1ffed763c
  SHA256: 5cc78ee895e813fd3cbf08c9c519c890662d9ddaf92e526bb3f1afff08f0725a
  SHA512: cba377bc14a2ae4174ef9738eec3ee32380a0d5319af7301df84975d82fe7dcd84a8c3572ed1966512d0712b85a9d32b163b5993d751c131471af2dbe823c4da
- Filesize: 10KB
  MD5: ef184ffd17abae29eb2d8592242d0a0c
  SHA1: 0310d608c20df37e7e29a241b729cb87df6fd2ff
  SHA256: c229230da0d9f0533abe2289bd5c0ad8d28cf43aa53cb9b6974fe7b9ccbcfe2a
  SHA512: dcae2f0c1901cd6f1e03b05674b298e4bcb4e56d997c4c04a3eb376a140d1e09c76d90df32c285d34001e42b20e0a085bc09bcb8cfec1245a230c0935638d83e
- Filesize: 921KB
  MD5: 78ba0653a340bac5ff152b21a83626cc
  SHA1: b12da9cb5d024555405040e65ad89d16ae749502
  SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317