Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-04-2024 01:51

General

  • Target

    ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe

  • Size

    952KB

  • MD5

    cce2ac8ae528606702c8d2766d9be0d7

  • SHA1

    6f1607201e267058f27d58a912b9cfe5530996af

  • SHA256

    ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d

  • SHA512

    6b051e6dfeee15d3d6983e684ceb21bb321c093a68b4a7bb15973e3d1285b35fcc26dff359e4a94781a45a8cb08270faebd1b4737288b06f7cd372dbd14134d3

  • SSDEEP

    12288:cfLoc2h3PJ5m641+zCSA2YhbPL5ApRMR0xTPVz2KbWXzvbhcrrRjyaQF1pAUlgZ+:cfLoc2FrClhhbsGiwbCfZwpAogF8Vxr3

Score
10/10

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++, first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2588
    • C:\Windows\SysWOW64\dialer.exe
      "C:\Windows\system32\dialer.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4816
  • C:\Users\Admin\AppData\Local\Temp\ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe
    "C:\Users\Admin\AppData\Local\Temp\ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c move Kim Kim.bat && Kim.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4452
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa.exe opssvc.exe"
        3⤵
        PID:1360
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4712
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        3⤵
        PID:1984
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 2922
        3⤵
        PID:2440
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "FrancisIdeasRatsSas" Oven
        3⤵
        PID:1680
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b 2922\Colorado.pif + Ooo + Faqs + Boating + Job + Rugs + Envelope + Philippines 2922\Colorado.pif
        3⤵
        PID:2716
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b Headquarters + Mv + Kinda + Ref 2922\K
        3⤵
        PID:1276
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif
        2922\Colorado.pif 2922\K
        3⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3948
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 932
          4⤵
          • Program crash
          PID:1708
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 5 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2948
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3948 -ip 3948
    1⤵
    PID:4000

Network

MITRE ATT&CK Enterprise v15

Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif

                    Filesize

                    30B

                    MD5

                    f62787118cfd7060849bfb732ca4e71c

                    SHA1

                    dda2061ff03f0e200d3790fb570243364d6f2788

                    SHA256

                    5ac498f3e88a82c903c4203dd44d8ea449528dc194f4d66d6b8e594c71c5591c

                    SHA512

                    45dcf25a6a7e0a39a69649e54b687ef633c87dca222f0473462d1a0e6e54be0e749662404dedad86feb6ae9fd6c98f719a6130b8bf616c205e5af3b856b0a27d

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif

                    Filesize

                    921KB

                    MD5

                    78ba0653a340bac5ff152b21a83626cc

                    SHA1

                    b12da9cb5d024555405040e65ad89d16ae749502

                    SHA256

                    05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

                    SHA512

                    efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\K

                    Filesize

                    864KB

                    MD5

                    992086438ec4ff45677110d54caf1f70

                    SHA1

                    e44b653431cb5094db4d4ac04325a7582cd5df90

                    SHA256

                    607f87584495e2a2c2158ae7f84513fc408ef72bbc159174904e21fdf7fa64b6

                    SHA512

                    9100206a55c2ec1ec58186e2b6e053092125ea73d98d2c60536be52aa9307c8c9b5f0af2852aacc8c10b7ad3fef02b2484f7bbf105ce508972d2ee037d7e0b19

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Boating

                    Filesize

                    256KB

                    MD5

                    2d292a074a6d19f926f3c70dd6ce64d1

                    SHA1

                    fb764cd612a439185c7b43205f269a23827f394d

                    SHA256

                    ff051daa7d4e6a85b29ac4f8c2ff75c52b97b32ae4cde129be2ca3a140545a42

                    SHA512

                    4107cc7b57c704dde69a1ad5a4617842dd1c99e5bd4f5940da6c7c9120ac869ba8aafa94a82361690820f2f71dd65f1f1e7e77420f24f5314e39266e5f5e5569

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Envelope

                    Filesize

                    126KB

                    MD5

                    1b5abf179cee52cab937711b74cb2be0

                    SHA1

                    e845151b7a14077094cdc91a00946057d9143af0

                    SHA256

                    c330dacbe37ea27af2519875e1dd7e7cc87fcdc51a7cac8a79582fc2d2aba562

                    SHA512

                    fa5c3c17a894cb10694e68edffd80ec5b820eedd8b98b6d960eda573a52b1a4786b3ced76bd5c156bf10a9712751c7fad725aa26bdb91c7dc4c93ec92eb11c38

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Faqs

                    Filesize

                    161KB

                    MD5

                    d4d8d1d363822e1df54082abe29bdda1

                    SHA1

                    5eb8bd1baeeb72786591f79230042abc1b3812c6

                    SHA256

                    63a76c01adf19631852f58069a573bdec4b6107bee697c5412fa769ef96edfc2

                    SHA512

                    672f7f19702e19832976230f19b776c0f4cd6638db5b81bd2183e6e292ab74f8c383c44699bc7906d2b5edcf1c6e1379d011f2eaed2e0f16fe9be07447008843

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Headquarters

                    Filesize

                    216KB

                    MD5

                    6e88335e4768ad05581502124bce6f06

                    SHA1

                    a028a16477b11b615f3cfa9fef833cfb300cc5fc

                    SHA256

                    0bfa99aedeede4fc8d55b4a455c77951b6382be6aedd0ee43d690e67d7446e72

                    SHA512

                    cef73f170a5dae92d3ce60e5b7ecd3e02280eeac93aa000c68c55a0eef3504afa3a20c624b324fcbe90e1489203481d9c785992626da4f3295ccc8dcfde6b23e

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Job

                    Filesize

                    32KB

                    MD5

                    add0f628c5fd4cabb0026aa3129d2730

                    SHA1

                    f5b701083ecc8cf6171da6d1c881a2b676a5c5e8

                    SHA256

                    f89fb9278fe7adc534759d76677c7d6806f47c0a0f5aa3bf92287e438ae637d2

                    SHA512

                    ee2465a50d2506680d56e526f4ce69aa6f6ea4f4244371cb56bf90d3dfdedb34b25ce0de6e6acd80128544b6188c9ff217f845b6e8fef2843fa52509ff94cac5

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kim

                    Filesize

                    22KB

                    MD5

                    630852ea3d1d215fd718032b5ca858db

                    SHA1

                    9245a44b3248bebca81dd5900adc02ea6fa58c5d

                    SHA256

                    b39c74a7317907fba760423d509b130c3b1ab6e6285507947c8d5a4dc82202bb

                    SHA512

                    1cf52f0d3c5e499fd7e89f7fcdbce665ee227acdc0482a4ae147f8378fa51dc5be1a8dd71c3c4c1c788e39a74563e4d55df256cf3566c2863e51680122e46d8e

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kinda

                    Filesize

                    284KB

                    MD5

                    705cf895a0bff9222a81695379901550

                    SHA1

                    1193389066e77a060a73a78758f22c4dd63dfc89

                    SHA256

                    04931a8e11e08fb84cb2afcf89ab038c09917d40ca16cc21b84fcd160ffcaf95

                    SHA512

                    60fd74f74ba112c92dcbdbddfa1a161e51849e55821c7979ee877ca8cbed08b4ac52a35d71c79b197f8a27f50049ba1baf956cabd3a093c6be7f712a6f56ee12

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mv

                    Filesize

                    297KB

                    MD5

                    4503cf81b6c45672fd2cb5d91a152fb0

                    SHA1

                    aec2272bf6d871f3c57ead5d936313f434171c3a

                    SHA256

                    718559583f176e8490355e7eab9798b1145f7bed33da34ecb6f2773f884f2943

                    SHA512

                    7bd60403de4ddd9e487a364414645a8b16a7ccd19fbb984e1590d993b7e4cbac63788e143d78b763f993ade45a8a12d9b1206773afcdc2def7c5b6329fded208

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ooo

                    Filesize

                    290KB

                    MD5

                    78c34d2bd450bea859100a1c07349bc7

                    SHA1

                    d64f38b2869a47511d2486418874b0c5d5ac5966

                    SHA256

                    467eef5cdfb2f97f688b4d5cdb315c90e8e52d1db6ae64e66aab5184223ea554

                    SHA512

                    06aeff1ceadd573d156fd2dedd9cc1aee7c8b80e2ecc45e9a82cdce43f0cc8aff73b7b12e4b2e3a90c319638e245f226dd72f81d5094cabca4bd7a346a4b5bd4

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Oven

                    Filesize

                    51B

                    MD5

                    727785418f7d2ca3ca9935eff4c6339e

                    SHA1

                    2f9310a83802c4cb1081661ed5874d51b503a7d3

                    SHA256

                    c443fd55318a668b4cc6e8940dd02ac1fef4c59139fb6744d397d0ad4c88f0cd

                    SHA512

                    97dd7cb5ffc1405e540d1f45796ff1885938308030672877cd732ee63ee46847626f0e169a7baf585252321545c4757da67be89345c96b8ca4fcdab0b37c0f3b

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Philippines

                    Filesize

                    46KB

                    MD5

                    feaef2882cbe76a204fd8d54228d3f0e

                    SHA1

                    cc9f129cd9b30147a36dc717aa6cce89010c5a70

                    SHA256

                    26740fec75d648ffe50d10225c4fe6c784d0bbd640ba67f415af27e2a3cceea9

                    SHA512

                    f9ba276e35ae280a0e0e68d8d0bcbb366b61caa03c042e73dd26ae8d62c0f417ce762b5b9a71958f2ddf9e58ff71e734ef982d7fe319d11de56ffe34f93ab193

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ref

                    Filesize

                    67KB

                    MD5

                    68b581399c9f6d1532023aeb3cddebcf

                    SHA1

                    dbc29a3f2f0d864db17f0804e9a7f4e1ffed763c

                    SHA256

                    5cc78ee895e813fd3cbf08c9c519c890662d9ddaf92e526bb3f1afff08f0725a

                    SHA512

                    cba377bc14a2ae4174ef9738eec3ee32380a0d5319af7301df84975d82fe7dcd84a8c3572ed1966512d0712b85a9d32b163b5993d751c131471af2dbe823c4da

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rugs

                    Filesize

                    10KB

                    MD5

                    ef184ffd17abae29eb2d8592242d0a0c

                    SHA1

                    0310d608c20df37e7e29a241b729cb87df6fd2ff

                    SHA256

                    c229230da0d9f0533abe2289bd5c0ad8d28cf43aa53cb9b6974fe7b9ccbcfe2a

                    SHA512

                    dcae2f0c1901cd6f1e03b05674b298e4bcb4e56d997c4c04a3eb376a140d1e09c76d90df32c285d34001e42b20e0a085bc09bcb8cfec1245a230c0935638d83e

                  • memory/3948-35-0x0000000004790000-0x00000000047FD000-memory.dmp

                    Filesize

                    436KB

                  • memory/3948-45-0x0000000005890000-0x0000000005C90000-memory.dmp

                    Filesize

                    4.0MB

                  • memory/3948-33-0x0000000077C61000-0x0000000077D81000-memory.dmp

                    Filesize

                    1.1MB

                  • memory/3948-36-0x0000000004790000-0x00000000047FD000-memory.dmp

                    Filesize

                    436KB

                  • memory/3948-37-0x0000000004790000-0x00000000047FD000-memory.dmp

                    Filesize

                    436KB

                  • memory/3948-39-0x0000000004790000-0x00000000047FD000-memory.dmp

                    Filesize

                    436KB

                  • memory/3948-40-0x0000000004790000-0x00000000047FD000-memory.dmp

                    Filesize

                    436KB

                  • memory/3948-41-0x0000000004790000-0x00000000047FD000-memory.dmp

                    Filesize

                    436KB

                  • memory/3948-42-0x0000000004790000-0x00000000047FD000-memory.dmp

                    Filesize

                    436KB

                  • memory/3948-43-0x0000000005890000-0x0000000005C90000-memory.dmp

                    Filesize

                    4.0MB

                  • memory/3948-46-0x0000000005890000-0x0000000005C90000-memory.dmp

                    Filesize

                    4.0MB

                  • memory/3948-34-0x0000000001E90000-0x0000000001E91000-memory.dmp

                    Filesize

                    4KB

                  • memory/3948-44-0x0000000004790000-0x00000000047FD000-memory.dmp

                    Filesize

                    436KB

                  • memory/3948-47-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/3948-49-0x0000000005890000-0x0000000005C90000-memory.dmp

                    Filesize

                    4.0MB

                  • memory/3948-50-0x00000000770B0000-0x00000000772C5000-memory.dmp

                    Filesize

                    2.1MB

                  • memory/3948-59-0x0000000005890000-0x0000000005C90000-memory.dmp

                    Filesize

                    4.0MB

                  • memory/4816-53-0x0000000002B30000-0x0000000002F30000-memory.dmp

                    Filesize

                    4.0MB

                  • memory/4816-55-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/4816-56-0x0000000002B30000-0x0000000002F30000-memory.dmp

                    Filesize

                    4.0MB

                  • memory/4816-58-0x00000000770B0000-0x00000000772C5000-memory.dmp

                    Filesize

                    2.1MB

                  • memory/4816-51-0x0000000001010000-0x0000000001019000-memory.dmp

                    Filesize

                    36KB

                  • memory/4816-60-0x0000000002B30000-0x0000000002F30000-memory.dmp

                    Filesize

                    4.0MB