Malware Analysis Report

2024-11-13 13:50

Sample ID 240405-y5tt6scf9t
Target rha.zip
SHA256 c529cd95c0c85ca18df3e690f840e51d0be33b5b92f8bf1e9f91821eaedac68c
Tags
rhadamanthys stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c529cd95c0c85ca18df3e690f840e51d0be33b5b92f8bf1e9f91821eaedac68c

Threat Level: Known bad

The file rha.zip was found to be: Known bad.

Malicious Activity Summary

rhadamanthys stealer

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: CmdExeWriteProcessMemorySpam

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-05 20:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-05 20:22

Reported

2024-04-05 20:25

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\g2m.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4064 wrote to memory of 4360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4064 wrote to memory of 4360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4064 wrote to memory of 4360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\g2m.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\g2m.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4360 -ip 4360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 560

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 235.137.73.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 248.137.73.23.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-05 20:22

Reported

2024-04-05 20:25

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

127s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4432 created 2500 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\system32\sihost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"

C:\Users\Admin\AppData\Local\Temp\file.exe

"file.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 211.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 235.137.73.23.in-addr.arpa udp
US 8.8.8.8:53 242.137.73.23.in-addr.arpa udp
US 8.8.8.8:53 78.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/4432-0-0x0000000000530000-0x0000000000591000-memory.dmp

memory/4432-1-0x0000000003920000-0x0000000003D20000-memory.dmp

memory/4432-3-0x0000000003920000-0x0000000003D20000-memory.dmp

memory/4432-2-0x0000000003920000-0x0000000003D20000-memory.dmp

memory/4432-4-0x00007FFADD230000-0x00007FFADD425000-memory.dmp

memory/4432-6-0x0000000003920000-0x0000000003D20000-memory.dmp

memory/4432-7-0x0000000075F40000-0x0000000076155000-memory.dmp

memory/4600-8-0x0000000000EF0000-0x0000000000EF9000-memory.dmp

memory/4600-11-0x0000000002AA0000-0x0000000002EA0000-memory.dmp

memory/4600-10-0x0000000002AA0000-0x0000000002EA0000-memory.dmp

memory/4600-14-0x0000000002AA0000-0x0000000002EA0000-memory.dmp

memory/4600-15-0x0000000075F40000-0x0000000076155000-memory.dmp

memory/4600-12-0x00007FFADD230000-0x00007FFADD425000-memory.dmp

memory/4600-16-0x0000000002AA0000-0x0000000002EA0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 20:22

Reported

2024-04-05 20:26

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\rha.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\rha.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 20:22

Reported

2024-04-05 20:26

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

129s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\rha.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\rha.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 211.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 242.137.73.23.in-addr.arpa udp
US 8.8.8.8:53 235.138.73.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-05 20:22

Reported

2024-04-05 20:26

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

95s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 880 created 2572 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\system32\sihost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 211.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 242.137.73.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 248.137.73.23.in-addr.arpa udp

Files

memory/880-0-0x0000000000060000-0x00000000000C1000-memory.dmp

memory/880-1-0x00000000037A0000-0x0000000003BA0000-memory.dmp

memory/880-3-0x00000000037A0000-0x0000000003BA0000-memory.dmp

memory/880-2-0x00000000037A0000-0x0000000003BA0000-memory.dmp

memory/880-4-0x00007FFDAC4D0000-0x00007FFDAC6C5000-memory.dmp

memory/4484-8-0x0000000001260000-0x0000000001269000-memory.dmp

memory/880-7-0x0000000076660000-0x0000000076875000-memory.dmp

memory/880-5-0x00000000037A0000-0x0000000003BA0000-memory.dmp

memory/4484-10-0x0000000002E00000-0x0000000003200000-memory.dmp

memory/4484-11-0x00007FFDAC4D0000-0x00007FFDAC6C5000-memory.dmp

memory/4484-14-0x0000000002E00000-0x0000000003200000-memory.dmp

memory/4484-13-0x0000000076660000-0x0000000076875000-memory.dmp

memory/4484-15-0x0000000002E00000-0x0000000003200000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-05 20:22

Reported

2024-04-05 20:25

Platform

win7-20240215-en

Max time kernel

117s

Max time network

117s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\run.bat"

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 312 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\file.exe
PID 1304 wrote to memory of 312 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\file.exe
PID 1304 wrote to memory of 312 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\file.exe
PID 1304 wrote to memory of 312 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\file.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\run.bat"

C:\Users\Admin\AppData\Local\Temp\file.exe

"file.exe"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-05 20:22

Reported

2024-04-05 20:25

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data.bin

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\bin_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.bin C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.bin\ = "bin_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\bin_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\bin_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\bin_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\bin_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data.bin

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data.bin

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data.bin"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 036b4892ae6ecb7d97e1c9b8400291ac
SHA1 a307aff9142aa2208252c0569e42e15c2ed14ba8
SHA256 983a7bd10fcfc36b66ea1bbc4eeffe54976f7e10f2c843b48c4643483fd9c384
SHA512 99b3cff0a271538008152167400c668535231e3a97e9a968f51db482e3f1167de16ed2acfe0a62135f3fa207d6e13800060af9692c8f93b12b01c66a4e04db23

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-05 20:22

Reported

2024-04-05 20:26

Platform

win10v2004-20240319-en

Max time kernel

146s

Max time network

152s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data.bin

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data.bin

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2260,i,4762972005863767630,9297428255150568035,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
NL 142.251.39.110:443 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
NL 142.250.179.138:443 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 242.137.73.23.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 172.217.18.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-05 20:22

Reported

2024-04-05 20:26

Platform

win7-20240221-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\System32\Notepad.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RestartSet.cmd

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\AddSplit.js

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-05 20:22

Reported

2024-04-05 20:26

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\g2m.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\g2m.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\g2m.dll,#1

Network

N/A

Files

N/A