Overview

overview

10

Static

static

10

snss2.exe

windows7-x64

10

snss2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    235s
  • max time network
    240s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    snss2.exe

  • Size

    7.7MB

  • MD5

    3a856193d7f5204896257205ffbe19bf

  • SHA1

    a9f0f06ca0828076b76edd913e5c8429d7bb2ca3

  • SHA256

    8ab04f749508030f388cbbe218bfaf32490673793c066d4e1002b6ad56f78c1e

  • SHA512

    0d3a2468f130e1431e7ef57f0021e14ecc91399addf6f6648cb689d45bd162f0f3a9931807aa4c69e341a3e49bbe63a9c04dbc841cfc7c4b36c023f7e114b63a

  • SSDEEP

    98304:3RjBDuX7yiW2cTYuVEWilcAiKS6m4goQ1v5zzG1GM2h8LH7Bil63eAo3YLhQL7IC:3R1D1iQT3fnIGMZ7Bil63r6YLEurIvZf

Score
10/10
hijackloaderrhadamanthysloaderspywarestealer

Malware Config

Signatures

  • Detects HijackLoader (aka IDAT Loader) 1 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

    loaderhijackloader
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:3032
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3564
    • C:\Users\Admin\AppData\Local\Temp\snss2.exe
      "C:\Users\Admin\AppData\Local\Temp\snss2.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe
        2⤵
        • Deletes itself
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3412
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1200
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3748,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
      1⤵
        PID:940

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\9be6534e
        Filesize

        1.0MB

        MD5

        5b7479749c294430b0a5096164ececcb

        SHA1

        5d7af2ecbc336d3ca0360683c75dd278a3c474ed

        SHA256

        08a72b5d08619666a9f3026ce52aa0da9eccec3e75c5c1bb2c48a1a5a352aab9

        SHA512

        7d5a6893346fba40e0e0ea87ea924e825604783aa38e1fa1a9c5c2c5a5819a94c84de57c654b7e50372be1ef8fb2e6d01d1a73a9858ea487bfb9af6237f7d856

        Download Submit

      • memory/1200-14-0x0000000000140000-0x00000000001AF000-memory.dmp

        Filesize

        444KB

        Download

      • memory/1200-21-0x0000000000140000-0x00000000001AF000-memory.dmp

        Filesize

        444KB

        Download

      • memory/1200-18-0x0000000000FE3000-0x0000000000FEB000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1200-16-0x0000000000140000-0x00000000001AF000-memory.dmp

        Filesize

        444KB

        Download

      • memory/1200-15-0x00007FFF61BB0000-0x00007FFF61DA5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1200-19-0x0000000004680000-0x0000000004A80000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1200-20-0x0000000004680000-0x0000000004A80000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1200-24-0x0000000076260000-0x0000000076475000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/1200-25-0x0000000000F00000-0x0000000001333000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/1348-1-0x0000000074630000-0x00000000747AB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1348-2-0x00007FFF61BB0000-0x00007FFF61DA5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1348-0-0x0000000000400000-0x0000000000BFE000-memory.dmp

        Filesize

        8.0MB

        Download

      • memory/1348-5-0x0000000074630000-0x00000000747AB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1348-3-0x0000000074642000-0x0000000074644000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1348-4-0x0000000074630000-0x00000000747AB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3412-7-0x0000000074630000-0x00000000747AB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3412-13-0x0000000074630000-0x00000000747AB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3412-11-0x0000000074630000-0x00000000747AB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3412-10-0x0000000074630000-0x00000000747AB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3412-9-0x00007FFF61BB0000-0x00007FFF61DA5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3564-26-0x0000000000DC0000-0x0000000000DC9000-memory.dmp

        Filesize

        36KB

        Download

      • memory/3564-29-0x0000000002B80000-0x0000000002F80000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3564-30-0x00007FFF61BB0000-0x00007FFF61DA5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3564-32-0x0000000076260000-0x0000000076475000-memory.dmp

        Filesize

        2.1MB

        Download