Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
11/06/2024, 06:27
General
-
Target
file.exe
-
Size
1.7MB
-
MD5
4363d52fe7027df2212ad2b3333ebaf9
-
SHA1
beac1fc8c012a28cb9f38f6e4296278543048fcf
-
SHA256
ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc
-
SHA512
bb5bcb9f7b42d370b86ad7d4c16605d9bf755fd2291a70716facc2aa62baf45aabf068882c413334332af5819a97c9c4d7703edb9ec84edd8e87c57bab36acee
-
SSDEEP
24576:ZMm5SH6MIl3LkGDhsmD/U0wA77v+M0yYvh3J9oeVaEJyqH2ai519He:ZMm5Lnl7kSUEXvAyUh3J9oeVaEk5rHe
Score
10/10
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 4523⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 4483⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 432 -ip 4321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 432 -ip 4321⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.0MB
-
Filesize
2.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
2.1MB
-
Filesize
436KB
-
Filesize
4.0MB
-
Filesize
436KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
472KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
7.7MB
-
Filesize
2.1MB
-
Filesize
2.0MB
-
Filesize
36KB
-
Filesize
4.0MB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
272KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
1.7MB