Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    11-06-2024 13:58

General

  • Target

    ??? ?? - KOMCA/msimg32.dll

  • Size

    3.4MB

  • MD5

    6e01e13c33d0ef84ec2e7c95cb7cf5dc

  • SHA1

    36056aa4893eca4309f19786dca3527e28471b2d

  • SHA256

    9abbafb168ff943f563bc2e39d6614796704993819ea89840daf0e3b1c5a98aa

  • SHA512

    e8e33ce34d01ad30172a21451439104666ab8cb538149a44ae5d9e078ba552c3f5e5e7ae53e088bff74ad89412987bcbf04b4a3c45debfba1ef56f3bcd3f96db

  • SSDEEP

    49152:G7q38GEJR8MUKCN4mdsTEgoTrpVRvLDS7m2Xob/BJCgLzDdwd9bk/RiF6xQf2V4d:7YA/BSY/RiAxpVo

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1256
      • C:\Windows\system32\regsvr32.exe
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\___ __ - KOMCA\msimg32.dll"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2188
        • C:\Windows\SysWOW64\regsvr32.exe
          /s "C:\Users\Admin\AppData\Local\Temp\___ __ - KOMCA\msimg32.dll"
          3⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:548
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2868
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f & exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1916
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f
              5⤵
              • Adds Run key to start application
              PID:2564
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2660

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/548-0-0x0000000010000000-0x000000001037A000-memory.dmp
      Filesize

      3.5MB

    • memory/548-10-0x0000000010007000-0x0000000010021000-memory.dmp
      Filesize

      104KB

    • memory/548-7-0x0000000010000000-0x000000001037A000-memory.dmp
      Filesize

      3.5MB

    • memory/2660-21-0x00000000760B0000-0x00000000760F7000-memory.dmp
      Filesize

      284KB

    • memory/2660-18-0x0000000001FC0000-0x00000000023C0000-memory.dmp
      Filesize

      4.0MB

    • memory/2660-19-0x0000000077490000-0x0000000077639000-memory.dmp
      Filesize

      1.7MB

    • memory/2660-16-0x0000000000080000-0x0000000000089000-memory.dmp
      Filesize

      36KB

    • memory/2868-1-0x00000000001D0000-0x000000000023D000-memory.dmp
      Filesize

      436KB

    • memory/2868-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

    • memory/2868-11-0x00000000001D0000-0x000000000023D000-memory.dmp
      Filesize

      436KB

    • memory/2868-12-0x0000000003600000-0x0000000003A00000-memory.dmp
      Filesize

      4.0MB

    • memory/2868-13-0x0000000003600000-0x0000000003A00000-memory.dmp
      Filesize

      4.0MB

    • memory/2868-15-0x00000000760B0000-0x00000000760F7000-memory.dmp
      Filesize

      284KB

    • memory/2868-4-0x0000000000090000-0x0000000000091000-memory.dmp
      Filesize

      4KB

    • memory/2868-5-0x0000000000090000-0x0000000000091000-memory.dmp
      Filesize

      4KB

    • memory/2868-9-0x00000000001D0000-0x000000000023D000-memory.dmp
      Filesize

      436KB

    • memory/2868-8-0x00000000001D0000-0x000000000023D000-memory.dmp
      Filesize

      436KB