Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 11-06-2024 13:58
Behavioral tasks
- behavioral1: Sample ??? ?? - KOMCA/1099Misc.pdf; Resource win7-20240508-en
- behavioral2: Sample ??? ?? - KOMCA/1099Misc.pdf; Resource win10v2004-20240226-en
- behavioral3: Sample ??? ?? - KOMCA/??? ?? - KOMCA.exe; Resource win7-20240508-en
- behavioral4: Sample ??? ?? - KOMCA/??? ?? - KOMCA.exe; Resource win10v2004-20240226-en
- behavioral5: Sample ??? ?? - KOMCA/msimg32.dll; Resource win7-20231129-en
- behavioral6: Sample ??? ?? - KOMCA/msimg32.dll; Resource win10v2004-20240508-en
General
- Target: ??? ?? - KOMCA/msimg32.dll
- Size: 3.4MB
- MD5: 6e01e13c33d0ef84ec2e7c95cb7cf5dc
- SHA1: 36056aa4893eca4309f19786dca3527e28471b2d
- SHA256: 9abbafb168ff943f563bc2e39d6614796704993819ea89840daf0e3b1c5a98aa
- SHA512: e8e33ce34d01ad30172a21451439104666ab8cb538149a44ae5d9e078ba552c3f5e5e7ae53e088bff74ad89412987bcbf04b4a3c45debfba1ef56f3bcd3f96db
- SSDEEP: 49152:G7q38GEJR8MUKCN4mdsTEgoTrpVRvLDS7m2Xob/BJCgLzDdwd9bk/RiF6xQf2V4d:7YA/BSY/RiAxpVo
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
  description            pid   process       target process
  PID 2868 created 1256  2868  regsvr32.exe  Explorer.EXE
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\FirefoxData.dll,EntryPoint"
  process: reg.exe
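The Run value above carries four signs an analyst reads at a glance: the `*` prefix on the value name (Microsoft documents that such Run entries are executed even when Windows boots into Safe Mode), rundll32.exe as the host, a DLL dropped under the user's Documents folder, and a "ChromeUpdate" name that loads "FirefoxData.dll". The script below is an added example and not code from the sandbox or the report; it scores a Run entry against those signs. `SAMPLE_ENTRY` is transcribed from the signature; `BENIGN_ENTRY` is a constructed control, and `LOLBIN_HOSTS`, `USER_WRITABLE` and the point weights are this example's own assumptions, not a published scoring scheme.

```python
"""Score a Run-key autostart entry the way a triage analyst reads this one.

Added example, not code from the sandbox or the report. SAMPLE_ENTRY is the
value recorded in the report's "Adds Run key" signature; BENIGN_ENTRY is a
constructed control; the heuristics and their weights are this example's own.
"""
import re
from dataclasses import dataclass, field

SAMPLE_ENTRY = {
    "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "name": "*ChromeUpdate",
    "data": r"rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll,EntryPoint",
}
# Constructed control entry shaped like a typical vendor autostart (assumption).
BENIGN_ENTRY = {
    "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "name": "OneDrive",
    "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
}

# Hosts that execute whatever file they are pointed at (assumed list).
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "powershell.exe", "msiexec.exe"}
# Folders a standard user can write to, so a payload there needs no privilege.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(Documents|Downloads|Desktop|AppData|Pictures|Videos|Music)\\",
    re.I)
BRANDS = ("chrome", "firefox", "edge", "opera")


@dataclass
class Assessment:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def host_binary(cmdline):
    """Image name of the program the entry launches (handles a quoted first token)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        head = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        head = cmdline.split()[0] if cmdline else ""
    return head.rsplit("\\", 1)[-1].lower()


def first_path_argument(cmdline):
    """First drive-letter path after the host binary (the DLL for rundll32)."""
    cmdline = cmdline.strip()
    if not cmdline:
        return ""
    if cmdline.startswith('"'):
        host_len = cmdline.find('"', 1) + 1
    else:
        host_len = len(cmdline.split()[0])
    m = re.search(r"[A-Za-z]:\\[^,\"]+", cmdline[host_len:])
    return m.group(0).strip() if m else ""


def assess_run_entry(entry):
    a = Assessment()
    name, data = entry["name"], entry["data"]
    # Microsoft documents that a Run value whose name begins with '*' is also
    # executed when Windows boots into Safe Mode.
    if name.startswith("*"):
        a.add(3, "value name starts with '*' (entry also runs in Safe Mode)")
    host = host_binary(data)
    if host in LOLBIN_HOSTS:
        a.add(2, f"launched through {host}, a LOLBin host")
    target = first_path_argument(data)
    if target and USER_WRITABLE.match(target):
        a.add(2, f"payload lives in a user-writable folder: {target}")
    # "*ChromeUpdate" loading FirefoxData.dll: name and payload impersonate
    # different products, which no genuine updater does.
    in_name = {b for b in BRANDS if b in name.lower()}
    in_target = {b for b in BRANDS if b in target.lower()}
    if in_name and in_target and in_name != in_target:
        a.add(1, "entry name and payload impersonate different products")
    return a


if __name__ == "__main__":
    for e in (SAMPLE_ENTRY, BENIGN_ENTRY):
        r = assess_run_entry(e)
        print(f"{e['name']!r}: score {r.score}")
        for why in r.reasons:
            print("  -", why)
```

On a live host the same function can be fed the output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and the HKLM, RunOnce and Wow6432Node variants); the point of scoring rather than string-matching `*ChromeUpdate` is that the next sample will use a different name but the same four tells.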
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  Processes:
  pid  process
  548  regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid   process
  2868  regsvr32.exe
  2868  regsvr32.exe
  2660  dialer.exe
  2660  dialer.exe
  2660  dialer.exe
  2660  dialer.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes (identical rows grouped; the row counts sum to 31):
  description                       pid   process       target process  rows
  PID 2188 wrote to memory of 548   2188  regsvr32.exe  regsvr32.exe    7
  PID 548 wrote to memory of 2868   548   regsvr32.exe  regsvr32.exe    10
  PID 548 wrote to memory of 1916   548   regsvr32.exe  cmd.exe         4
  PID 1916 wrote to memory of 2564  1916  cmd.exe       reg.exe         4
  PID 2868 wrote to memory of 2660  2868  regsvr32.exe  dialer.exe      6
Processes
1. C:\Windows\Explorer.EXE (PID 1256)
   command line: C:\Windows\Explorer.EXE
   2. C:\Windows\system32\regsvr32.exe (PID 2188)
      command line: regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\___ __ - KOMCA\msimg32.dll"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regsvr32.exe (PID 548)
         command line: /s "C:\Users\Admin\AppData\Local\Temp\___ __ - KOMCA\msimg32.dll"
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\regsvr32.exe (PID 2868)
            command line: "C:\Windows\SysWOW64\regsvr32.exe"
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe (PID 1916)
            command line: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f & exit
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\reg.exe (PID 2564)
               command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f
               - Adds Run key to start application
   2. C:\Windows\SysWOW64\dialer.exe (PID 2660)
      command line: "C:\Windows\system32\dialer.exe"
      - Suspicious behavior: EnumeratesProcesses
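The tree draws dialer.exe (2660) directly under Explorer.EXE (1256), yet the WriteProcessMemory rows show regsvr32.exe (2868) writing into it, and the NtCreateUserProcessOtherParentProcess row names 2868 together with Explorer. The script below is an added example, not code from the sandbox or the report: it transcribes the tree and the 31 write rows from this page, rebuilds the creation lineage from the writer/target pairs, and flags every process whose declared parent is not the process that wrote into it. The write counts alone are not evidence of injection: on this same page cmd.exe writes into reg.exe four times merely by launching it, because CreateProcess writes the child's startup parameters into the new process, so the signal is the parent mismatch, not the number of writes. `TREE`, `WRITE_ROWS` and the function names are this example's own.

```python
"""Cross-check the sandbox's WriteProcessMemory rows against its process tree.

Added example, not code from the sandbox or the report. TREE and WRITE_ROWS are
transcribed from this report; the analysis functions are this example's own.
"""
import re
from collections import Counter

# Process tree as the report draws it: pid -> (image name, declared parent pid).
# dialer.exe (2660) sits directly under Explorer (1256), not under regsvr32.
TREE = {
    1256: ("Explorer.EXE", None),
    2188: ("regsvr32.exe", 1256),
    548:  ("regsvr32.exe", 2188),
    2868: ("regsvr32.exe", 548),
    1916: ("cmd.exe", 548),
    2564: ("reg.exe", 1916),
    2660: ("dialer.exe", 1256),
}

# The 31 "Suspicious use of WriteProcessMemory" descriptions, one per row.
WRITE_ROWS = (
    ["PID 2188 wrote to memory of 548"] * 7
    + ["PID 548 wrote to memory of 2868"] * 10
    + ["PID 548 wrote to memory of 1916"] * 4
    + ["PID 1916 wrote to memory of 2564"] * 4
    + ["PID 2868 wrote to memory of 2660"] * 6
)

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_writes(rows):
    """Collapse the row descriptions into (writer pid, target pid) -> count."""
    edges = Counter()
    for row in rows:
        m = ROW_RE.search(row)
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def writer_lineages(tree, edges):
    """Follow writer -> target edges from processes nobody wrote into.

    CreateProcess writes the new process's parameters into the child, so the
    first writer is normally the real creator; the chains show who spawned whom
    regardless of which parent the tree displays.
    """
    targets = {t for _, t in edges}
    roots = sorted({w for w, _ in edges if w not in targets})
    children = {}
    for w, t in edges:
        children.setdefault(w, []).append(t)
    chains = []

    def walk(pid, path):
        nxt = sorted(children.get(pid, []))
        if not nxt:
            chains.append([f"{tree[p][0]}({p})" for p in path])
        for t in nxt:
            walk(t, path + [t])

    for r in roots:
        walk(r, [r])
    return chains


def parent_mismatches(tree, edges):
    """Processes whose declared parent differs from the process that wrote into them.

    A writer that is not the declared parent, while the declared parent is an
    unrelated long-lived process, is the footprint of parent-PID spoofing via
    PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, which is what the
    NtCreateUserProcessOtherParentProcess signature on this report points at.
    """
    out = []
    for (writer, target), n in sorted(edges.items()):
        declared = tree[target][1]
        if writer != declared:
            out.append({
                "pid": target, "image": tree[target][0],
                "declared_parent": declared, "declared_parent_image": tree[declared][0],
                "writer": writer, "writer_image": tree[writer][0],
                "writes": n,
            })
    return out


if __name__ == "__main__":
    edges = parse_writes(WRITE_ROWS)
    print("creation lineage by memory writer:")
    for chain in writer_lineages(TREE, edges):
        print("  " + " -> ".join(chain))
    for f in parent_mismatches(TREE, edges):
        print(f"PPID mismatch: {f['image']}({f['pid']}) is drawn under "
              f"{f['declared_parent_image']}({f['declared_parent']}) but was written "
              f"into by {f['writer_image']}({f['writer']}) {f['writes']} times")
```

The same comparison works on endpoint telemetry: take the creator from the process-creation event source (Sysmon Event ID 1 records the caller; Windows Security 4688 records the declared parent only) and diff it against the parent-PID field. Any child of explorer.exe whose creator was a different process deserves the same look dialer.exe gets here.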
Network
MITRE ATT&CK Enterprise v15
Downloads
file                                                            size
memory/548-0-0x0000000010000000-0x000000001037A000-memory.dmp   3.5MB
memory/548-10-0x0000000010007000-0x0000000010021000-memory.dmp  104KB
memory/548-7-0x0000000010000000-0x000000001037A000-memory.dmp   3.5MB
memory/2660-21-0x00000000760B0000-0x00000000760F7000-memory.dmp 284KB
memory/2660-18-0x0000000001FC0000-0x00000000023C0000-memory.dmp 4.0MB
memory/2660-19-0x0000000077490000-0x0000000077639000-memory.dmp 1.7MB
memory/2660-16-0x0000000000080000-0x0000000000089000-memory.dmp 36KB
memory/2868-1-0x00000000001D0000-0x000000000023D000-memory.dmp  436KB
memory/2868-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
memory/2868-11-0x00000000001D0000-0x000000000023D000-memory.dmp 436KB
memory/2868-12-0x0000000003600000-0x0000000003A00000-memory.dmp 4.0MB
memory/2868-13-0x0000000003600000-0x0000000003A00000-memory.dmp 4.0MB
memory/2868-15-0x00000000760B0000-0x00000000760F7000-memory.dmp 284KB
memory/2868-4-0x0000000000090000-0x0000000000091000-memory.dmp  4KB
memory/2868-5-0x0000000000090000-0x0000000000091000-memory.dmp  4KB
memory/2868-9-0x00000000001D0000-0x000000000023D000-memory.dmp  436KB
memory/2868-8-0x00000000001D0000-0x000000000023D000-memory.dmp  436KB