Analysis
max time kernel: 50s
max time network: 58s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-06-2024 13:58
Behavioral tasks
behavioral1: sample "??? ?? - KOMCA/1099Misc.pdf", resource win7-20240508-en
behavioral2: sample "??? ?? - KOMCA/1099Misc.pdf", resource win10v2004-20240226-en
behavioral3: sample "??? ?? - KOMCA/??? ?? - KOMCA.exe", resource win7-20240508-en
behavioral4: sample "??? ?? - KOMCA/??? ?? - KOMCA.exe", resource win10v2004-20240226-en
behavioral5: sample "??? ?? - KOMCA/msimg32.dll", resource win7-20231129-en
behavioral6: sample "??? ?? - KOMCA/msimg32.dll", resource win10v2004-20240508-en
General
Target: ??? ?? - KOMCA/msimg32.dll
Size: 3.4MB
MD5: 6e01e13c33d0ef84ec2e7c95cb7cf5dc
SHA1: 36056aa4893eca4309f19786dca3527e28471b2d
SHA256: 9abbafb168ff943f563bc2e39d6614796704993819ea89840daf0e3b1c5a98aa
SHA512: e8e33ce34d01ad30172a21451439104666ab8cb538149a44ae5d9e078ba552c3f5e5e7ae53e088bff74ad89412987bcbf04b4a3c45debfba1ef56f3bcd3f96db
SSDEEP: 49152:G7q38GEJR8MUKCN4mdsTEgoTrpVRvLDS7m2Xob/BJCgLzDdwd9bk/RiF6xQf2V4d:7YA/BSY/RiAxpVo
Malware Config
Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes (description | pid | process | target process):
  PID 1812 created 2576 | 1812 | regsvr32.exe | sihost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\FirefoxData.dll,EntryPoint" | reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
Processes (pid | process):
  2264 | regsvr32.exe

Program crash (2 IoCs)
Processes (pid | pid_target | process | target process):
  2968 | 1812 | WerFault.exe | regsvr32.exe
  5004 | 1812 | WerFault.exe | regsvr32.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid | process):
  1812 | regsvr32.exe (2 entries)
  4668 | dialer.exe (4 entries)

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (description | pid | process | target process):
  PID 548 wrote to memory of 2264 | 548 | regsvr32.exe | regsvr32.exe (3 entries)
  PID 2264 wrote to memory of 1812 | 2264 | regsvr32.exe | regsvr32.exe (6 entries)
  PID 2264 wrote to memory of 3556 | 2264 | regsvr32.exe | cmd.exe (3 entries)
  PID 3556 wrote to memory of 2528 | 3556 | cmd.exe | reg.exe (3 entries)
  PID 1812 wrote to memory of 4668 | 1812 | regsvr32.exe | dialer.exe (5 entries)
Processes (parent/child tree: image path, PID, command line, and the signatures each process triggered)

C:\Windows\system32\sihost.exe (PID 2576)
  command line: sihost.exe
  C:\Windows\SysWOW64\dialer.exe (PID 4668)
    command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\regsvr32.exe (PID 548)
  command line: regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\___ __ - KOMCA\msimg32.dll"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe (PID 2264)
    command line: /s "C:\Users\Admin\AppData\Local\Temp\___ __ - KOMCA\msimg32.dll"
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe (PID 1812)
      command line: "C:\Windows\SysWOW64\regsvr32.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe (PID 2968)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 596
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe (PID 5004)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 592
        - Program crash
    C:\Windows\SysWOW64\cmd.exe (PID 3556)
      command line: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f & exit
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 2528)
        command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f
        - Adds Run key to start application

C:\Windows\SysWOW64\WerFault.exe (PID 4920)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1812 -ip 1812

C:\Windows\SysWOW64\WerFault.exe (PID 1196)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1812 -ip 1812
Network
MITRE ATT&CK Enterprise v15
Downloads (memory dumps, with file size)
memory/1812-12-0x0000000003510000-0x0000000003910000-memory.dmp (4.0MB)
memory/1812-13-0x0000000003510000-0x0000000003910000-memory.dmp (4.0MB)
memory/1812-14-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp (2.0MB)
memory/1812-17-0x0000000003510000-0x0000000003910000-memory.dmp (4.0MB)
memory/1812-11-0x0000000003510000-0x0000000003910000-memory.dmp (4.0MB)
memory/1812-4-0x00000000005D0000-0x00000000005D1000-memory.dmp (4KB)
memory/1812-9-0x0000000000560000-0x00000000005CD000-memory.dmp (436KB)
memory/1812-10-0x0000000000560000-0x00000000005CD000-memory.dmp (436KB)
memory/1812-25-0x0000000003510000-0x0000000003910000-memory.dmp (4.0MB)
memory/1812-16-0x00000000756C0000-0x00000000758D5000-memory.dmp (2.1MB)
memory/1812-8-0x0000000000560000-0x00000000005CD000-memory.dmp (436KB)
memory/2264-2-0x0000000010000000-0x000000001037A000-memory.dmp (3.5MB)
memory/2264-1-0x0000000010007000-0x0000000010021000-memory.dmp (104KB)
memory/2264-0-0x0000000010000000-0x000000001037A000-memory.dmp (3.5MB)
memory/2264-7-0x0000000010000000-0x000000001037A000-memory.dmp (3.5MB)
memory/2264-3-0x0000000010000000-0x000000001037A000-memory.dmp (3.5MB)
memory/4668-23-0x00000000756C0000-0x00000000758D5000-memory.dmp (2.1MB)
memory/4668-20-0x0000000002D40000-0x0000000003140000-memory.dmp (4.0MB)
memory/4668-21-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp (2.0MB)
memory/4668-18-0x0000000000F10000-0x0000000000F19000-memory.dmp (36KB)