Analysis
max time kernel: 147s
max time network: 157s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 08-07-2024 09:35
Static task: static1
Behavioral task: behavioral1 (sample 651962c322d049e7271543d8d2673311.exe, resource win7-20240704-en)
Behavioral task: behavioral2 (sample 651962c322d049e7271543d8d2673311.exe, resource win10v2004-20240704-en)
General
Target: 651962c322d049e7271543d8d2673311.exe
Size: 4.3MB
MD5: 651962c322d049e7271543d8d2673311
SHA1: e4a3c9a15006aae882697cff0ec90795f658ee94
SHA256: 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546
SHA512: 121b96a1ce8e12924e41c2243cea25dbc13240c6cfadcfe01aecbea1c6676261cbcf89677fb1a8e429e22d47b1030b9e24e03b96a5f7e956316f02bd8d2c74b1
SSDEEP: 98304:fh0DJ8JeTBYX6L9jeMr31y0pv/u4EmRIO3HLWjds/ht/tpxeSZ:bJeTKX6L9fHBW4bW+zdeS
Malware Config
Signatures
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 588 created 1392 | 588 | 651962c322d049e7271543d8d2673311.exe | 20
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run PowerShell and hide display window.
pid | Process
2752 | powershell.exe
4760 | powershell.exe

Executes dropped EXE (4 IoCs)
pid | Process
1908 | blue.exe
1716 | blue.exe
4004 | Version.exe
1704 | Version.exe

Loads dropped DLL (2 IoCs)
pid | Process
2256 | 651962c322d049e7271543d8d2673311.exe
1908 | blue.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Suspicious use of SetThreadContext (5 IoCs)
description | pid | Process | procid_target
PID 2256 set thread context of 588 | 2256 | 651962c322d049e7271543d8d2673311.exe | 30
PID 1908 set thread context of 1716 | 1908 | blue.exe | 32
PID 4004 set thread context of 1704 | 4004 | Version.exe | 40
PID 1704 set thread context of 4564 | 1704 | Version.exe | 42
PID 4564 set thread context of 4988 | 4564 | InstallUtil.exe | 45

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
588 | 651962c322d049e7271543d8d2673311.exe
588 | 651962c322d049e7271543d8d2673311.exe
668 | dialer.exe
668 | dialer.exe
668 | dialer.exe
668 | dialer.exe
2752 | powershell.exe
1704 | Version.exe
1704 | Version.exe
4760 | powershell.exe

Suspicious use of AdjustPrivilegeToken (13 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2256 | 651962c322d049e7271543d8d2673311.exe
Token: SeDebugPrivilege | 1908 | blue.exe
Token: SeDebugPrivilege | 2256 | 651962c322d049e7271543d8d2673311.exe
Token: SeDebugPrivilege | 1908 | blue.exe
Token: SeDebugPrivilege | 1716 | blue.exe
Token: SeDebugPrivilege | 2752 | powershell.exe
Token: SeDebugPrivilege | 4004 | Version.exe
Token: SeDebugPrivilege | 4004 | Version.exe
Token: SeDebugPrivilege | 1704 | Version.exe
Token: SeDebugPrivilege | 4564 | InstallUtil.exe
Token: SeDebugPrivilege | 4564 | InstallUtil.exe
Token: SeDebugPrivilege | 4988 | InstallUtil.exe
Token: SeDebugPrivilege | 4760 | powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, repeat count in brackets)
description | pid | Process | procid_target
PID 2256 wrote to memory of 1908 | 2256 | 651962c322d049e7271543d8d2673311.exe | 29 [x4]
PID 2256 wrote to memory of 588 | 2256 | 651962c322d049e7271543d8d2673311.exe | 30 [x9]
PID 588 wrote to memory of 668 | 588 | 651962c322d049e7271543d8d2673311.exe | 31 [x6]
PID 1908 wrote to memory of 1716 | 1908 | blue.exe | 32 [x9]
PID 1088 wrote to memory of 2752 | 1088 | taskeng.exe | 36 [x3]
PID 3884 wrote to memory of 4004 | 3884 | taskeng.exe | 39 [x4]
PID 4004 wrote to memory of 1704 | 4004 | Version.exe | 40 [x9]
PID 1704 wrote to memory of 4564 | 1704 | Version.exe | 42 [x12]
PID 1088 wrote to memory of 4760 | 1088 | taskeng.exe | 43 [x3]
PID 4564 wrote to memory of 4988 | 4564 | InstallUtil.exe | 45 [x5]
Processes
C:\Windows\Explorer.EXE (PID 1392)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\651962c322d049e7271543d8d2673311.exe (PID 2256)
    command line: "C:\Users\Admin\AppData\Local\Temp\651962c322d049e7271543d8d2673311.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\blue.exe (PID 1908)
      command line: "C:\Users\Admin\AppData\Local\Temp\blue.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\blue.exe (PID 1716)
        command line: "C:\Users\Admin\AppData\Local\Temp\blue.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\651962c322d049e7271543d8d2673311.exe (PID 588)
      command line: "C:\Users\Admin\AppData\Local\Temp\651962c322d049e7271543d8d2673311.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\dialer.exe (PID 668)
    command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\taskeng.exe (PID 1088)
  command line: taskeng.exe {02864D4D-622A-42EF-8926-F307AD44AF91} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:S4U:
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2752)
    command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVgBlAHIAcwBpAG8AbgAuAGUAeABlADsA
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4760)
    command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVgBlAHIAcwBpAG8AbgAuAGUAeABlADsA
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\taskeng.exe (PID 3884)
  command line: taskeng.exe {C431DD03-7041-46CC-9195-C885BB422856} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\AuditRuleType\nmqgcn\Version.exe (PID 4004)
    command line: C:\Users\Admin\AppData\Local\AuditRuleType\nmqgcn\Version.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\AuditRuleType\nmqgcn\Version.exe (PID 1704)
      command line: "C:\Users\Admin\AppData\Local\AuditRuleType\nmqgcn\Version.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 4564)
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 4988)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.1MB
MD5: 30cd8c00307286863dba2ec13fb2a611
SHA1: 65815b908d5fd2905f70240d6dfe6e17f3c78aa1
SHA256: c68192f008c1b7638e18ec1a6e5787953ea6775bb33acf9a12f64440f3b788e7
SHA512: 76a903bdb21ae382cd737432b2f5b3152589a3d3863c9120e9ad850d8cb46e07b90ed42f21d74840d4dc1383f2aee7bfc24f3f10eba94858e84af762bd404335

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 0a82923f5d72f49898567b0aee0d4a2a
SHA1: f32932925789f43572b8d309e5b99a7012f19eb2
SHA256: 0cc869dafa6e7099820734e03533bae4c3c91f01365258f5ed4d26988295802a
SHA512: 153a03a6072327878c635ddec057cbcb901b47341b9ff73c5f0d080714402d805e140972141446397e599129c69856826503287085de07e770f02e27758a0c56