Analysis
-
max time kernel
150s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
09-07-2024 01:12
Static task
static1
Behavioral task
behavioral1
Sample
33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe
Resource
win10v2004-20240704-en
General
-
Target
33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe
-
Size
4.3MB
-
MD5
651962c322d049e7271543d8d2673311
-
SHA1
e4a3c9a15006aae882697cff0ec90795f658ee94
-
SHA256
33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546
-
SHA512
121b96a1ce8e12924e41c2243cea25dbc13240c6cfadcfe01aecbea1c6676261cbcf89677fb1a8e429e22d47b1030b9e24e03b96a5f7e956316f02bd8d2c74b1
-
SSDEEP
98304:fh0DJ8JeTBYX6L9jeMr31y0pv/u4EmRIO3HLWjds/ht/tpxeSZ:bJeTKX6L9fHBW4bW+zdeS
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 4992 created 2684 4992 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 45 -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 4740 powershell.exe 516 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe -
Executes dropped EXE 4 IoCs
pid Process 4632 blue.exe 4476 blue.exe 3304 Version.exe 3788 Version.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 912 set thread context of 4992 912 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 88 PID 4632 set thread context of 4476 4632 blue.exe 90 PID 3304 set thread context of 3788 3304 Version.exe 95 PID 3788 set thread context of 1812 3788 Version.exe 97 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 4992 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 4992 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 1996 openwith.exe 1996 openwith.exe 1996 openwith.exe 1996 openwith.exe 4740 powershell.exe 4740 powershell.exe 3788 Version.exe 3788 Version.exe 516 powershell.exe 516 powershell.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeDebugPrivilege 912 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe Token: SeDebugPrivilege 912 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe Token: SeDebugPrivilege 4632 blue.exe Token: SeDebugPrivilege 4632 blue.exe Token: SeDebugPrivilege 4476 blue.exe Token: SeDebugPrivilege 4740 powershell.exe Token: SeDebugPrivilege 3304 Version.exe Token: SeDebugPrivilege 3304 Version.exe Token: SeDebugPrivilege 3788 Version.exe Token: SeDebugPrivilege 1812 MSBuild.exe Token: SeDebugPrivilege 516 powershell.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 912 wrote to memory of 4632 912 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 87 PID 912 wrote to memory of 4632 912 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 87 PID 912 wrote to memory of 4632 912 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 87 PID 912 wrote to memory of 4992 912 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 88 PID 912 wrote to memory of 4992 912 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 88 PID 912 wrote to memory of 4992 912 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 88 PID 912 wrote to memory of 4992 912 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 88 PID 912 wrote to memory of 4992 912 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 88 PID 912 wrote to memory of 4992 912 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 88 PID 912 wrote to memory of 4992 912 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 88 PID 912 wrote to memory of 4992 912 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 88 PID 4992 wrote to memory of 1996 4992 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 89 PID 4992 wrote to memory of 1996 4992 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 89 PID 4992 wrote to memory of 1996 4992 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 89 PID 4992 wrote to memory of 1996 4992 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 89 PID 4992 wrote to memory of 1996 4992 33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe 89 PID 4632 wrote to memory of 4476 4632 blue.exe 90 PID 4632 wrote to memory of 4476 4632 blue.exe 90 PID 4632 wrote to memory of 4476 4632 blue.exe 90 PID 4632 wrote to memory of 4476 4632 blue.exe 90 PID 4632 wrote to memory of 4476 4632 blue.exe 90 PID 4632 wrote to memory of 4476 4632 blue.exe 90 PID 4632 wrote to memory of 4476 4632 blue.exe 90 PID 4632 wrote to memory of 4476 4632 blue.exe 90 PID 3304 wrote to memory of 3788 3304 Version.exe 95 PID 3304 wrote to memory of 3788 3304 Version.exe 95 PID 3304 wrote to memory of 3788 3304 Version.exe 95 PID 3304 wrote to memory of 3788 3304 Version.exe 95 PID 3304 wrote to memory of 3788 3304 Version.exe 95 PID 3304 wrote to memory of 3788 3304 Version.exe 95 PID 3304 wrote to memory of 3788 3304 Version.exe 95 PID 3304 wrote to memory of 3788 3304 Version.exe 95 PID 3788 wrote to memory of 1812 3788 Version.exe 97 PID 3788 wrote to memory of 1812 3788 Version.exe 97 PID 3788 wrote to memory of 1812 3788 Version.exe 97 PID 3788 wrote to memory of 1812 3788 Version.exe 97 PID 3788 wrote to memory of 1812 3788 Version.exe 97 PID 3788 wrote to memory of 1812 3788 Version.exe 97 PID 3788 wrote to memory of 1812 3788 Version.exe 97 PID 3788 wrote to memory of 1812 3788 Version.exe 97
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2684
-
C:\Windows\SysWOW64\openwith.exe"C:\Windows\system32\openwith.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1996
-
-
C:\Users\Admin\AppData\Local\Temp\33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe"C:\Users\Admin\AppData\Local\Temp\33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Users\Admin\AppData\Local\Temp\blue.exe"C:\Users\Admin\AppData\Local\Temp\blue.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\blue.exe"C:\Users\Admin\AppData\Local\Temp\blue.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4476
-
-
-
C:\Users\Admin\AppData\Local\Temp\33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe"C:\Users\Admin\AppData\Local\Temp\33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVgBlAHIAcwBpAG8AbgAuAGUAeABlADsA1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740
-
C:\Users\Admin\AppData\Local\AuditRuleType\nodicel\Version.exeC:\Users\Admin\AppData\Local\AuditRuleType\nodicel\Version.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Users\Admin\AppData\Local\AuditRuleType\nodicel\Version.exe"C:\Users\Admin\AppData\Local\AuditRuleType\nodicel\Version.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVgBlAHIAcwBpAG8AbgAuAGUAeABlADsA1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:516
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe.log
Filesize958B
MD52653ec7e43bfbe52024d5bf4ec27a515
SHA1a08848300075d1c0b385532d840a43e1fd7251fa
SHA2565d7f555a970cc34988aac2e5deaccfc12ef69b5d9ea55fd8d31a9b4b8377f4f2
SHA512b3caeb925a71e99121b34cd1644f199e33a9b73b435cafb47bba0ffb7156d71b3b3ac424076cf0a600eeb422cb358420915a29b97c974937ebf9186bea05938d
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.1MB
MD530cd8c00307286863dba2ec13fb2a611
SHA165815b908d5fd2905f70240d6dfe6e17f3c78aa1
SHA256c68192f008c1b7638e18ec1a6e5787953ea6775bb33acf9a12f64440f3b788e7
SHA51276a903bdb21ae382cd737432b2f5b3152589a3d3863c9120e9ad850d8cb46e07b90ed42f21d74840d4dc1383f2aee7bfc24f3f10eba94858e84af762bd404335