Overview

overview

10

Static

static

3

33682e861b...46.exe

windows7-x64

10

33682e861b...46.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09-07-2024 15:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe

  • Size

    4.3MB

  • MD5

    651962c322d049e7271543d8d2673311

  • SHA1

    e4a3c9a15006aae882697cff0ec90795f658ee94

  • SHA256

    33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546

  • SHA512

    121b96a1ce8e12924e41c2243cea25dbc13240c6cfadcfe01aecbea1c6676261cbcf89677fb1a8e429e22d47b1030b9e24e03b96a5f7e956316f02bd8d2c74b1

  • SSDEEP

    98304:fh0DJ8JeTBYX6L9jeMr31y0pv/u4EmRIO3HLWjds/ht/tpxeSZ:bJeTKX6L9fHBW4bW+zdeS

Score
10/10
rhadamanthysexecutionstealer

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe
        "C:\Users\Admin\AppData\Local\Temp\33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Users\Admin\AppData\Local\Temp\blue.exe
          "C:\Users\Admin\AppData\Local\Temp\blue.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:992
          • C:\Users\Admin\AppData\Local\Temp\blue.exe
            "C:\Users\Admin\AppData\Local\Temp\blue.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2640
        • C:\Users\Admin\AppData\Local\Temp\33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe
          "C:\Users\Admin\AppData\Local\Temp\33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:760
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:8472
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {55E5DAE8-D5C0-4B4E-893A-EC551B6876CB} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:S4U:
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:8736
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVgBlAHIAcwBpAG8AbgAuAGUAeABlADsA
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:8768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVgBlAHIAcwBpAG8AbgAuAGUAeABlADsA
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:9020
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {B7807092-ACCA-489D-8686-8B9B3D3FDEAD} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:8984
      • C:\Users\Admin\AppData\Local\AuditRuleType\bquymr\Version.exe
        C:\Users\Admin\AppData\Local\AuditRuleType\bquymr\Version.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:9016
        • C:\Users\Admin\AppData\Local\AuditRuleType\bquymr\Version.exe
          "C:\Users\Admin\AppData\Local\AuditRuleType\bquymr\Version.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5404
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3176
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2572

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      39bc8afe98ccd057430e513d8f6c6bbf

      SHA1

      26431c8a30578cd36eb00bfaa90ab6c06f8a5b6b

      SHA256

      bb79a48561246dc2ce1f46a59640d2e34395c57d6f77e9e862b7d297b809727f

      SHA512

      d3e78a152fe7c3ab5f7e8a4bdf148ee38132b13e07244981d9b2f0421db80aec4ff7866f8af84d2b8c7fa7f8bd5f02e217a5a5ad985fd7612dc2b95a2e077ee2

      Download Submit
    • \Users\Admin\AppData\Local\Temp\blue.exe
      Filesize

      2.1MB

      MD5

      30cd8c00307286863dba2ec13fb2a611

      SHA1

      65815b908d5fd2905f70240d6dfe6e17f3c78aa1

      SHA256

      c68192f008c1b7638e18ec1a6e5787953ea6775bb33acf9a12f64440f3b788e7

      SHA512

      76a903bdb21ae382cd737432b2f5b3152589a3d3863c9120e9ad850d8cb46e07b90ed42f21d74840d4dc1383f2aee7bfc24f3f10eba94858e84af762bd404335

      Download Submit
    • memory/760-13647-0x00000000002F0000-0x00000000002F8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/760-5277-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/992-9758-0x0000000005550000-0x0000000005638000-memory.dmp
      Filesize

      928KB

      Download
    • memory/992-9780-0x0000000074940000-0x000000007502E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/992-4878-0x0000000074940000-0x000000007502E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/992-4879-0x0000000004BF0000-0x0000000004E9A000-memory.dmp
      Filesize

      2.7MB

      Download
    • memory/992-4876-0x0000000000200000-0x0000000000426000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/992-4877-0x0000000074940000-0x000000007502E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1956-55-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-4866-0x0000000074940000-0x000000007502E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1956-19-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-21-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-23-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-51-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-0-0x000000007494E000-0x000000007494F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1956-25-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-53-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-67-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-65-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-63-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-61-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-59-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-57-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-49-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-47-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-45-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-43-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-41-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-39-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-37-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-35-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-33-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-31-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-29-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-27-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-17-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-4867-0x0000000007D00000-0x0000000008012000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1956-4868-0x0000000001220000-0x000000000126C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1956-13-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-15-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-11-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-9-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-4885-0x0000000005980000-0x00000000059D4000-memory.dmp
      Filesize

      336KB

      Download
    • memory/1956-5173-0x0000000074940000-0x000000007502E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1956-7-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-5-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-4-0x0000000004C80000-0x0000000005150000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-1-0x00000000012E0000-0x0000000001732000-memory.dmp
      Filesize

      4.3MB

      Download
    • memory/1956-2-0x0000000004C80000-0x0000000005156000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1956-3-0x0000000074940000-0x000000007502E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2572-31174-0x0000000000DB0000-0x0000000000E04000-memory.dmp
      Filesize

      336KB

      Download
    • memory/2640-9778-0x00000000000C0000-0x0000000000156000-memory.dmp
      Filesize

      600KB

      Download
    • memory/2640-13660-0x00000000042E0000-0x0000000004336000-memory.dmp
      Filesize

      344KB

      Download
    • memory/2640-9779-0x00000000041A0000-0x0000000004274000-memory.dmp
      Filesize

      848KB

      Download
    • memory/3176-22426-0x0000000000400000-0x0000000000626000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/5404-18546-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize

      600KB

      Download
    • memory/5404-22413-0x0000000001090000-0x00000000010E4000-memory.dmp
      Filesize

      336KB

      Download
    • memory/8768-13665-0x000000001A1E0000-0x000000001A4C2000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/8768-13666-0x0000000000B50000-0x0000000000B58000-memory.dmp
      Filesize

      32KB

      Download
    • memory/9016-13670-0x00000000010E0000-0x0000000001306000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/9020-31172-0x000000001A100000-0x000000001A3E2000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/9020-31173-0x0000000001250000-0x0000000001258000-memory.dmp
      Filesize

      32KB

      Download