Overview

overview

10

Static

static

3

archive/setup.exe

windows7-x64

10

archive/setup.exe

windows10-2004-x64

10

archive/setup.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    487s
  • max time network
    491s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-07-2024 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    archive/setup.exe

  • Size

    792.5MB

  • MD5

    0f4e82710cf21a3c36a72f3d5378c32a

  • SHA1

    6c64e4c47eaf6a74263babaf7add0c1b79e32526

  • SHA256

    b0212959666982690085eeaa577fbd02d9bbb2a6ae6851a8082deb03001af485

  • SHA512

    5a521e5a25d2d5861fff0682e81588e8e23348aa80374c3182618c9d85e570fcd8e262441be174a6584fd6504d191439a6174de3268905d658410497e50483aa

  • SSDEEP

    98304:2joPBEfPICvGozzDssWvOrwfSDM+Hh8gmeFitvuGzbtLxZ:OoqACjPQsWvO8fSDJmcitvuGVL

Score
10/10
rhadamanthysevasionspywarestealer

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 1 IoCs
    evasion
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2668
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3644
    • C:\Users\Admin\AppData\Local\Temp\archive\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\archive\setup.exe"
      1⤵
      • Modifies firewall policy service
      • Checks computer location settings
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3276
      • C:\Users\Admin\Documents\SimpleAdobe\6F73Zb24JfVKPxFqEW8rNPL_.exe
        C:\Users\Admin\Documents\SimpleAdobe\6F73Zb24JfVKPxFqEW8rNPL_.exe
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 772
          3⤵
          • Program crash
          PID:2332
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:3044
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
        1⤵
          PID:4420
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4888 -ip 4888
          1⤵
            PID:2044

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\Documents\SimpleAdobe\6F73Zb24JfVKPxFqEW8rNPL_.exe
            Filesize

            7.4MB

            MD5

            4eb8c5a72e468b4880e00aca1016aa6f

            SHA1

            217b66eed681f4fabed33ae699b6da8d80f6511a

            SHA256

            8bb6a5784f81422027453ada6ad6ed5209168cc7a29f2f2c4eda4a2dd95f04d8

            SHA512

            01a5a5308e203e2b631c25fdc0ad55ca4730bb649afdac727a0785eb2348e0876cde99315a27a3dc09c4ee58973be0c39110bec7e97cc3a437a675600f8a2490

            Download Submit

          • C:\Users\Admin\Documents\SimpleAdobe\6F73Zb24JfVKPxFqEW8rNPL_.exe
            Filesize

            7.4MB

            MD5

            4aefd5e816288c13908ee815cd3aa544

            SHA1

            12feb80cc87b0ac264641a1a981840e5d4fb2e7b

            SHA256

            e856a9f79d3b5e389d76a1e832a1c16972e949c512ce2e09e44cfc338d405f30

            SHA512

            a1b26b31788c41cfff38065e545658daf973dd386e90bcc6109236a2f7787e7fe02ccf491bd41c689dd51c72e0503c098ea05c81ef6cd4810c1fd67483acf072

            Download Submit

          • memory/3276-5-0x00007FF90B070000-0x00007FF90B072000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3276-3-0x00007FF90B6D0000-0x00007FF90B6D2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3276-0-0x00007FF660276000-0x00007FF6604DB000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/3276-2-0x00007FF90B6C0000-0x00007FF90B6C2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3276-1-0x00007FF90B6B0000-0x00007FF90B6B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3276-7-0x00007FF908FD0000-0x00007FF908FD2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3276-8-0x00007FF908FE0000-0x00007FF908FE2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3276-29-0x00007FF660276000-0x00007FF6604DB000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/3276-30-0x00007FF660110000-0x00007FF660966000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3276-6-0x00007FF660110000-0x00007FF660966000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3276-4-0x00007FF90B060000-0x00007FF90B062000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3276-43-0x00007FF660276000-0x00007FF6604DB000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/3276-44-0x00007FF660110000-0x00007FF660966000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3644-63-0x00007FF90B4B0000-0x00007FF90B6A5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/3644-60-0x0000000000A90000-0x0000000000A99000-memory.dmp

            Filesize

            36KB

            Download

          • memory/3644-65-0x00000000760B0000-0x00000000762C5000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/3644-62-0x00000000026D0000-0x0000000002AD0000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/4888-48-0x0000000001110000-0x000000000111A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4888-53-0x00000000016D0000-0x00000000016E9000-memory.dmp

            Filesize

            100KB

            Download

          • memory/4888-52-0x00000000016C0000-0x00000000016C4000-memory.dmp

            Filesize

            16KB

            Download

          • memory/4888-51-0x00000000016C0000-0x00000000016C4000-memory.dmp

            Filesize

            16KB

            Download

          • memory/4888-50-0x00000000012B0000-0x00000000012B7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4888-49-0x00000000012B0000-0x00000000012B7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4888-55-0x0000000004A00000-0x0000000004E00000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/4888-56-0x0000000004A00000-0x0000000004E00000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/4888-57-0x00007FF90B4B0000-0x00007FF90B6A5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/4888-54-0x00000000016D0000-0x00000000016E9000-memory.dmp

            Filesize

            100KB

            Download

          • memory/4888-59-0x00000000760B0000-0x00000000762C5000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/4888-46-0x0000000000400000-0x0000000000F5D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/4888-47-0x0000000001110000-0x000000000111A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4888-45-0x0000000000400000-0x0000000000F5D000-memory.dmp

            Filesize

            11.4MB

            Download