Analysis
max time kernel: 487s
max time network: 491s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2024 21:08
Static task: static1
Behavioral task behavioral1: sample archive/setup.exe, resource win7-20240708-en
Behavioral task behavioral2: sample archive/setup.exe, resource win10v2004-20240709-en
Behavioral task behavioral3: sample archive/setup.exe, resource win11-20240709-en
General
Target: archive/setup.exe
Size: 792.5MB
MD5: 0f4e82710cf21a3c36a72f3d5378c32a
SHA1: 6c64e4c47eaf6a74263babaf7add0c1b79e32526
SHA256: b0212959666982690085eeaa577fbd02d9bbb2a6ae6851a8082deb03001af485
SHA512: 5a521e5a25d2d5861fff0682e81588e8e23348aa80374c3182618c9d85e570fcd8e262441be174a6584fd6504d191439a6174de3268905d658410497e50483aa
SSDEEP: 98304:2joPBEfPICvGozzDssWvOrwfSDM+Hh8gmeFitvuGzbtLxZ:OoqACjPQsWvO8fSDJmcitvuGVL
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 1 IoC)
Processes:
- setup.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
- 6F73Zb24JfVKPxFqEW8rNPL_.exe (PID 4888) created PID 2668, target process sihost.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- setup.exe: Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
Processes:
- 6F73Zb24JfVKPxFqEW8rNPL_.exe (PID 4888)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 30: ipinfo.io
- flow 27: api.myip.com
- flow 28: api.myip.com
- flow 29: ipinfo.io
Drops file in System32 directory (4 IoCs)
Processes:
- setup.exe: File opened for modification C:\Windows\System32\GroupPolicy
- setup.exe: File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini
- setup.exe: File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol
- setup.exe: File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI
Program crash (1 IoC)
Processes:
- WerFault.exe (PID 2332), target PID 4888, target process 6F73Zb24JfVKPxFqEW8rNPL_.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
- setup.exe (PID 3276), 2 entries
- 6F73Zb24JfVKPxFqEW8rNPL_.exe (PID 4888), 2 entries
- openwith.exe (PID 3644), 4 entries
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- 6F73Zb24JfVKPxFqEW8rNPL_.exe (PID 4888)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- setup.exe (PID 3276) wrote to memory of PID 4888 (6F73Zb24JfVKPxFqEW8rNPL_.exe), 3 entries
- 6F73Zb24JfVKPxFqEW8rNPL_.exe (PID 4888) wrote to memory of PID 3644 (openwith.exe), 5 entries
Processes
C:\Windows\system32\sihost.exe (command line: sihost.exe), PID 2668
  C:\Windows\SysWOW64\openwith.exe (command line: "C:\Windows\system32\openwith.exe"), PID 3644
    - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\archive\setup.exe (command line: "C:\Users\Admin\AppData\Local\Temp\archive\setup.exe"), PID 3276
  - Modifies firewall policy service
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\Documents\SimpleAdobe\6F73Zb24JfVKPxFqEW8rNPL_.exe (command line: C:\Users\Admin\Documents\SimpleAdobe\6F73Zb24JfVKPxFqEW8rNPL_.exe), PID 4888
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 772), PID 2332
      - Program crash
C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc), PID 3044
C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum), PID 4420
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4888 -ip 4888), PID 2044
Network
MITRE ATT&CK Enterprise v15
Downloads
Downloaded file 1
Filesize: 7.4MB
MD5: 4eb8c5a72e468b4880e00aca1016aa6f
SHA1: 217b66eed681f4fabed33ae699b6da8d80f6511a
SHA256: 8bb6a5784f81422027453ada6ad6ed5209168cc7a29f2f2c4eda4a2dd95f04d8
SHA512: 01a5a5308e203e2b631c25fdc0ad55ca4730bb649afdac727a0785eb2348e0876cde99315a27a3dc09c4ee58973be0c39110bec7e97cc3a437a675600f8a2490
Downloaded file 2
Filesize: 7.4MB
MD5: 4aefd5e816288c13908ee815cd3aa544
SHA1: 12feb80cc87b0ac264641a1a981840e5d4fb2e7b
SHA256: e856a9f79d3b5e389d76a1e832a1c16972e949c512ce2e09e44cfc338d405f30
SHA512: a1b26b31788c41cfff38065e545658daf973dd386e90bcc6109236a2f7787e7fe02ccf491bd41c689dd51c72e0503c098ea05c81ef6cd4810c1fd67483acf072