Overview

overview

10

Static

static

3

2024-07-28...er.exe

windows7-x64

10

2024-07-28...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/07/2024, 02:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-28_8f355039fd3d9395f974e0982c13a458_avoslocker.exe

  • Size

    2.1MB

  • MD5

    8f355039fd3d9395f974e0982c13a458

  • SHA1

    725df56eba3b235f996132057e3ef94d4cc39843

  • SHA256

    ba4e57be7998467a7fb5471ea6e6d5ee9d6233de96bf2699efe9e8c45b21b039

  • SHA512

    7d6d3b445b7d39d054a37f0c33845fdb0f936e48252e46bfe405ab4d2bbb00554dcaea24283f56ce4c5b7b64a7daef0929994405b0706b7937b3b42f6b24dfe8

  • SSDEEP

    24576:p22vSU1RUol7JFZUEHAlPPT7CP02yVYk8YzlRGaDEW4/oUxvCUD61CCQbKxvDUQa:bJUol1Fy+SPTey6IGqH4x5DeEKtUw9

Score
10/10
rhadamanthysdiscoverypersistencestealer

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2544
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2332
    • C:\Users\Admin\AppData\Local\Temp\2024-07-28_8f355039fd3d9395f974e0982c13a458_avoslocker.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-07-28_8f355039fd3d9395f974e0982c13a458_avoslocker.exe"
      1⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2564

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2332-17-0x0000000000110000-0x0000000000119000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2332-27-0x0000000001F90000-0x0000000002390000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2332-21-0x0000000001F90000-0x0000000002390000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2332-26-0x0000000001F90000-0x0000000002390000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2332-23-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2332-25-0x00000000754C0000-0x00000000756D5000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2332-22-0x0000000001F90000-0x0000000002390000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2564-6-0x00000000743BE000-0x00000000743BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2564-7-0x0000000005200000-0x0000000005292000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2564-9-0x00000000029F0000-0x00000000029F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2564-10-0x0000000005160000-0x0000000005170000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2564-12-0x00000000743B0000-0x0000000074B60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2564-13-0x00000000055B0000-0x00000000059B0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2564-11-0x00000000055B0000-0x00000000059B0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2564-14-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2564-16-0x00000000754C0000-0x00000000756D5000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2564-8-0x00000000743B0000-0x0000000074B60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2564-20-0x00000000743B0000-0x0000000074B60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2564-4-0x0000000000800000-0x00000000008B0000-memory.dmp

      Filesize

      704KB

      Download

    • memory/4300-5-0x0000000000400000-0x0000000000624000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4300-3-0x0000000000400000-0x0000000000624000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4300-1-0x000000000040F000-0x0000000000429000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4300-2-0x0000000000400000-0x0000000000624000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4300-0-0x0000000000400000-0x0000000000624000-memory.dmp

      Filesize

      2.1MB

      Download