Overview

overview

10

Static

static

1

Authentica....1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • submitted
    31/07/2024, 20:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Authenticator_v5.1.exe

  • Size

    1.9MB

  • MD5

    c607e5a15a55a85f0fd6339c75dbe769

  • SHA1

    36e24f54dd93166a2d42ebb222d4c15eefe7239b

  • SHA256

    bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461

  • SHA512

    db157472ad89553b0a9578da6b5a5b07abe30741509f097f359fb1c40db3818e94f8134513d52627f0e889731dbdf4fc0bf4375ff3a0bdbb0892ca6e108391a6

  • SSDEEP

    49152:IebOsgxw8eSymL1zO69MOpJjyTVKueFU4NXJ:P+N1K+luelXJ

Score
10/10
rhadamanthyswarmcookiebackdoordiscoverystealer

Malware Config

Extracted

Family

warmcookie

C2

91.222.173.181

Attributes
  • mutex

    8952466e-ec09-4cf4-b3f8-01bed1b211dd

  • user_agent

    Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)

Extracted

Family

rhadamanthys

C2

https://92.246.139.64:7400/b7a8e4d36d60139c9974d297/e751wk8p.0713j

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Warmcookie family
    warmcookie
  • Warmcookie, Badspace

    Warmcookie aka Badspace is a backdoor written in C++.

    backdoorwarmcookie
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2584
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4568
    • C:\Users\Admin\AppData\Local\Temp\Authenticator_v5.1.exe
      "C:\Users\Admin\AppData\Local\Temp\Authenticator_v5.1.exe"
      1⤵
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:4432
      • C:\Users\Admin\AppData\Local\Temp\datF53D.tmp\F53E.exe
        "C:\Users\Admin\AppData\Local\Temp\datF53D.tmp\F53E.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5080
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 496
          3⤵
          • Program crash
          PID:4008
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5080 -ip 5080
      1⤵
        PID:4604

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\datF53D.tmp\F53E.exe
        Filesize

        3.5MB

        MD5

        9a9e54e2c0b5076ebbddd676c45a7c6e

        SHA1

        29969d8d71dd863088190dfcabb7713ffc8484ae

        SHA256

        4a802496f5171c7f9d8862a579795c346489d7ab0b0b1b0df7da6621911e6b91

        SHA512

        fc0d7f50c36b969bdb2af43834f947129ea1710599054100a01964b63a3541d06df6e3eeb8c782041ede182be3c9a7c16dbe498f4acac14c8a2646dc26510401

        Download Submit

      • memory/4432-6-0x0000000001FF0000-0x0000000002016000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4432-0-0x0000000001FF0000-0x0000000002016000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4568-15-0x0000000000BA0000-0x0000000000BA9000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4568-24-0x0000000002A30000-0x0000000002E30000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4568-22-0x0000000076F70000-0x0000000077185000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/4568-21-0x0000000002A30000-0x0000000002E30000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4568-19-0x00007FFE3E870000-0x00007FFE3EA65000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4568-18-0x0000000002A30000-0x0000000002E30000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/5080-8-0x0000000003700000-0x0000000003B00000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/5080-14-0x0000000076F70000-0x0000000077185000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/5080-12-0x0000000003700000-0x0000000003B00000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/5080-11-0x00007FFE3E870000-0x00007FFE3EA65000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/5080-9-0x0000000003700000-0x0000000003B00000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/5080-10-0x0000000003700000-0x0000000003B00000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/5080-23-0x0000000003700000-0x0000000003B00000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/5080-7-0x0000000000DF0000-0x0000000000E6E000-memory.dmp

        Filesize

        504KB

        Download