Overview

overview

10

Static

static

7

setup_2.exe

windows7-x64

10

setup_2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    setup_2.exe.vir

  • Size

    149.8MB

  • Sample

    240807-tkh5qa1amn

  • MD5

    ac727ab7ec322f9864262b4d04449450

  • SHA1

    dca460d6eb9daecd26f0d784d2a1a21501f057c3

  • SHA256

    9cb372f91aacf03b1c8f6210d59cc76edb2b9df4d6151430720e798aa8db7bc4

  • SHA512

    02c14ab026adc505e668d8c4e2db976ad836a40180db56669b12130a68b36065b20a0437c7fea51f07f7cae408aba5c638e6c33dff8660d6817ac031981586c5

  • SSDEEP

    3145728:1/3Y6om/lbztZbI5hPMBrYuLU0ctbJdbLMoMDLn6Qp:dtomdbztPY90ct5sOQp

Score
10/10
rhadamanthysbootkitdiscoverypersistenceprivilege_escalationstealerupx

Malware Config

Targets

    • Target

      setup_2.exe.vir

    • Size

      149.8MB

    • MD5

      ac727ab7ec322f9864262b4d04449450

    • SHA1

      dca460d6eb9daecd26f0d784d2a1a21501f057c3

    • SHA256

      9cb372f91aacf03b1c8f6210d59cc76edb2b9df4d6151430720e798aa8db7bc4

    • SHA512

      02c14ab026adc505e668d8c4e2db976ad836a40180db56669b12130a68b36065b20a0437c7fea51f07f7cae408aba5c638e6c33dff8660d6817ac031981586c5

    • SSDEEP

      3145728:1/3Y6om/lbztZbI5hPMBrYuLU0ctbJdbLMoMDLn6Qp:dtomdbztPY90ct5sOQp

    Score
    10/10
    rhadamanthysbootkitdiscoverypersistenceprivilege_escalationstealerupx

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

4
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks