rhadamanthys | 8624feb22b3a92ec567c5c192ff802e55f2cbd3388c78642bfffde6ac2a9ddc6

Analysis

max time kernel
27s
max time network
19s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07-08-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveInstaller.exe
Size

55.9MB
MD5

521646f158f26a3790605f3c3ff47a5e
SHA1

a0fc21bf69705c2d8934e71841d5e803048b23b9
SHA256

a0fe8a8ecab5d9d7df5a364a95352e1d861c8ca851c4339b65aa4841b3619617
SHA512

c47839fe320cec955ea5abd331a47ec5bb39ed02e61c72b295272f01be57fdb0a361f124e2fe1b0f4f7326ed71542e5a42ada87b635a70e89ac2523ab50cb856
SSDEEP

393216:hxIdZflFnaY4nRSn3pPPa7uksiL2YS2xg5gC33QSau/puRDHbUXyZ8s:gdZflFnaTEKuu25e4daEgpbUXyms

Score

10^/10

rhadamanthys discovery execution stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

BitLockerToGo.exe

description	pid	Process	procid_target
PID 2620 created 3012	2620	BitLockerToGo.exe	49

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
3024	powershell.exe
1916	powershell.exe
3024	powershell.exe
1916	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

driver1.exe

pid	Process
892	driver1.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WaveInstaller.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	WaveInstaller.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	WaveInstaller.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exe

pid	Process
3544	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

driver1.exe

description	pid	Process	procid_target
PID 892 set thread context of 2620	892	driver1.exe	93

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
5032	2620	WerFault.exe	93
3276	2620	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

BitLockerToGo.exeopenwith.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

wmic.exe

pid	Process
4416	wmic.exe

GoLang User-Agent 3 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1
HTTP User-Agent header	2	Go-http-client/1.1
HTTP User-Agent header	3	Go-http-client/1.1

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
4560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exeBitLockerToGo.exeopenwith.exe

pid	Process
3024	powershell.exe
3024	powershell.exe
1916	powershell.exe
1916	powershell.exe
2620	BitLockerToGo.exe
2620	BitLockerToGo.exe
1840	openwith.exe
1840	openwith.exe
1840	openwith.exe
1840	openwith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WaveInstaller.exewmic.exetasklist.exepowershell.exepowershell.exewmic.exe

description	pid	Process
Token: SeDebugPrivilege	1528	WaveInstaller.exe
Token: SeIncreaseQuotaPrivilege	4416	wmic.exe
Token: SeSecurityPrivilege	4416	wmic.exe
Token: SeTakeOwnershipPrivilege	4416	wmic.exe
Token: SeLoadDriverPrivilege	4416	wmic.exe
Token: SeSystemProfilePrivilege	4416	wmic.exe
Token: SeSystemtimePrivilege	4416	wmic.exe
Token: SeProfSingleProcessPrivilege	4416	wmic.exe
Token: SeIncBasePriorityPrivilege	4416	wmic.exe
Token: SeCreatePagefilePrivilege	4416	wmic.exe
Token: SeBackupPrivilege	4416	wmic.exe
Token: SeRestorePrivilege	4416	wmic.exe
Token: SeShutdownPrivilege	4416	wmic.exe
Token: SeDebugPrivilege	4416	wmic.exe
Token: SeSystemEnvironmentPrivilege	4416	wmic.exe
Token: SeRemoteShutdownPrivilege	4416	wmic.exe
Token: SeUndockPrivilege	4416	wmic.exe
Token: SeManageVolumePrivilege	4416	wmic.exe
Token: 33	4416	wmic.exe
Token: 34	4416	wmic.exe
Token: 35	4416	wmic.exe
Token: 36	4416	wmic.exe
Token: SeIncreaseQuotaPrivilege	4416	wmic.exe
Token: SeSecurityPrivilege	4416	wmic.exe
Token: SeTakeOwnershipPrivilege	4416	wmic.exe
Token: SeLoadDriverPrivilege	4416	wmic.exe
Token: SeSystemProfilePrivilege	4416	wmic.exe
Token: SeSystemtimePrivilege	4416	wmic.exe
Token: SeProfSingleProcessPrivilege	4416	wmic.exe
Token: SeIncBasePriorityPrivilege	4416	wmic.exe
Token: SeCreatePagefilePrivilege	4416	wmic.exe
Token: SeBackupPrivilege	4416	wmic.exe
Token: SeRestorePrivilege	4416	wmic.exe
Token: SeShutdownPrivilege	4416	wmic.exe
Token: SeDebugPrivilege	4416	wmic.exe
Token: SeSystemEnvironmentPrivilege	4416	wmic.exe
Token: SeRemoteShutdownPrivilege	4416	wmic.exe
Token: SeUndockPrivilege	4416	wmic.exe
Token: SeManageVolumePrivilege	4416	wmic.exe
Token: 33	4416	wmic.exe
Token: 34	4416	wmic.exe
Token: 35	4416	wmic.exe
Token: 36	4416	wmic.exe
Token: SeDebugPrivilege	3544	tasklist.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeIncreaseQuotaPrivilege	3132	wmic.exe
Token: SeSecurityPrivilege	3132	wmic.exe
Token: SeTakeOwnershipPrivilege	3132	wmic.exe
Token: SeLoadDriverPrivilege	3132	wmic.exe
Token: SeSystemProfilePrivilege	3132	wmic.exe
Token: SeSystemtimePrivilege	3132	wmic.exe
Token: SeProfSingleProcessPrivilege	3132	wmic.exe
Token: SeIncBasePriorityPrivilege	3132	wmic.exe
Token: SeCreatePagefilePrivilege	3132	wmic.exe
Token: SeBackupPrivilege	3132	wmic.exe
Token: SeRestorePrivilege	3132	wmic.exe
Token: SeShutdownPrivilege	3132	wmic.exe
Token: SeDebugPrivilege	3132	wmic.exe
Token: SeSystemEnvironmentPrivilege	3132	wmic.exe
Token: SeRemoteShutdownPrivilege	3132	wmic.exe
Token: SeUndockPrivilege	3132	wmic.exe
Token: SeManageVolumePrivilege	3132	wmic.exe
Token: 33	3132	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

WaveInstaller.exepowershell.exedriver1.exeBitLockerToGo.exe

description	pid	Process	procid_target
PID 1528 wrote to memory of 4416	1528	WaveInstaller.exe	83
PID 1528 wrote to memory of 4416	1528	WaveInstaller.exe	83
PID 1528 wrote to memory of 3544	1528	WaveInstaller.exe	84
PID 1528 wrote to memory of 3544	1528	WaveInstaller.exe	84
PID 1528 wrote to memory of 3024	1528	WaveInstaller.exe	85
PID 1528 wrote to memory of 3024	1528	WaveInstaller.exe	85
PID 3024 wrote to memory of 1916	3024	powershell.exe	86
PID 3024 wrote to memory of 1916	3024	powershell.exe	86
PID 1528 wrote to memory of 3132	1528	WaveInstaller.exe	87
PID 1528 wrote to memory of 3132	1528	WaveInstaller.exe	87
PID 1528 wrote to memory of 892	1528	WaveInstaller.exe	88
PID 1528 wrote to memory of 892	1528	WaveInstaller.exe	88
PID 1528 wrote to memory of 4560	1528	WaveInstaller.exe	92
PID 1528 wrote to memory of 4560	1528	WaveInstaller.exe	92
PID 892 wrote to memory of 2620	892	driver1.exe	93
PID 892 wrote to memory of 2620	892	driver1.exe	93
PID 892 wrote to memory of 2620	892	driver1.exe	93
PID 892 wrote to memory of 2620	892	driver1.exe	93
PID 892 wrote to memory of 2620	892	driver1.exe	93
PID 2620 wrote to memory of 1840	2620	BitLockerToGo.exe	94
PID 2620 wrote to memory of 1840	2620	BitLockerToGo.exe	94
PID 2620 wrote to memory of 1840	2620	BitLockerToGo.exe	94
PID 2620 wrote to memory of 1840	2620	BitLockerToGo.exe	94
PID 2620 wrote to memory of 1840	2620	BitLockerToGo.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3012
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1840

C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:4416
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\";" powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3132
- C:\ProgramData\driver1.exe
  C:\ProgramData\driver1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 472
      4⤵
      Program crash
      PID:5032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 468
      4⤵
      Program crash
      PID:3276
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.exe /sc onstart /ru SYSTEM
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2620 -ip 2620
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2620 -ip 2620
1⤵
PID:3000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\driver1.exe

Filesize
7.3MB

MD5
69c08e5d078bd287b3cb43b7c35bc831

SHA1
307b8de9da4d24d474e44beaf4f32c15b258b0f6

SHA256
ce3b888419f9e46029d630e56e15e64eb28b9f92652a1acf477a87a5aebe3f48

SHA512
1bf71b7fc5e991dda21f6ed1c62895d5ba161b01677cba0901568df0a4bf3d6419cc3c04e83007566ee21de2cd66230af37de40b5ff61701ac4ad820a7b73152

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
836B

MD5
e71db9eb70173249916b88c12d69faec

SHA1
85cb39c6e899703cd0a07f9046f524ed727a8589

SHA256
97038019c328f02d63ef5678f287ea237508ecd2da8f2bf79573473d8fd12af6

SHA512
ee59a5b0a2e99f86cf8e65f9cb03bddd237669476f5ed4644c373c3bd70697a99444aef56976f089a9543b6bfeca02de0fed12a47c701d06e3a1b3e0fb81d564

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ez35mucq.ieo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/892-38-0x00007FF6E5C30000-0x00007FF6E63E2000-memory.dmp

Filesize
7.7MB

Download
memory/1840-45-0x0000000000A30000-0x0000000000A39000-memory.dmp

Filesize
36KB

Download
memory/1840-50-0x00000000770E0000-0x0000000077332000-memory.dmp

Filesize
2.3MB

Download
memory/1840-48-0x00007FF99D120000-0x00007FF99D329000-memory.dmp

Filesize
2.0MB

Download
memory/1840-47-0x00000000026D0000-0x0000000002AD0000-memory.dmp

Filesize
4.0MB

Download
memory/2620-40-0x0000000003810000-0x0000000003C10000-memory.dmp

Filesize
4.0MB

Download
memory/2620-42-0x00007FF99D120000-0x00007FF99D329000-memory.dmp

Filesize
2.0MB

Download
memory/2620-41-0x0000000003810000-0x0000000003C10000-memory.dmp

Filesize
4.0MB

Download
memory/2620-44-0x00000000770E0000-0x0000000077332000-memory.dmp

Filesize
2.3MB

Download
memory/2620-39-0x0000000000820000-0x000000000089E000-memory.dmp

Filesize
504KB

Download
memory/2620-37-0x0000000000820000-0x000000000089E000-memory.dmp

Filesize
504KB

Download
memory/3024-5-0x00000138290E0000-0x0000013829102000-memory.dmp

Filesize
136KB

Download