rhadamanthys | 0bdc6c9bea314206994a9352f61895004ed414bcb767de035d9f9c5142916a11

Analysis

max time kernel
359s
max time network
365s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msimg32.dll
Size

30.0MB
MD5

a154217644d7083db5c2bca05fd663b0
SHA1

cc3d43e548f2aca58240eff9485298857f891f33
SHA256

a6e810e74c7e60ec30caa633ffe4c05d6f17aa3441883ce6b66ae5bb83a01c02
SHA512

ce5c3a6e9fcbea041b8ce2966a02ae2de3b07dc4f8eef8cb96a4408ee2fe39b2a02b4bd0f99f3ad04a279a839c374f649b7666209629ed86c07362e4c1302a0b
SSDEEP

49152:Tmp1wTHyQhBCMsvEqDZLOkALP7fivHBbsF:T21wTHF5svPDkkk2H

Score

10^/10

rhadamanthys defense_evasion discovery persistence stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

저작권 침해 자료.exe

description	pid	Process	procid_target
PID 2956 created 1260	2956	저작권 침해 자료.exe	21

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\FirefoxData.dll,EntryPoint"	reg.exe

System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs

Adversaries may abuse Verclsid to proxy execution of malicious code.

defense_evasion

Verclsid

T1218.012

Processes:

verclsid.exe

pid	Process
2864	verclsid.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

저작권 침해 자료.exe

pid	Process
2592	저작권 침해 자료.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exe저작권 침해 자료.exe저작권 침해 자료.exedialer.execmd.exereg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	저작권 침해 자료.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	저작권 침해 자료.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

저작권 침해 자료.exedialer.exe

pid	Process
2956	저작권 침해 자료.exe
2956	저작권 침해 자료.exe
2496	dialer.exe
2496	dialer.exe
2496	dialer.exe
2496	dialer.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

rundll32.exe저작권 침해 자료.exe저작권 침해 자료.execmd.exe

description	pid	Process	procid_target
PID 2200 wrote to memory of 3036	2200	rundll32.exe	30
PID 2200 wrote to memory of 3036	2200	rundll32.exe	30
PID 2200 wrote to memory of 3036	2200	rundll32.exe	30
PID 2200 wrote to memory of 3036	2200	rundll32.exe	30
PID 2200 wrote to memory of 3036	2200	rundll32.exe	30
PID 2200 wrote to memory of 3036	2200	rundll32.exe	30
PID 2200 wrote to memory of 3036	2200	rundll32.exe	30
PID 2592 wrote to memory of 2956	2592	저작권 침해 자료.exe	34
PID 2592 wrote to memory of 2956	2592	저작권 침해 자료.exe	34
PID 2592 wrote to memory of 2956	2592	저작권 침해 자료.exe	34
PID 2592 wrote to memory of 2956	2592	저작권 침해 자료.exe	34
PID 2592 wrote to memory of 2956	2592	저작권 침해 자료.exe	34
PID 2592 wrote to memory of 2956	2592	저작권 침해 자료.exe	34
PID 2592 wrote to memory of 2956	2592	저작권 침해 자료.exe	34
PID 2956 wrote to memory of 2496	2956	저작권 침해 자료.exe	35
PID 2956 wrote to memory of 2496	2956	저작권 침해 자료.exe	35
PID 2956 wrote to memory of 2496	2956	저작권 침해 자료.exe	35
PID 2956 wrote to memory of 2496	2956	저작권 침해 자료.exe	35
PID 2956 wrote to memory of 2496	2956	저작권 침해 자료.exe	35
PID 2956 wrote to memory of 2496	2956	저작권 침해 자료.exe	35
PID 2592 wrote to memory of 2344	2592	저작권 침해 자료.exe	36
PID 2592 wrote to memory of 2344	2592	저작권 침해 자료.exe	36
PID 2592 wrote to memory of 2344	2592	저작권 침해 자료.exe	36
PID 2592 wrote to memory of 2344	2592	저작권 침해 자료.exe	36
PID 2344 wrote to memory of 2376	2344	cmd.exe	38
PID 2344 wrote to memory of 2376	2344	cmd.exe	38
PID 2344 wrote to memory of 2376	2344	cmd.exe	38
PID 2344 wrote to memory of 2376	2344	cmd.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\msimg32.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\msimg32.dll,#1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- C:\Windows\system32\verclsid.exe
  "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
  2⤵
  - System Binary Proxy Execution: Verclsid
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\저작권 침해 자료.exe
  "C:\Users\Admin\AppData\Local\Temp\저작권 침해 자료.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\저작권 침해 자료.exe
    "C:\Users\Admin\AppData\Local\Temp\저작권 침해 자료.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2376
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Verclsid

T1218.012

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2496-27-0x0000000001FE0000-0x00000000023E0000-memory.dmp

Filesize
4.0MB

Download
memory/2496-30-0x0000000076220000-0x0000000076267000-memory.dmp

Filesize
284KB

Download
memory/2496-28-0x00000000775F0000-0x0000000077799000-memory.dmp

Filesize
1.7MB

Download
memory/2496-23-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2592-15-0x0000000010026000-0x0000000010040000-memory.dmp

Filesize
104KB

Download
memory/2592-3-0x0000000010000000-0x00000000101F7000-memory.dmp

Filesize
2.0MB

Download
memory/2592-16-0x0000000010000000-0x00000000101F7000-memory.dmp

Filesize
2.0MB

Download
memory/2956-13-0x00000000001C0000-0x000000000023E000-memory.dmp

Filesize
504KB

Download
memory/2956-20-0x00000000035C0000-0x00000000039C0000-memory.dmp

Filesize
4.0MB

Download
memory/2956-14-0x00000000001C0000-0x000000000023E000-memory.dmp

Filesize
504KB

Download
memory/2956-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2956-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2956-17-0x00000000001C0000-0x000000000023E000-memory.dmp

Filesize
504KB

Download
memory/2956-18-0x00000000035C0000-0x00000000039C0000-memory.dmp

Filesize
4.0MB

Download
memory/2956-4-0x00000000001C0000-0x000000000023E000-memory.dmp

Filesize
504KB

Download
memory/2956-19-0x00000000035C0000-0x00000000039C0000-memory.dmp

Filesize
4.0MB

Download
memory/2956-22-0x0000000076220000-0x0000000076267000-memory.dmp

Filesize
284KB

Download
memory/2956-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2956-26-0x00000000035C0000-0x00000000039C0000-memory.dmp

Filesize
4.0MB

Download
memory/3036-0-0x0000000010000000-0x00000000101F7000-memory.dmp

Filesize
2.0MB

Download
memory/3036-1-0x0000000010026000-0x0000000010040000-memory.dmp

Filesize
104KB

Download
memory/3036-2-0x0000000010186000-0x0000000010191000-memory.dmp

Filesize
44KB

Download