Analysis
-
max time kernel
142s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21-08-2024 01:56
Static task
static1
Behavioral task
behavioral1
Sample
8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e.exe
Resource
win10v2004-20240802-en
General
-
Target
8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e.exe
-
Size
1.7MB
-
MD5
702ab38086350094b28c8df1b670f84f
-
SHA1
3a6ff038d4e70d9f5e4a48f617612f9fc330bc03
-
SHA256
8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e
-
SHA512
bf849222a88b78b70918b1925afc507eb407abbdb7ce96e7c9ad94eb98093eccc36d3bc172e794eed24cb4138f114f037fc06b1aa18b2263316e1e195d1d74f3
-
SSDEEP
24576:GzZh1gHxneFb0gvX0zJc2ewTYuXm9jJp7Bv97S2Rck/J2q0NpBCMX/B:GF6ezktFbYuQFv9fBsiMX/B
Malware Config
Extracted
rhadamanthys
https://144.76.133.166:8034/5502b8a765a7d7349/r4139osc.1hlvc
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
Internet.pifdescription pid Process procid_target PID 3668 created 3440 3668 Internet.pif 56 PID 3668 created 2608 3668 Internet.pif 44 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation 8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e.exe -
Drops startup file 2 IoCs
Processes:
cmd.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoWave.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoWave.url cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
Internet.pifpid Process 3668 Internet.pif -
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exetasklist.exepid Process 884 tasklist.exe 3736 tasklist.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 1216 3668 WerFault.exe 97 -
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
findstr.execmd.exeInternet.piffindstr.exechoice.exeopenwith.exe8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e.exefindstr.exetasklist.execmd.exetasklist.execmd.execmd.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Internet.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language openwith.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
Internet.pifopenwith.exepid Process 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif 2300 openwith.exe 2300 openwith.exe 2300 openwith.exe 2300 openwith.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
tasklist.exetasklist.exedescription pid Process Token: SeDebugPrivilege 884 tasklist.exe Token: SeDebugPrivilege 3736 tasklist.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
Internet.pifpid Process 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
Internet.pifpid Process 3668 Internet.pif 3668 Internet.pif 3668 Internet.pif -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e.execmd.exeInternet.pifdescription pid Process procid_target PID 3396 wrote to memory of 3520 3396 8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e.exe 84 PID 3396 wrote to memory of 3520 3396 8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e.exe 84 PID 3396 wrote to memory of 3520 3396 8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e.exe 84 PID 3520 wrote to memory of 884 3520 cmd.exe 89 PID 3520 wrote to memory of 884 3520 cmd.exe 89 PID 3520 wrote to memory of 884 3520 cmd.exe 89 PID 3520 wrote to memory of 3528 3520 cmd.exe 90 PID 3520 wrote to memory of 3528 3520 cmd.exe 90 PID 3520 wrote to memory of 3528 3520 cmd.exe 90 PID 3520 wrote to memory of 3736 3520 cmd.exe 92 PID 3520 wrote to memory of 3736 3520 cmd.exe 92 PID 3520 wrote to memory of 3736 3520 cmd.exe 92 PID 3520 wrote to memory of 2032 3520 cmd.exe 93 PID 3520 wrote to memory of 2032 3520 cmd.exe 93 PID 3520 wrote to memory of 2032 3520 cmd.exe 93 PID 3520 wrote to memory of 60 3520 cmd.exe 94 PID 3520 wrote to memory of 60 3520 cmd.exe 94 PID 3520 wrote to memory of 60 3520 cmd.exe 94 PID 3520 wrote to memory of 1680 3520 cmd.exe 95 PID 3520 wrote to memory of 1680 3520 cmd.exe 95 PID 3520 wrote to memory of 1680 3520 cmd.exe 95 PID 3520 wrote to memory of 932 3520 cmd.exe 96 PID 3520 wrote to memory of 932 3520 cmd.exe 96 PID 3520 wrote to memory of 932 3520 cmd.exe 96 PID 3520 wrote to memory of 3668 3520 cmd.exe 97 PID 3520 wrote to memory of 3668 3520 cmd.exe 97 PID 3520 wrote to memory of 3668 3520 cmd.exe 97 PID 3520 wrote to memory of 2348 3520 cmd.exe 98 PID 3520 wrote to memory of 2348 3520 cmd.exe 98 PID 3520 wrote to memory of 2348 3520 cmd.exe 98 PID 3668 wrote to memory of 4392 3668 Internet.pif 99 PID 3668 wrote to memory of 4392 3668 Internet.pif 99 PID 3668 wrote to memory of 4392 3668 Internet.pif 99 PID 3668 wrote to memory of 2300 3668 Internet.pif 107 PID 3668 wrote to memory of 2300 3668 Internet.pif 107 PID 3668 wrote to memory of 2300 3668 Internet.pif 107 PID 3668 wrote to memory of 2300 3668 Internet.pif 107 PID 3668 wrote to memory of 2300 3668 Internet.pif 107
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2608
-
C:\Windows\SysWOW64\openwith.exe"C:\Windows\system32\openwith.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2300
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3440
-
C:\Users\Admin\AppData\Local\Temp\8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e.exe"C:\Users\Admin\AppData\Local\Temp\8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Almost Almost.cmd & Almost.cmd & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:884
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
- System Location Discovery: System Language Discovery
PID:3528
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3736
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2032
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 5619444⤵
- System Location Discovery: System Language Discovery
PID:60
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "ZealandInvitationMonoMessage" Import4⤵
- System Location Discovery: System Language Discovery
PID:1680
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Reports + ..\Ontario + ..\Contacting + ..\Midlands + ..\Guestbook + ..\Placement + ..\Patricia + ..\Saving + ..\Addition + ..\Publisher + ..\Machine + ..\Blowjobs + ..\Ni E4⤵
- System Location Discovery: System Language Discovery
PID:932
-
-
C:\Users\Admin\AppData\Local\Temp\561944\Internet.pifInternet.pif E4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 9605⤵
- Program crash
PID:1216
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 54⤵
- System Location Discovery: System Language Discovery
PID:2348
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoWave.url" & echo URL="C:\Users\Admin\AppData\Local\DesignWave Technologies\InnoWave.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoWave.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:4392
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3668 -ip 36681⤵PID:2796
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
933KB
MD5e0ccb032f8a542fac39f8dfb475fd99d
SHA188f27e5db9a8da4025c90d299e19a2cc15d85f6c
SHA2561825a57bfd027e96b47e85f789dd3e15f56980464df7c60fa7600f0f37153167
SHA5123bfe99c999eef5d944ba5042ec6edb8c546e67224f3a13342ca9992105c1a1cf9928f43e3929bda288faa7f2cc9c55b5a7851e55c61689a795f71d406d7ed557
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
51KB
MD5a7d7793318e8460f41bc73ffdaa4bf3c
SHA16b556b531ce4e07ffbc77f4d8eddd4f80c858438
SHA256fffbc97502fc6b21552ca1fe3537a78a56a2553632938b2d4916295c47a26de9
SHA512ddf9588a9d237e652b00cd089a639571698a5d8e3961b1accfc509412b1f9b0507a590d71ce4aea44cd3031594487c6badbcbad296fdee8bfedef23c79d442cf
-
Filesize
14KB
MD5f629c391bb2a555d7201ba313533cb61
SHA1b738978d501b563e12a25480ff8581a1023979b8
SHA256a841624b9936a625f45cfffc446271be2191c3204bf7baa7bdf8890e6db691f3
SHA512d488dbaa581e6629ec8659574abcacc8a80b763b33340ff2dd01801f9fdc316ba7f40bbdc59953fe45a3e43712c3d3eebc23546281f596066160eda5f9096b04
-
Filesize
94KB
MD5195a96edf53ff80a7cf419744723a51e
SHA153bcdfba9c43063d10e3d8e6f601d49c221d9b93
SHA256366fd97e3ced8777b98c5203c9684482e56eb38288be159d31ed54ba4e38d0b3
SHA512cd1fcae11f40ca7f636b1eb1897330c05e8e710f411d5c33298ecdd7037944634a0179bc4a1435ed4762894428844b2ef02f6044d5d69fd83e9c0d624bf53c63
-
Filesize
51KB
MD59eb5963e5d1f1b50eda17ec0743189aa
SHA19e3c6668a9d148f2e2efdf91f7a8f63272aa68a9
SHA256761af1f43943c43177d47ebb89fada2583481afb3c9655c25665d22a39994d67
SHA51209b3a32662ee6bbe9cd426e9c09e096de7b673f46a8430ac18fb7f85a0c79a51055e034e46167bb03f82a740bb5fdf577503cac9cbf1c3bde0e895355d619831
-
Filesize
98KB
MD579efba76fd8b1b30963707b8bf350501
SHA1592fd780aa9951639570f3bd7b148bedc6744860
SHA2567a41b11bb70e4babb6ed10a663a67cc5b9b74c3112bb2b2258db5ab74082e141
SHA5123b8d97a26610010a06a0f90d94c486cec060c787977e6a72c54bcb73797c9cae1985974188d85119c15903a98558fa41ce9215fb85f4fbf0256bb1e9b501c555
-
Filesize
439B
MD5b9991072e589e18038ff84065b53af77
SHA1d820d9d1578ca28065ab893c96baadd0c8f19e11
SHA2564fcbf02ff9dbaab6570a24dfc8377d05433d124c3b6cd5afe08e3d0e5a36e78e
SHA512de0898d82aa8472157a83c08508eb61d2b2769574d1236f6f548dfc92d5b41130a50b65e0268bfbf559f962aa2a619eacd5a1e95972ba9a4ad7c428db6a837e2
-
Filesize
68KB
MD571426d9aa93b60c078ed07ad60c6a8e2
SHA126b8b144ab732eb129d6a606ac6217886832451d
SHA256dfacbe1a810d928348af9a9e49c57532ebae04209c0250733512656ac9719786
SHA512b51d5c7873989bd5952febddd1bb6e3c77880831cbb56b383ebec0fb0f2a55b9c3f603ba8eb3291ae34a3ef4288f833ffabd0e58dc030110e081034318b95dc8
-
Filesize
86KB
MD58c7367ec5aa6710a1f86257b6cb93c0e
SHA1b0948cb7c8ee6ab0456bc65cb3ae64e1e6099b14
SHA2562848a8fde81ca7346a6c2ff41221e5685efe6c16e446a60d58e336632f2862da
SHA5121fa61b1d1b6ee2c6ca5a7180f37d4c0f3f66e457d70789290d62e62e03f4a45bf0913cd1277829e714bd0a580c9de477b30b3793735388f13f5d684a6de22e37
-
Filesize
12KB
MD5443e110af53edec1b8740aa7b3a23f13
SHA10ec9b9fdec57a1d3e85b343a6437abfaaa3d4a9e
SHA2560973c477dc7071e83ad0517554746bb998a039d201a5c0d9b9b60a2d07a479b6
SHA512bdc147703cf7351879bfdc55832d6394ca439cdf58e9a0a6916afdfa5e5b42408a10488b14396fc96361a2d6e6f1319412e936963ab10f64fb5d9ffeffaba919
-
Filesize
97KB
MD58b6e671bcde125b3094e8a844dc83eb9
SHA1e7c73663a7c3be3de944ab26f2feab68411572b3
SHA25605536696a886b9ffc228f97bf9399113e0e335f6d416c53ae15053f595d8ab78
SHA51261f66ff7c80fcc938ec9462e9e1832e0e578dc9888431b25077eef09fcaad90738c931cbb519ba5aa38dbd811aa5d7b78e14b49193181fd9acd01b2312430e49
-
Filesize
65KB
MD5d13978a7fbeeeac4d9a8fd32a2a0fc44
SHA1ac9be13532e6993808402ffef4b34543caa6b607
SHA256dffdea2c723deb402f2ffcbba9e8fa47ba5046371111cd9c65885d421f19049f
SHA512a6401b0930c4373b3733e45b6691e268cba8aa73de5a6674ed5d16b60471d98b5169731393a75eb99176e58a96ee4f998abb9fbb007bd060686ec846b55b5e2f
-
Filesize
56KB
MD5ceb785c3c2227d14c636d37dc081d3db
SHA15c53280255c3ea1cfa7ed88a030cb4fe04e46358
SHA25661f0a3caddf75516d64aba9dd3c00ef223161473c1425670f217fcb818548ab5
SHA5121d7552a26c7ba7fd9c76b5b888873c2e6896d68797106a5b77f8659d5ce0dd72436c15372bf955783bf1e377d7c0c836cbff0dd25f04d67abe9f2e9b778642cf
-
Filesize
88KB
MD5598ffca35e33b4fc2302a61bf056658e
SHA1826d3ec448ce0fd7ce284bd86b732411882ef2c2
SHA256775d09d656b3beb4d711cbb12759cb876f3a6a39b711e805bc94d1eefb98fd7a
SHA51269eaf29ff30e14b3b06a0d33e027b0dc7ebdfbbac86baa6f9b7ece2fea47e3d602fa07c36d75f6b8d9d44827c5514d1551b9ec6762c4008d2075a0619c964fc4
-
Filesize
86KB
MD5abd0e032eea4b26922ce864c12450b46
SHA17ce3ba254fc7ccedebb77d651d18de8b710c297f
SHA256215d9e7fb728fe11bfe89fb072d4f6bd2903504c466ed5c8ca0c5029b12ca5b2
SHA512b05d06b8499116d85b84542b5c9ce82b36f7433d439006c89fcc29e7572fc3f15a4cb56ada719b16ec66eee28d3be0a02e4ff66a8a4cbcc420bfe3ed8e508664
-
Filesize
81KB
MD51cf6c3ab870856b9143535d189dfd914
SHA1cad46a3ad0007cd4ee9c678edd44be319102b41c
SHA256090c755e487d0512dba6b57c4aef1e97bed9e68f4a2bf9fa7fe8056cb8231a6d
SHA51251728fcf8ec19d7dd9d42dfd6a6d07823999d6a1a92fa152c6b19bb28f2030260515a3449b06d1e09e2049676cbd7b05a1d492128a53de363c5ac916d4e606b3
-
Filesize
872KB
MD5f6b8f6a0a90ed6f136efdc09ef936754
SHA189a60aaacf5150a16bf452f709b772ee0a6fdeb7
SHA256b64f73910e0bc4fcbb71acfff0421634773db82174349a344c5d12eae2b91826
SHA512d003a98cfd71d5ae7068f7821a96a504ca110c0686059b205c6dea71a262dbd13528e09a5c82962d87e4e5ba5a106571a2f69b66403d466d6656ae933669c913