Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://t.ly/kQE4e

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-ja
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-jalocale:ja-jpos:windows10-2004-x64systemwindows
  • submitted
    26-08-2024 07:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://t.ly/kQE4e

Score
10/10
rhadamanthysdiscoverypersistencestealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://198.135.48.191:3090/7cc6bd8a9e6893408/1tlibt59.73eni

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:1480
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3628
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.ly/kQE4e
      1⤵
        PID:1944
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=ja --js-flags=--ms-user-locale=ja_JP --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5056,i,13462514811695382832,13975351635256047125,262144 --variations-seed-version --mojo-platform-channel-handle=1760 /prefetch:1
        1⤵
          PID:3608
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=ja --js-flags=--ms-user-locale=ja_JP --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4348,i,13462514811695382832,13975351635256047125,262144 --variations-seed-version --mojo-platform-channel-handle=4836 /prefetch:1
          1⤵
            PID:2164
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=ja --service-sandbox-type=asset_store_service --field-trial-handle=5412,i,13462514811695382832,13975351635256047125,262144 --variations-seed-version --mojo-platform-channel-handle=5440 /prefetch:8
            1⤵
              PID:5744
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=ja --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5464,i,13462514811695382832,13975351635256047125,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:8
              1⤵
                PID:4528
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=ja --service-sandbox-type=collections --field-trial-handle=6164,i,13462514811695382832,13975351635256047125,262144 --variations-seed-version --mojo-platform-channel-handle=6212 /prefetch:8
                1⤵
                  PID:3252
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=ja --js-flags=--ms-user-locale=ja_JP --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6188,i,13462514811695382832,13975351635256047125,262144 --variations-seed-version --mojo-platform-channel-handle=6248 /prefetch:1
                  1⤵
                    PID:116
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=ja --service-sandbox-type=service --field-trial-handle=5460,i,13462514811695382832,13975351635256047125,262144 --variations-seed-version --mojo-platform-channel-handle=5972 /prefetch:8
                    1⤵
                      PID:2728
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=ja --service-sandbox-type=none --field-trial-handle=5624,i,13462514811695382832,13975351635256047125,262144 --variations-seed-version --mojo-platform-channel-handle=6596 /prefetch:8
                      1⤵
                        PID:228
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        1⤵
                          PID:3816
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=ja --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6708,i,13462514811695382832,13975351635256047125,262144 --variations-seed-version --mojo-platform-channel-handle=5696 /prefetch:8
                          1⤵
                            PID:1964
                          • C:\Program Files\7-Zip\7zG.exe
                            "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\画像およびビデオの著作権侵害の証拠\" -spe -an -ai#7zMap22316:96:7zEvent9229
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of FindShellTrayWindow
                            PID:5212
                          • C:\Users\Admin\Downloads\画像およびビデオの著作権侵害の証拠\画像およびビデオの著作権侵害の証拠.exe
                            "C:\Users\Admin\Downloads\画像およびビデオの著作権侵害の証拠\画像およびビデオの著作権侵害の証拠.exe"
                            1⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:4732
                            • C:\Users\Admin\Downloads\画像およびビデオの著作権侵害の証拠\画像およびビデオの著作権侵害の証拠.exe
                              "C:\Users\Admin\Downloads\画像およびビデオの著作権侵害の証拠\画像およびビデオの著作権侵害の証拠.exe"
                              2⤵
                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of WriteProcessMemory
                              PID:3524
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 464
                                3⤵
                                • Program crash
                                PID:5592
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 500
                                3⤵
                                • Program crash
                                PID:5612
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
                              2⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:4952
                              • C:\Windows\SysWOW64\reg.exe
                                reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
                                3⤵
                                • Adds Run key to start application
                                • System Location Discovery: System Language Discovery
                                PID:1260
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3524 -ip 3524
                            1⤵
                              PID:1324
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3524 -ip 3524
                              1⤵
                                PID:228

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\Downloads\画像およびビデオの著作権侵害の証拠\epatent.dll
                                Filesize

                                25.0MB

                                MD5

                                b896496cd2d93761423c4a7f8c51b9bb

                                SHA1

                                d986f06d2a4db282f7d3cf8bf0b253e0e38d30d1

                                SHA256

                                82932459183f7c47c1578782c0f8f466abeded7632a7da27072520c18c916478

                                SHA512

                                e164882383f00ffce52f7ae1bdfafae06d189b48b1400bebcc55f26bd53e4c8698ae0261a63b5ec7c642d7dc29998336df62ff80d3a51b937617893f27a60bd0

                                Download Submit

                              • C:\Users\Admin\Downloads\画像およびビデオの著作権侵害の証拠\画像およびビデオの著作権侵害の証拠.exe
                                Filesize

                                727KB

                                MD5

                                d858d89ed151c44200931c41def7bcdd

                                SHA1

                                0a966b1a9ce0687070211e69c980050ca4ca95fd

                                SHA256

                                07f0a1b37e9b3b1eaa15a5ea28ba1d17608f2726440329d071236500984fcf20

                                SHA512

                                9d588a1ad4db194bc75efa4f759220712d72d3971695663100602ea555ab8b7d3ef91fe130963584647891f2b83199ed2e8ff1ee473cee1a0f4438835dd35846

                                Download Submit

                              • memory/3524-30-0x00000000757E0000-0x00000000759F5000-memory.dmp

                                Filesize

                                2.1MB

                                Download

                              • memory/3524-27-0x00000000036F0000-0x0000000003AF0000-memory.dmp

                                Filesize

                                4.0MB

                                Download

                              • memory/3524-24-0x0000000000700000-0x000000000077E000-memory.dmp

                                Filesize

                                504KB

                                Download

                              • memory/3524-15-0x0000000000700000-0x000000000077E000-memory.dmp

                                Filesize

                                504KB

                                Download

                              • memory/3524-26-0x00000000036F0000-0x0000000003AF0000-memory.dmp

                                Filesize

                                4.0MB

                                Download

                              • memory/3524-23-0x0000000000700000-0x000000000077E000-memory.dmp

                                Filesize

                                504KB

                                Download

                              • memory/3524-22-0x0000000000700000-0x000000000077E000-memory.dmp

                                Filesize

                                504KB

                                Download

                              • memory/3524-28-0x00007FFC6FE30000-0x00007FFC70025000-memory.dmp

                                Filesize

                                2.0MB

                                Download

                              • memory/3628-33-0x0000000002B40000-0x0000000002F40000-memory.dmp

                                Filesize

                                4.0MB

                                Download

                              • memory/3628-31-0x0000000000D60000-0x0000000000D69000-memory.dmp

                                Filesize

                                36KB

                                Download

                              • memory/3628-34-0x00007FFC6FE30000-0x00007FFC70025000-memory.dmp

                                Filesize

                                2.0MB

                                Download

                              • memory/3628-36-0x00000000757E0000-0x00000000759F5000-memory.dmp

                                Filesize

                                2.1MB

                                Download

                              • memory/4732-18-0x0000000010000000-0x0000000010398000-memory.dmp

                                Filesize

                                3.6MB

                                Download

                              • memory/4732-25-0x0000000010008000-0x0000000010027000-memory.dmp

                                Filesize

                                124KB

                                Download

                              • memory/4732-10-0x0000000010000000-0x0000000010398000-memory.dmp

                                Filesize

                                3.6MB

                                Download

                              • memory/4732-14-0x0000000010000000-0x0000000010398000-memory.dmp

                                Filesize

                                3.6MB

                                Download

                              • memory/4732-16-0x0000000010000000-0x0000000010398000-memory.dmp

                                Filesize

                                3.6MB

                                Download

                              • memory/4732-20-0x0000000010000000-0x0000000010398000-memory.dmp

                                Filesize

                                3.6MB

                                Download

                              • memory/4732-13-0x0000000010000000-0x0000000010398000-memory.dmp

                                Filesize

                                3.6MB

                                Download

                              • memory/4732-11-0x0000000010008000-0x0000000010027000-memory.dmp

                                Filesize

                                124KB

                                Download