Analysis
max time kernel: 123s
max time network: 121s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 27-08-2024 16:07
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20240729-en
General
Target: file.exe
Size: 2.5MB
MD5: 61d31fb13c1dd46fcb03caf7f648508c
SHA1: ecd46d1e09bdfa50c1587690e70262bc14ba751c
SHA256: 6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc
SHA512: c0a20fd176c812f47902da3da6b1bbde8924218666752be985245a5bb804c943a9312550d110f3a95096042991ef8cec9b1931377e4a8d09781c406b9da31127
SSDEEP: 49152:+pz3Y5ANfs2/w8JUgyUBx8pQIVf/OV9UdOV8ZUhJgnVlz2sTyNy:+pk5Am2/w8J9L8pQIVf/OMO277z9TWy
Malware Config
Extracted: rhadamanthys
  https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud
Extracted: xworm
  5.0
  TN3sSNYI1fDMFOs2
  install_file: USB.exe
  pastebin_url: https://pastebin.com/raw/jxfGm9Pc
Signatures

Detect Xworm Payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/1292-122-0x0000000000400000-0x000000000040E000-memory.dmp | family_xworm

Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | process | procid_target
  PID 2580 created 1364 | 2580 | V3.exe | 21

Executes dropped EXE (2 IoCs)
  pid | process
  2660 | SendBugReportNew.exe
  2580 | V3.exe

Loads dropped DLL (7 IoCs)
  pid | process | count
  1936 | file.exe | 1
  2660 | SendBugReportNew.exe | 5
  1960 | cmd.exe | 1

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | procid_target
  PID 2660 set thread context of 1960 | 2660 | SendBugReportNew.exe | 32
  PID 1960 set thread context of 1292 | 1960 | cmd.exe | 34

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  ioc | process
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | file.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SendBugReportNew.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | V3.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dialer.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Delays execution with timeout.exe (1 IoC)
  pid | process
  2768 | timeout.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | process | count
  2660 | SendBugReportNew.exe | 2
  2580 | V3.exe | 2
  2500 | dialer.exe | 4
  1960 | cmd.exe | 1

Suspicious behavior: MapViewOfSection (3 IoCs)
  pid | process | count
  2660 | SendBugReportNew.exe | 1
  1960 | cmd.exe | 2

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 1292 | MSBuild.exe

Suspicious use of WriteProcessMemory (36 IoCs; identical rows collapsed, count = number of writes reported)
  description | pid | process | procid_target | count
  PID 1936 wrote to memory of 2660 | 1936 | file.exe | 29 | 7
  PID 2660 wrote to memory of 2580 | 2660 | SendBugReportNew.exe | 30 | 4
  PID 2580 wrote to memory of 2500 | 2580 | V3.exe | 31 | 6
  PID 2660 wrote to memory of 1960 | 2660 | SendBugReportNew.exe | 32 | 5
  PID 1960 wrote to memory of 1292 | 1960 | cmd.exe | 34 | 6
  PID 1292 wrote to memory of 2992 | 1292 | MSBuild.exe | 36 | 4
  PID 2992 wrote to memory of 2768 | 2992 | cmd.exe | 38 | 4
Processes (indentation shows depth in the process tree; [N] is the depth level as reported)

[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    PID: 1364
  [2] C:\Users\Admin\AppData\Local\Temp\file.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
      PID: 1936
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\SendBugReportNew.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\SendBugReportNew.exe"
        PID: 2660
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\Javaoraclev4\ILOHPRARICBXFF\V3.exe
          cmdline: C:\Users\Admin\AppData\Roaming\Javaoraclev4\ILOHPRARICBXFF\V3.exe
          PID: 2580
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe
          PID: 1960
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            PID: 1292
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp43C4.tmp.bat""
              PID: 2992
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\timeout.exe
                cmdline: timeout 3
                PID: 2768
                - System Location Discovery: System Language Discovery
                - Delays execution with timeout.exe
  [2] C:\Windows\SysWOW64\dialer.exe
      cmdline: "C:\Windows\system32\dialer.exe"
      PID: 2500
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
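As an added worked example (this is not part of the sandbox report and not the sandbox's own tooling), the Python below reconstructs the injection chain from the behavioural IoC rows in the Signatures section and the parent/child relations drawn in the Processes tree. The row grammar is parsed as the report prints it. Two interpretations are mine and should be read as assumptions: a WriteProcessMemory row paired with a SetThreadContext row from the same source is treated as hollowing/thread hijack of the target, and "PID 2580 created 1364" is read as V3.exe spawning a child whose parent was spoofed to Explorer.EXE (1364), cross-checked against the tree, which shows dialer.exe (2500) under Explorer.EXE even though V3.exe wrote to its memory. The middle field of the memory-dump name (122) is left uninterpreted.

```python
import re
from collections import defaultdict

# Behavioural IoC rows copied from the report's signature tables. The repeated
# WriteProcessMemory rows are listed once each; the chain only needs the edges.
IOC_ROWS = [
    "PID 1936 wrote to memory of 2660",
    "PID 2660 wrote to memory of 2580",
    "PID 2580 wrote to memory of 2500",
    "PID 2660 wrote to memory of 1960",
    "PID 1960 wrote to memory of 1292",
    "PID 1292 wrote to memory of 2992",
    "PID 2992 wrote to memory of 2768",
    "PID 2660 set thread context of 1960",
    "PID 1960 set thread context of 1292",
    "PID 2580 created 1364",
]
# Parent of each PID as drawn in the report's process tree.
TREE_PARENT = {1936: 1364, 2660: 1936, 2580: 2660, 1960: 2660,
               1292: 1960, 2992: 1292, 2768: 2992, 2500: 1364}
PROCESS_NAMES = {1364: "Explorer.EXE", 1936: "file.exe", 2660: "SendBugReportNew.exe",
                 2580: "V3.exe", 2500: "dialer.exe", 1960: "cmd.exe",
                 1292: "MSBuild.exe", 2992: "cmd.exe", 2768: "timeout.exe"}
XWORM_DUMP = "behavioral1/memory/1292-122-0x0000000000400000-0x000000000040E000-memory.dmp"

ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of|created) (\d+)$")
DUMP_RE = re.compile(r"^behavioral1/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_rows(rows):
    """Turn report rows into (source_pid, verb, target_pid) edges; unknown rows are skipped."""
    edges = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            edges.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return edges


def hollowed_processes(edges):
    """Targets that one source both wrote into and re-pointed with SetThreadContext.
    Returns {target_pid: injector_pid}. (Assumption: that pairing marks hollowing.)"""
    written = {(s, t) for s, v, t in edges if v == "wrote to memory of"}
    return {t: s for s, v, t in edges if v == "set thread context of" and (s, t) in written}


def spoofed_parents(edges, tree_parent):
    """For each 'PID A created P' row, find the child A injected into that the tree
    places under P rather than under A. Returns [(injector, child, claimed_parent)]."""
    written = defaultdict(set)
    for s, v, t in edges:
        if v == "wrote to memory of":
            written[s].add(t)
    found = []
    for s, v, claimed in edges:
        if v == "created":
            for child in sorted(written[s]):
                if claimed != s and tree_parent.get(child) == claimed:
                    found.append((s, child, claimed))
    return found


def parse_memory_dump(name):
    """Split a '<pid>-<n>-<base>-<end>-memory.dmp' resource name into its parts."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump resource name: {name}")
    pid, base, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return {"pid": pid, "base": base, "end": end, "size": end - base}


def chains(edges, root):
    """Follow WriteProcessMemory edges from root to every leaf, in report order."""
    children = defaultdict(list)
    for s, v, t in edges:
        if v == "wrote to memory of" and t not in children[s]:
            children[s].append(t)
    paths = []

    def walk(pid, path):
        if not children[pid]:
            paths.append(path)
            return
        for c in children[pid]:
            walk(c, path + [c])

    walk(root, [root])
    return paths


def summarise(rows=IOC_ROWS, tree_parent=TREE_PARENT, dump=XWORM_DUMP):
    """Human-readable findings: chains, hollowed hosts, parent spoofing, payload location."""
    edges = parse_rows(rows)
    name = lambda p: f"{PROCESS_NAMES.get(p, '?')}({p})"
    lines = [" -> ".join(name(p) for p in path) for path in chains(edges, 1936)]
    for target, src in hollowed_processes(edges).items():
        lines.append(f"hollowed: {name(src)} wrote into and set thread context of {name(target)}")
    for s, child, claimed in spoofed_parents(edges, tree_parent):
        lines.append(f"parent spoofing: {name(s)} created {name(child)} under {name(claimed)}")
    d = parse_memory_dump(dump)
    lines.append(f"xworm payload dumped from {name(d['pid'])} at 0x{d['base']:X} ({d['size']} bytes)")
    return lines


if __name__ == "__main__":
    print("\n".join(summarise()))
```

Pairing a WriteProcessMemory row with a SetThreadContext row from the same source is what singles out cmd.exe (1960) and MSBuild.exe (1292) as hollowed hosts; the remaining WriteProcessMemory rows, taken alone, are also produced by ordinary child-process creation and are not evidence of injection by themselves. The YARA hit on the MSBuild.exe dump at image base 0x400000 (0xE000 bytes) is what ties the XWorm config to that branch of the tree, while the spoofed-parent dialer.exe branch belongs to the Rhadamanthys side.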
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.1MB
MD5: 1e630e9a669719afeb5ed237ef4ea782
SHA1: e9f6d109778af162a658ef163f3f92e017ac4413
SHA256: 9dccd0474ce1598b45a78d751c7da2e24bcf35f106c383b7e24a2b46aa5f492d
SHA512: 4030bb8b0fb3a1821112df080845da3b486f46429df71e1161b14db61a2efa7480f8b3f3da1487b68378ef08c53a817866f0b25c3e7ad1127722efd7f0cf4424

Filesize: 960KB
MD5: 6fd4005525f3029cd0e664e5729f048d
SHA1: bcdd6ed97c89c33e24f15cc76ddf6a8db9136218
SHA256: 20353143a20e7962473b12a4614b0874327c130a309f6d7b15ac5fd7214c2d13
SHA512: 0cf2a9abc6d92628c226e0d86203532105234be5e0bb519f8a7f564f3c4b5514e6f3a682ec1ee16a61aff34afc2a26110b9e0b8bdfa191ee7c1f7f0a16d9eeb9

Filesize: 31KB
MD5: 8ade14406162e1acd567b99843aeafb9
SHA1: 76886ab3d6c8c62a9b5fc9d3785b4395e0a75678
SHA256: a465457514e861e867729368e650b69861e4c8a3ec547a30e67b3aec77599724
SHA512: bde1333a1cd35cb3c24db0055d1f761f966c68ef3a1b7060aa204f07813b0b697c6dc6700736804d05e41be15367493a13e1a9897cc5aa5ef1bc831dc6618905

Filesize: 1.0MB
MD5: c80f3b711d04c486ccdf3740689b3569
SHA1: c8724122282a018f8fb9f8775d0615311da4fd70
SHA256: a4df6624a65c83002e97d81d96bd85c3b1370129c486bd43cb399e76a6e4d393
SHA512: e977a1118b3b94fdac13073e9c60f8e43531cd8f0136f60774fd891175815c3839a316aef496d6e5c3038cc119dd936356b1d01c521e3bc9c1c01f1be998d4b7

Filesize: 171B
MD5: 81f023941ea74e0dc2f28a952ed2b714
SHA1: 2045bb83c2025719f737b3a035ca95df93707d6d
SHA256: c4999fad8d0bf1d431a817ebb8e708364a8091ec679a4d1aedd549fe1b785457
SHA512: ab2e75b7477846c51056b6b8d0b16ced945bb2962e1f7417326ab3a7a97179a8bcc6c17eaeab20eba551c3a38b5aa59a66d621fb336db83b5d2ae69a31374e25

Filesize: 1.9MB
MD5: 9a438a75e68e88cdabc13074a17f8a52
SHA1: 97c94801d37d249ece7ba9aca05703303fd9cf06
SHA256: ccccadde7393f1b624cde32b38274e60bbe65b1769d614d129babdaeef9a6715
SHA512: 19d260505972b96c2e5ae0058a29f61e606e276779a80732dbee70f9223dbff51dcb1f5e4eff19206c300ee08e6060987171f5b83ad87fdd8f797e0e2db529fc

Filesize: 223KB
MD5: 8aaa3926885b3fa7ae0448f5e700cb79
SHA1: 47bd7d281ddde5ebef8599482212743bf2f7e67b
SHA256: 47396c301fbe78bfaf9e344936a0f7a4e6d174c096f847e160d822e48012162d
SHA512: 86d395ca89ec2a988f035ecb32640ddac99247e2568673246388fe310e8c3a44807049e8f3482fae86c453d5e3529a8f2daf8614a1086b6d979e64fd917bbe3a

Filesize: 1.3MB
MD5: 58717509c1521eacfcc7cda39e6bd45c
SHA1: 5102dc3a82e8a2710ac67521f85f43f5296b5045
SHA256: d76d0650b630fdb70756a446e0a43672b5da1c2a74014118b02133923305da9a
SHA512: c637c2960b8a0bc111b408af05a0879d9a10f05d802ee7b8b9f115cb54606f76f4475375cecfa9fdb0518be0340b2c5bd23f8fe100dc21db88287a9227c0e69f

Filesize: 423KB
MD5: ae36397a23d16920ddfe4dfec24f6b85
SHA1: 49f1edaf5af83457fc10d1e73680b59202057e28
SHA256: e36bbdf75e56c4d0562ba5aba9e78d483a6196fe1ec891cc71ef9db5556c9c81
SHA512: 7642e0509969b1de936f6f30a7a899bceda2dda526759911f2ff47bd32002dc992322d02347d26dfd3eb0594922f068bf9be20bb760ce08a006f64d78781d0c3