Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
29-08-2024 05:53
General
-
Target
0024f2af21d239ce45c14ce295b28ac2.exe
-
Size
11.1MB
-
MD5
0024f2af21d239ce45c14ce295b28ac2
-
SHA1
51c27e4c16ef9b68874ced062d29e357a380d25b
-
SHA256
eabcd20c183903046a1d28b72a6178da24879d8057594334ce300bc969c7e23d
-
SHA512
741edd582ce34c352c6965cc4487408b18e63e2fb0bb5ae8c103de5c02e56cb22fa80c83d3b69b03b6e315fd7694ffa22d948adbe2f3eb38f5eb5ed4c1fad545
-
SSDEEP
196608:MOJ9gF/d8f23gg1tvLpPEBKqY1iyvB6nBtPISH95B08fVBTyRKfqrUM+kLsOiLlU:MOJ9gF/d8f23gg1ZLpPEBKqY1iyvB6n6
Malware Config
Extracted
rhadamanthys
https://5.42.99.131:443/e0bd9c1f4515facb49/m58gpf5u.6eabm
Signatures
-
Detects HijackLoader (aka IDAT Loader) 2 IoCs
-
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Deletes itself 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0024f2af21d239ce45c14ce295b28ac2.exe"C:\Users\Admin\AppData\Local\Temp\0024f2af21d239ce45c14ce295b28ac2.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD56faea803a5902bd879d2bf4f1964b6e2
SHA1314061f6c04b1aa25896a3328a210c038e2d4591
SHA2564b0c650df5a533c72f46c585d384d703bf4c19df04ca398ddbda675245bad62a
SHA512cf16c7dcb3b13fbf5ee92427472ef3d7031835ba1acb29b174c97c57e2f4aa0e42b62727e7fa5a5247c9cf56324449511cf9fc57c4392bd1c321053515fd593e
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
512KB
-
Filesize
1.7MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
1.7MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
11.1MB
-
Filesize
11.1MB
-
Filesize
4KB