Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
29-08-2024 05:53
Behavioral task
behavioral1
Sample
0024f2af21d239ce45c14ce295b28ac2.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
0024f2af21d239ce45c14ce295b28ac2.exe
Resource
win10v2004-20240802-en
General
-
Target
0024f2af21d239ce45c14ce295b28ac2.exe
-
Size
11.1MB
-
MD5
0024f2af21d239ce45c14ce295b28ac2
-
SHA1
51c27e4c16ef9b68874ced062d29e357a380d25b
-
SHA256
eabcd20c183903046a1d28b72a6178da24879d8057594334ce300bc969c7e23d
-
SHA512
741edd582ce34c352c6965cc4487408b18e63e2fb0bb5ae8c103de5c02e56cb22fa80c83d3b69b03b6e315fd7694ffa22d948adbe2f3eb38f5eb5ed4c1fad545
-
SSDEEP
196608:MOJ9gF/d8f23gg1tvLpPEBKqY1iyvB6nBtPISH95B08fVBTyRKfqrUM+kLsOiLlU:MOJ9gF/d8f23gg1ZLpPEBKqY1iyvB6n6
Malware Config
Extracted
rhadamanthys
https://5.42.99.131:443/e0bd9c1f4515facb49/m58gpf5u.6eabm
Signatures
-
Detects HijackLoader (aka IDAT Loader) 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2988-0-0x0000000000400000-0x0000000000F1A000-memory.dmp family_hijackloader behavioral1/memory/2988-16-0x0000000000400000-0x0000000000F1A000-memory.dmp family_hijackloader -
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Deletes itself 1 IoCs
Processes:
cmd.exepid Process 2736 cmd.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
0024f2af21d239ce45c14ce295b28ac2.exedescription pid Process procid_target PID 2988 set thread context of 2736 2988 0024f2af21d239ce45c14ce295b28ac2.exe 30 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
0024f2af21d239ce45c14ce295b28ac2.execmd.exeexplorer.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0024f2af21d239ce45c14ce295b28ac2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
0024f2af21d239ce45c14ce295b28ac2.execmd.exepid Process 2988 0024f2af21d239ce45c14ce295b28ac2.exe 2988 0024f2af21d239ce45c14ce295b28ac2.exe 2736 cmd.exe 2736 cmd.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
0024f2af21d239ce45c14ce295b28ac2.execmd.exepid Process 2988 0024f2af21d239ce45c14ce295b28ac2.exe 2736 cmd.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
0024f2af21d239ce45c14ce295b28ac2.execmd.exedescription pid Process procid_target PID 2988 wrote to memory of 2736 2988 0024f2af21d239ce45c14ce295b28ac2.exe 30 PID 2988 wrote to memory of 2736 2988 0024f2af21d239ce45c14ce295b28ac2.exe 30 PID 2988 wrote to memory of 2736 2988 0024f2af21d239ce45c14ce295b28ac2.exe 30 PID 2988 wrote to memory of 2736 2988 0024f2af21d239ce45c14ce295b28ac2.exe 30 PID 2988 wrote to memory of 2736 2988 0024f2af21d239ce45c14ce295b28ac2.exe 30 PID 2736 wrote to memory of 2816 2736 cmd.exe 33 PID 2736 wrote to memory of 2816 2736 cmd.exe 33 PID 2736 wrote to memory of 2816 2736 cmd.exe 33 PID 2736 wrote to memory of 2816 2736 cmd.exe 33 PID 2736 wrote to memory of 2816 2736 cmd.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\0024f2af21d239ce45c14ce295b28ac2.exe"C:\Users\Admin\AppData\Local\Temp\0024f2af21d239ce45c14ce295b28ac2.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2816
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD56faea803a5902bd879d2bf4f1964b6e2
SHA1314061f6c04b1aa25896a3328a210c038e2d4591
SHA2564b0c650df5a533c72f46c585d384d703bf4c19df04ca398ddbda675245bad62a
SHA512cf16c7dcb3b13fbf5ee92427472ef3d7031835ba1acb29b174c97c57e2f4aa0e42b62727e7fa5a5247c9cf56324449511cf9fc57c4392bd1c321053515fd593e