Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
29-08-2024 05:53
Static task
static1
Behavioral task
behavioral1
Sample
1e064eddcda0b1a5a6d864b79d91bf26.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
1e064eddcda0b1a5a6d864b79d91bf26.exe
Resource
win10v2004-20240802-en
General
-
Target
1e064eddcda0b1a5a6d864b79d91bf26.exe
-
Size
1.5MB
-
MD5
1e064eddcda0b1a5a6d864b79d91bf26
-
SHA1
dd50f163bdade043b2f9845e481ae7debcceaa4d
-
SHA256
28319673d8f382142e223302ede1e0e497ccac2cd7a9814715726335e78c29c7
-
SHA512
87b0b37a13fbf79316c150f0e69525703888f28312c8efcd8ac2db8832e6385dabd04261a86d8f183a20e64dea12d4a0fb07c81536b6f2c5726847f8e654347c
-
SSDEEP
24576:GzZTGqTlTTuRQghvPWL5zLntgJET0uItpLkzX7kBJGypqL9HFmsFmFd:GgkTTuxpWLBnGJEgaYBJgHFxmFd
Malware Config
Extracted
rhadamanthys
https://172.236.107.96/5502b8a765a7d7349/0d2mumm6.wcnlc
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
Solomon.pifdescription pid Process procid_target PID 2564 created 1272 2564 Solomon.pif 21 -
Executes dropped EXE 1 IoCs
Processes:
Solomon.pifpid Process 2564 Solomon.pif -
Loads dropped DLL 1 IoCs
Processes:
cmd.exepid Process 2688 cmd.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exetasklist.exepid Process 2724 tasklist.exe 2728 tasklist.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
1e064eddcda0b1a5a6d864b79d91bf26.exetasklist.execmd.exefindstr.exedialer.exechoice.execmd.exefindstr.exefindstr.exetasklist.execmd.exeSolomon.pifdescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1e064eddcda0b1a5a6d864b79d91bf26.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dialer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Solomon.pif -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
Solomon.pifdialer.exepid Process 2564 Solomon.pif 2564 Solomon.pif 2564 Solomon.pif 2564 Solomon.pif 2564 Solomon.pif 2804 dialer.exe 2804 dialer.exe 2804 dialer.exe 2804 dialer.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
tasklist.exetasklist.exedescription pid Process Token: SeDebugPrivilege 2724 tasklist.exe Token: SeDebugPrivilege 2728 tasklist.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
Solomon.pifpid Process 2564 Solomon.pif 2564 Solomon.pif 2564 Solomon.pif -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
Solomon.pifpid Process 2564 Solomon.pif 2564 Solomon.pif 2564 Solomon.pif -
Suspicious use of WriteProcessMemory 46 IoCs
Processes:
1e064eddcda0b1a5a6d864b79d91bf26.execmd.exeSolomon.pifdescription pid Process procid_target PID 2160 wrote to memory of 2688 2160 1e064eddcda0b1a5a6d864b79d91bf26.exe 30 PID 2160 wrote to memory of 2688 2160 1e064eddcda0b1a5a6d864b79d91bf26.exe 30 PID 2160 wrote to memory of 2688 2160 1e064eddcda0b1a5a6d864b79d91bf26.exe 30 PID 2160 wrote to memory of 2688 2160 1e064eddcda0b1a5a6d864b79d91bf26.exe 30 PID 2688 wrote to memory of 2724 2688 cmd.exe 32 PID 2688 wrote to memory of 2724 2688 cmd.exe 32 PID 2688 wrote to memory of 2724 2688 cmd.exe 32 PID 2688 wrote to memory of 2724 2688 cmd.exe 32 PID 2688 wrote to memory of 2880 2688 cmd.exe 33 PID 2688 wrote to memory of 2880 2688 cmd.exe 33 PID 2688 wrote to memory of 2880 2688 cmd.exe 33 PID 2688 wrote to memory of 2880 2688 cmd.exe 33 PID 2688 wrote to memory of 2728 2688 cmd.exe 35 PID 2688 wrote to memory of 2728 2688 cmd.exe 35 PID 2688 wrote to memory of 2728 2688 cmd.exe 35 PID 2688 wrote to memory of 2728 2688 cmd.exe 35 PID 2688 wrote to memory of 2604 2688 cmd.exe 36 PID 2688 wrote to memory of 2604 2688 cmd.exe 36 PID 2688 wrote to memory of 2604 2688 cmd.exe 36 PID 2688 wrote to memory of 2604 2688 cmd.exe 36 PID 2688 wrote to memory of 2556 2688 cmd.exe 37 PID 2688 wrote to memory of 2556 2688 cmd.exe 37 PID 2688 wrote to memory of 2556 2688 cmd.exe 37 PID 2688 wrote to memory of 2556 2688 cmd.exe 37 PID 2688 wrote to memory of 2576 2688 cmd.exe 38 PID 2688 wrote to memory of 2576 2688 cmd.exe 38 PID 2688 wrote to memory of 2576 2688 cmd.exe 38 PID 2688 wrote to memory of 2576 2688 cmd.exe 38 PID 2688 wrote to memory of 2684 2688 cmd.exe 39 PID 2688 wrote to memory of 2684 2688 cmd.exe 39 PID 2688 wrote to memory of 2684 2688 cmd.exe 39 PID 2688 wrote to memory of 2684 2688 cmd.exe 39 PID 2688 wrote to memory of 2564 2688 cmd.exe 40 PID 2688 wrote to memory of 2564 2688 cmd.exe 40 PID 2688 wrote to memory of 2564 2688 cmd.exe 40 PID 2688 wrote to memory of 2564 2688 cmd.exe 40 PID 2688 wrote to memory of 1076 2688 cmd.exe 41 PID 2688 wrote to memory of 1076 2688 cmd.exe 41 PID 2688 wrote to memory of 1076 2688 cmd.exe 41 PID 2688 wrote to memory of 1076 2688 cmd.exe 41 PID 2564 wrote to memory of 2804 2564 Solomon.pif 42 PID 2564 wrote to memory of 2804 2564 Solomon.pif 42 PID 2564 wrote to memory of 2804 2564 Solomon.pif 42 PID 2564 wrote to memory of 2804 2564 Solomon.pif 42 PID 2564 wrote to memory of 2804 2564 Solomon.pif 42 PID 2564 wrote to memory of 2804 2564 Solomon.pif 42
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\1e064eddcda0b1a5a6d864b79d91bf26.exe"C:\Users\Admin\AppData\Local\Temp\1e064eddcda0b1a5a6d864b79d91bf26.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Pad Pad.cmd & Pad.cmd & exit3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2880
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2604
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2413194⤵
- System Location Discovery: System Language Discovery
PID:2556
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "RosesRtEagleFiled" Arrived4⤵
- System Location Discovery: System Language Discovery
PID:2576
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Christians + ..\Toll + ..\Farmers + ..\Ga + ..\Hole + ..\Backgrounds + ..\Beverages + ..\Interactions + ..\Receivers + ..\Dos + ..\Willow + ..\Lindsay + ..\Photographic B4⤵
- System Location Discovery: System Language Discovery
PID:2684
-
-
C:\Users\Admin\AppData\Local\Temp\241319\Solomon.pifSolomon.pif B4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2564
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 54⤵
- System Location Discovery: System Language Discovery
PID:1076
-
-
-
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2804
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
881KB
MD5391e7eccd25c6827bb347558f79f463a
SHA1774ab388b256f6aad4ff5bf5175c7f4578ea6621
SHA25677b091364e68e3b076e5310557be325c36c294c1e4d00a558953725409842610
SHA5123c1505040a33534153d5316fb7c89736517463aa5d3b1278dc8e95e9f924823dd0a45570a5f4786e31af98a2cad046ca53767a576ccb5a3f339bfea190d9f700
-
Filesize
310B
MD50185a56db42a165ee45de3a7697cd719
SHA19f32533c96636b612de43b3fb2fb39b401c56eea
SHA256930d658e77f5e2ac85a8bd77265fce46172b2479aa3531f7a3e76b224040b2da
SHA5129565e7b139af0a5df3bed991ae7b68d38c7cec68814c3a00935b5e09cef7bc0af5c08035b56dfa00bcea413c334b4f57e8c0d78d0c8966b15e20aeeba728046b
-
Filesize
55KB
MD5ec7c849ef51aaa808fb2e2b01167257a
SHA10fda701090fe3369884ee2acc0bc2f52d21ba388
SHA2565916a7c92f9b67bf550ceeb624a156f03459abb95e01dee51977ade86ec7aa76
SHA512cb6ad028815f0b36a0ba2004c9a5aa8c9e9848a7c0bb33dbe9b8242895bcc3e7dbbdad0206b116df63b33dd3774db7ebf5637ca5b766ad81311dfb576933e498
-
Filesize
72KB
MD506636ebff20fd670a34f17dc0660a02f
SHA150842e5e33e54ce5977b700752d487c9f0d3fa76
SHA256639b705356aa04fc87362eb38b2df7191a90cafacba651ce10ce021c2bcd3ac5
SHA512311a39e4b0ea802c91df652717e3f81f438934eea02c1cb20aadc851617e25e86647a6585b48525f76fbf4c0878d07c884bfe0ce29c94c3900944a9a7297cb1d
-
Filesize
53KB
MD5c39d2152ca76a49430b22fa8c3bad4a6
SHA1a068ce67d60f03ce5610e95e18d1939bb78a8f51
SHA2565cce3a0553e66e57f67ce2b3b8380f71b6f2753c6d04f5f271c5c149004ea87e
SHA512c71f104c77ba719e1d7e9254f703be0ae0306257f129bb59bdd257b39b37c2f897c375e56dc9fa10653c0d5acda09e456d9d7def59a53c5cfecb28ed176a72b8
-
Filesize
91KB
MD517187b1c133cca101979e834227a8462
SHA13ca5d1aefee73a163159af4783e148cc05997f5d
SHA256ed7fef33a92437398f347fc6c71b4fcd5984ef931a62086f0a8d8d3cdb47bf2f
SHA5127ba6d0c9b3537e1370d8bdf3d1c7123dae0bae9695b763982cbc2d971d9b3cc880b7ba85d9482e9407794a086e9bb5272c2d1051b45653dd06aad93b6e1d8c3f
-
Filesize
67KB
MD5374e9f8645d8c9c84dbca3d376fa2232
SHA1f13e58ec275492380f3d61e2815c76752b844524
SHA256441800d470891d917c98a60509f5fb409d792f6b302b4fd680481c75e3b739a6
SHA5122e9c2ab2deaa2745e9026f9f906f0c8267ec7334327ea5c30ec108b57145411207f4a33b20ac1763a4359cba30d261ab66a0613c798061ce118f40150047a54e
-
Filesize
89KB
MD58ce1b99268919ae2a322960c1389b430
SHA130bccec43fd9778578ba614b6ce28309ee990c65
SHA256f5ccd2bd5a685a8d9b299205430364e1c1861b4211eda42c0a9aa1dfe46a342c
SHA51288cadb5c905805c259c6995f2c743b5672e6d3fec85903e263f40b2232d2451f2f28fb1e597c4ffaa98947d870cb8b2191e87ad45103169e254c0d3ad99fd913
-
Filesize
76KB
MD5efa7870410bd5ea7354d44e92c7b003b
SHA18a34b6f22d3762f256e4e29f9d4545eaa77c6dbb
SHA256215d284cc65cd710287417d71029135d06451495d6a55d4b9325702064fba5b8
SHA51230ec41ebd13c27796aafc8600ccdb9c5a547aeaba96a00f74802b1cca4ba251fa5de311f842e398f174119862296978a3d22180eabeb2abfb58b8da8193de45e
-
Filesize
90KB
MD5de1bb709f102c6ae90cd5fac04443161
SHA1d2beeed4dbcbb77b62e8b39b9ce75eb03d102d05
SHA2561b32207d8e9edace6fb6e6dec67f3be8a2d47db06d59f25c2dd636e898b9a30d
SHA512c1c818f068e18a179d7f5ffeadf8426bf2fa77514c572f5b5ae74dd9884569421e643bb58c5cc2448d20b28b5fd08834aed4894c0921417fcfe1d2533c5ca351
-
Filesize
88KB
MD510e8fb672200f58c8b9890d80f7397ac
SHA144ffe61d318bfba9ba9f4e0945540ea7e2ee17cc
SHA2566f577dd0f31f69c9a8af9fb5b7fe767e45412cff5c4cc38096aa296f6bc990ab
SHA5123739397a2e6026a807d37e31d5a901829b386151009762c1cfa5352fd7987161d02a12ed667c136d1168999f09ff9b52bfe062a764a314bd93d244446a7c4b68
-
Filesize
13KB
MD5959f5dd61aee97cd58e990d904a7d616
SHA1f55f89830f5cc630d03b8616d762261ca17302bb
SHA2564e7c71ec0fbd5a49568131b48c5d56a6c34f98d5643012d5f076858c9d678d50
SHA512909fb61e40943b10b3546ee1a54f10a07e2e45c1df2ed7b68483cd5b6fe3de8564f88fa5f3e66a0f57322e2c679baa33cffc46637b58c00a4934a60c9cef9c2a
-
Filesize
9KB
MD54fcfb49cf9b7e9275aa361d66295eebb
SHA1455f6315bfe03be71beee000f3d806c79b676aaf
SHA25672d49c2b48d48a01eff21525e92ba32fd5024f48435e9b2e76842f431db637b6
SHA512b0ec679e7e7f2f93c6e2d97adab7c6c2e9969ae43961150a5295e67c2e468e9a51c3bf053f40033bfe4a9c9f2113db31808c536b7796d5d2423d4fe92609e72a
-
Filesize
56KB
MD57492e93eb182c4a192a575434d44fce2
SHA1cd1484af93b075e6ebbf0bed13d38c2a2bccd023
SHA256a4446752a39b33c87e67c04be85daa18493b07d7e4589985b936e5f02f83b60d
SHA5129d0a3f12d0641d3edfdf3951961c8f9300bc0280d1657a3f1389ee746b24127c588f1bcbeab12af4aa44f5b30e29c9a478b3e38fb8f829955e36896b46a4f196
-
Filesize
872KB
MD5c9f4552f24606020ccce3341611d353e
SHA130636bf578a9a05404d50bde21088b6d6a05e111
SHA256bc52236d68e32251d82f6529c06b158f91688d12b63d9aec65dbb493d74177a3
SHA5122d17f3dc86740689311cd941b55fb4b75b3791324116e4d0c5ae29c2f190ef15ed31ac141523a32a0c129466e18abc163b4141cf596b64542e5c5871dcbc8d21
-
Filesize
54KB
MD50b822930f43feb6a523e2b7478c943b2
SHA16bd39e29ab1b4e475c545ce41284b409759f8a64
SHA256d84721ee1bf5fe6eec6e4fb42a0a96a86a3bb10d02cd57590ceb10fba3609f46
SHA51257a96ebb9cf4f3d9d0e50512881c33fbba80f21fa593434a700a5019204803472e81d9f9cdf5ef1d3237f486afeca60c876b0bbcec2d10cd157e688c7a78658f
-
Filesize
81KB
MD5b0ed4fc0800b81de64aba363cd7fda59
SHA1a93167e4fc3bc6fe08f813d4b4d1bd5251020d6e
SHA256b98900ce6f107703f3c6c56f9c8ff4676fa0a7260c1698b23659bf3e7d5eb2f4
SHA512dd912543e31eb017261c8e2d47ba8587bc536e017d3a4f3f9f164ff12417a9117a6afee6aae5d587454b8972e06624f34c2f5e1f8463b3952126877028a91849
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c