Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30-08-2024 02:12
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240705-en
General
-
Target
file.exe
-
Size
2.5MB
-
MD5
61d31fb13c1dd46fcb03caf7f648508c
-
SHA1
ecd46d1e09bdfa50c1587690e70262bc14ba751c
-
SHA256
6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc
-
SHA512
c0a20fd176c812f47902da3da6b1bbde8924218666752be985245a5bb804c943a9312550d110f3a95096042991ef8cec9b1931377e4a8d09781c406b9da31127
-
SSDEEP
49152:+pz3Y5ANfs2/w8JUgyUBx8pQIVf/OV9UdOV8ZUhJgnVlz2sTyNy:+pk5Am2/w8J9L8pQIVf/OMO277z9TWy
Malware Config
Extracted
rhadamanthys
https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud
Extracted
xworm
5.0
TN3sSNYI1fDMFOs2
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/jxfGm9Pc
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4844-80-0x0000000000D00000-0x0000000000D0E000-memory.dmp family_xworm -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
V3.exedescription pid Process procid_target PID 4776 created 2672 4776 V3.exe 44 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
file.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation file.exe -
Executes dropped EXE 2 IoCs
Processes:
SendBugReportNew.exeV3.exepid Process 2120 SendBugReportNew.exe 4776 V3.exe -
Loads dropped DLL 6 IoCs
Processes:
SendBugReportNew.exepid Process 2120 SendBugReportNew.exe 2120 SendBugReportNew.exe 2120 SendBugReportNew.exe 2120 SendBugReportNew.exe 2120 SendBugReportNew.exe 2120 SendBugReportNew.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
Processes:
flow ioc 17 pastebin.com 18 pastebin.com 20 pastebin.com 21 pastebin.com 22 pastebin.com -
Suspicious use of SetThreadContext 2 IoCs
Processes:
SendBugReportNew.execmd.exedescription pid Process procid_target PID 2120 set thread context of 764 2120 SendBugReportNew.exe 90 PID 764 set thread context of 4844 764 cmd.exe 99 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
file.exeSendBugReportNew.exeV3.exeopenwith.execmd.exeMSBuild.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SendBugReportNew.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language V3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language openwith.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
SendBugReportNew.exeV3.exeopenwith.execmd.exepid Process 2120 SendBugReportNew.exe 2120 SendBugReportNew.exe 4776 V3.exe 4776 V3.exe 5060 openwith.exe 5060 openwith.exe 5060 openwith.exe 5060 openwith.exe 764 cmd.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
SendBugReportNew.execmd.exepid Process 2120 SendBugReportNew.exe 764 cmd.exe 764 cmd.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
MSBuild.exedescription pid Process Token: SeDebugPrivilege 4844 MSBuild.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
file.exeSendBugReportNew.exeV3.execmd.exedescription pid Process procid_target PID 1032 wrote to memory of 2120 1032 file.exe 86 PID 1032 wrote to memory of 2120 1032 file.exe 86 PID 1032 wrote to memory of 2120 1032 file.exe 86 PID 2120 wrote to memory of 4776 2120 SendBugReportNew.exe 88 PID 2120 wrote to memory of 4776 2120 SendBugReportNew.exe 88 PID 2120 wrote to memory of 4776 2120 SendBugReportNew.exe 88 PID 4776 wrote to memory of 5060 4776 V3.exe 89 PID 4776 wrote to memory of 5060 4776 V3.exe 89 PID 4776 wrote to memory of 5060 4776 V3.exe 89 PID 4776 wrote to memory of 5060 4776 V3.exe 89 PID 4776 wrote to memory of 5060 4776 V3.exe 89 PID 2120 wrote to memory of 764 2120 SendBugReportNew.exe 90 PID 2120 wrote to memory of 764 2120 SendBugReportNew.exe 90 PID 2120 wrote to memory of 764 2120 SendBugReportNew.exe 90 PID 2120 wrote to memory of 764 2120 SendBugReportNew.exe 90 PID 764 wrote to memory of 4844 764 cmd.exe 99 PID 764 wrote to memory of 4844 764 cmd.exe 99 PID 764 wrote to memory of 4844 764 cmd.exe 99 PID 764 wrote to memory of 4844 764 cmd.exe 99 PID 764 wrote to memory of 4844 764 cmd.exe 99
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2672
-
C:\Windows\SysWOW64\openwith.exe"C:\Windows\system32\openwith.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5060
-
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\SendBugReportNew.exe"C:\Users\Admin\AppData\Local\Temp\SendBugReportNew.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Users\Admin\AppData\Roaming\Javaoraclev4\OHMEDCOQYXCMA\V3.exeC:\Users\Admin\AppData\Roaming\Javaoraclev4\OHMEDCOQYXCMA\V3.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4776
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4844
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD52deb4b8e491de7a2ce29e431f3ead39e
SHA165e63c35be5557758bbdd3b85bfe0d8048aa5139
SHA256a7dac9d2f6b80fdec98192371f7003df6dd23aea12b8bbdfd29135a1044903eb
SHA51201ad9289998c70c9d2f8528aca73b3a9bc86acc12099c0b2e4e129e0df2998d45bbdb0306ccc8ce9bd42e031813b24e40c126eaebd1b10b23ec86f7c70633d92
-
Filesize
1.3MB
MD558717509c1521eacfcc7cda39e6bd45c
SHA15102dc3a82e8a2710ac67521f85f43f5296b5045
SHA256d76d0650b630fdb70756a446e0a43672b5da1c2a74014118b02133923305da9a
SHA512c637c2960b8a0bc111b408af05a0879d9a10f05d802ee7b8b9f115cb54606f76f4475375cecfa9fdb0518be0340b2c5bd23f8fe100dc21db88287a9227c0e69f
-
Filesize
960KB
MD56fd4005525f3029cd0e664e5729f048d
SHA1bcdd6ed97c89c33e24f15cc76ddf6a8db9136218
SHA25620353143a20e7962473b12a4614b0874327c130a309f6d7b15ac5fd7214c2d13
SHA5120cf2a9abc6d92628c226e0d86203532105234be5e0bb519f8a7f564f3c4b5514e6f3a682ec1ee16a61aff34afc2a26110b9e0b8bdfa191ee7c1f7f0a16d9eeb9
-
Filesize
31KB
MD58ade14406162e1acd567b99843aeafb9
SHA176886ab3d6c8c62a9b5fc9d3785b4395e0a75678
SHA256a465457514e861e867729368e650b69861e4c8a3ec547a30e67b3aec77599724
SHA512bde1333a1cd35cb3c24db0055d1f761f966c68ef3a1b7060aa204f07813b0b697c6dc6700736804d05e41be15367493a13e1a9897cc5aa5ef1bc831dc6618905
-
Filesize
1.0MB
MD5c80f3b711d04c486ccdf3740689b3569
SHA1c8724122282a018f8fb9f8775d0615311da4fd70
SHA256a4df6624a65c83002e97d81d96bd85c3b1370129c486bd43cb399e76a6e4d393
SHA512e977a1118b3b94fdac13073e9c60f8e43531cd8f0136f60774fd891175815c3839a316aef496d6e5c3038cc119dd936356b1d01c521e3bc9c1c01f1be998d4b7
-
Filesize
1.9MB
MD59a438a75e68e88cdabc13074a17f8a52
SHA197c94801d37d249ece7ba9aca05703303fd9cf06
SHA256ccccadde7393f1b624cde32b38274e60bbe65b1769d614d129babdaeef9a6715
SHA51219d260505972b96c2e5ae0058a29f61e606e276779a80732dbee70f9223dbff51dcb1f5e4eff19206c300ee08e6060987171f5b83ad87fdd8f797e0e2db529fc
-
Filesize
223KB
MD58aaa3926885b3fa7ae0448f5e700cb79
SHA147bd7d281ddde5ebef8599482212743bf2f7e67b
SHA25647396c301fbe78bfaf9e344936a0f7a4e6d174c096f847e160d822e48012162d
SHA51286d395ca89ec2a988f035ecb32640ddac99247e2568673246388fe310e8c3a44807049e8f3482fae86c453d5e3529a8f2daf8614a1086b6d979e64fd917bbe3a
-
Filesize
423KB
MD5ae36397a23d16920ddfe4dfec24f6b85
SHA149f1edaf5af83457fc10d1e73680b59202057e28
SHA256e36bbdf75e56c4d0562ba5aba9e78d483a6196fe1ec891cc71ef9db5556c9c81
SHA5127642e0509969b1de936f6f30a7a899bceda2dda526759911f2ff47bd32002dc992322d02347d26dfd3eb0594922f068bf9be20bb760ce08a006f64d78781d0c3