Analysis

  • max time kernel
    76s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-08-2024 14:13

General

  • Target
    Installer-master-BlackMythWukong.msi
  • Size
    43.8MB
  • MD5
    4cbea3318f7107adb73e10fd8de96abf
  • SHA1
    c6db50f856e92e5b0fa2f4b3855cbd58aa408fc1
  • SHA256
    395c44cce9624a5750c97c313b5ede45ea36dd623bc71f7d1bf2e4964492dcd4
  • SHA512
    724291101a4859c8e700ff762e48f6e2ded60fed23bfd64be7c438552c885b22d35b693ec03c2d234afe60d9defdc39ada77fedd9d3c881710935aa4e4f9b931
  • SSDEEP
    786432:H8JJ5v6bZ0no3r27KIvSOcaVWfoyI4aEK0Gpqq++mFIjqEKrdLi9VMkryQs:HC5i10noy7KS/RVLCqpP++mF+gLBf

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an information stealer written in C++, first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2952
    • C:\Windows\SysWOW64\openwith.exe
      "C:\Windows\system32\openwith.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3988
  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Installer-master-BlackMythWukong.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1592
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4744
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding FAC6DE93DEF274B4E41760CB3010EEB7
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-97802ab5-ecf4-4ef8-a803-bca1e5aa5cfe\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:3460
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1152
      • C:\Users\Admin\AppData\Local\Temp\MW-97802ab5-ecf4-4ef8-a803-bca1e5aa5cfe\files\visapro.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-97802ab5-ecf4-4ef8-a803-bca1e5aa5cfe\files\visapro.exe"
        3⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4256
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 720
          4⤵
          • Program crash
          PID:2676
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-97802ab5-ecf4-4ef8-a803-bca1e5aa5cfe\files"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3516
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-97802ab5-ecf4-4ef8-a803-bca1e5aa5cfe\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4752
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:832
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4256 -ip 4256
    1⤵
    PID:532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-97802ab5-ecf4-4ef8-a803-bca1e5aa5cfe\files.cab
    Filesize
    43.4MB
    MD5
    9f1ce12a6a16d2755d486fdbd2c0f506
    SHA1
    8082354009566d640b028f1266e0e3bfd2fc333d
    SHA256
    0bd8fb2d6b28c93dcf4c3badffae9041287221a2db276ff872a78221ac1e0f31
    SHA512
    bd8d0308e4504c92f9e59f46bafe90ff278218ad858736e32ade76c9d48ff9db83572d972dbd7f269a2d11913c2b2c0e2b6a2c7f37dc5f27d7be45dc323cdbfb
  • C:\Users\Admin\AppData\Local\Temp\MW-97802ab5-ecf4-4ef8-a803-bca1e5aa5cfe\files\visapro.exe
    Filesize
    49.6MB
    MD5
    53a23a0592e5aab08e0fa996497337f4
    SHA1
    7c843871ef5debb284915c6c7628d96563e3693e
    SHA256
    d3f7809ae8ccc194787198cc370952ab22a9b74bcae1e249f840c18798205bc1
    SHA512
    d21aaae60d62b2c9a1bf52fa4464cefc777ca81e9122aca8989afcf0676f81e39af8f3df405c4cc3b8c68f8a1bcb94adcb60a718f80d63084bb79323f775d321
  • C:\Users\Admin\AppData\Local\Temp\MW-97802ab5-ecf4-4ef8-a803-bca1e5aa5cfe\msiwrapper.ini
    Filesize
    1004B
    MD5
    7a675cf27bb343b98655b7ae27ec5b6c
    SHA1
    f590862dac56c0e05f49aff3cfcb178df638941e
    SHA256
    524dcd3a285f7f4eb622e68a84bf8bcb23c4fea44fc36b99be91c160187f11ac
    SHA512
    8091e3e23ff4918aa7a490f4a906c14f7b95782dbc52f39d60d32c65dd0a23b5c6a3d869aaf9387d50b2448e06034c69dad44f74bb7df08e02a6d09a58443832
  • C:\Users\Admin\AppData\Local\Temp\MW-97802ab5-ecf4-4ef8-a803-bca1e5aa5cfe\msiwrapper.ini
    Filesize
    1KB
    MD5
    e6461c3249b0197b2eba81353ba62b1f
    SHA1
    458ffaa203fcc42524dd8784b99335fc0c720801
    SHA256
    fb80554755798836e14291652746a1c487fdf8a9c71e8a48eaf1026a7f264ea1
    SHA512
    18ed11b948a11cb3cbf7d02f79d3951b6c4d81ad4bcb2884737f97ba713d71eb4e5a145657e83f69eadb60243902cf6f42f67260a69e422197bb371c49f326ea
  • C:\Windows\Installer\MSIC5F.tmp
    Filesize
    208KB
    MD5
    0c8921bbcc37c6efd34faf44cf3b0cb5
    SHA1
    dcfa71246157edcd09eecaf9d4c5e360b24b3e49
    SHA256
    fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
    SHA512
    ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108
  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize
    23.7MB
    MD5
    9c983ddff25d700e41614929507cfc61
    SHA1
    5e98847c9eaf31e37ca150d5df3dcd5d55a31f94
    SHA256
    e6ca26acc06d650bad96a1ba8b13df0907b597630d902b811e69e4cf010cea35
    SHA512
    497e32b762addd8bed80e5256c9b541a208bf92b28fb31520cbaba1e3f7a00aa3bfa662d52453b56a0d228901ea220e3716eac11e5ec095bfa2f35c2bf421cc6
  • \??\Volume{fa35ad82-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c76b2626-6e6e-4703-8162-7f3f2db5e662}_OnDiskSnapshotProp
    Filesize
    6KB
    MD5
    023acc3d20335cdcb73bfd2bdfc1bc1f
    SHA1
    fd3e2496dbe591d2bea793855f54d4a8a80667f2
    SHA256
    0e29dbeb82a8a5b3680081bd24316740da993db19ce12b1eb30bd431f13a7c19
    SHA512
    3504b530ad9591eb1d28dcfe589917c9ce55178262098e0ba4918077191ad526f9e8ff7325f2945a28b901628cbf8f6f6f63284c4e687b699fb0e31efbcb29af
  • memory/3988-75-0x0000000000640000-0x0000000000649000-memory.dmp
    Filesize
    36KB
  • memory/3988-77-0x0000000002260000-0x0000000002660000-memory.dmp
    Filesize
    4.0MB
  • memory/3988-80-0x0000000077070000-0x0000000077285000-memory.dmp
    Filesize
    2.1MB
  • memory/3988-78-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp
    Filesize
    2.0MB
  • memory/4256-70-0x00000000035B0000-0x00000000039B0000-memory.dmp
    Filesize
    4.0MB
  • memory/4256-71-0x00000000035B0000-0x00000000039B0000-memory.dmp
    Filesize
    4.0MB
  • memory/4256-72-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp
    Filesize
    2.0MB
  • memory/4256-74-0x0000000077070000-0x0000000077285000-memory.dmp
    Filesize
    2.1MB