Analysis
max time kernel: 136s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-08-2024 21:10
Static task: static1
Behavioral task: behavioral1
  Sample: Portable.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: Portable.exe
  Resource: win10v2004-20240802-en
General
Target: Portable.exe
Size: 47.5MB
MD5: 7914276bc13829ece91fb33f038a2344
SHA1: e849ac762ff282d46966ba651bb1a50b570dac43
SHA256: 7c4e153855d42e10e3635b40f6471246624a3492a4c07170443a7fa9131eac33
SHA512: 184a6831dd66c7fe4444c5515dd702bab3cf3743fec7d2953f3f5d5387f18a5a3915290013500d74076d61b45817dc5c9b806598e13971c5f71596c5a8496002
SSDEEP: 786432:uCDyg3W4TaEhG4fsl6ny34lzK/szLPlwXu4Sk/f9VJxVNeKtmUVQ8E+5M5+bwMzk:uCWcaEhG4fsEnyIE/2LqXOk/f9VdIEm/
Malware Config
Extracted
Family: rhadamanthys
C2: https://185.161.251.6:5545/03a8d04906e4d03e0d308acd/homicide
Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description              pid   Process       procid_target
PID 4468 created 2808    4468  Portable.exe  50

Program crash (1 IoC)
pid   pid_target  Process       procid_target
2884  4468        WerFault.exe  83
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Portable.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  openwith.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
4468  Portable.exe
4468  Portable.exe
1760  openwith.exe
1760  openwith.exe
1760  openwith.exe
1760  openwith.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description                        pid   Process       procid_target
PID 4468 wrote to memory of 1760   4468  Portable.exe  96
PID 4468 wrote to memory of 1760   4468  Portable.exe  96
PID 4468 wrote to memory of 1760   4468  Portable.exe  96
PID 4468 wrote to memory of 1760   4468  Portable.exe  96
PID 4468 wrote to memory of 1760   4468  Portable.exe  96
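Taken together, the NtCreateUserProcessOtherParentProcess and WriteProcessMemory signatures are the outside view of a parent-spoof-then-inject chain: Portable.exe (4468) creates openwith.exe (1760), the child is attached to sihost.exe (2808) in the process tree rather than to Portable.exe, and Portable.exe then writes into the child five times. The rules below are an added example, not code from the sandbox or from this report. They assume an event feed that records, for each process creation, both the PID that issued the create call and the parent PID the child is attached to (a kernel process-creation callback or ETW process-start source; Sysmon Event 1 reports only the declared parent), and they run over events constructed here from the report's PIDs. Explorer as PID 1000, the benign parent of Portable.exe, and a second writer PID 2808 as a negative case are assumptions, not values from the report.

```python
"""Correlate parent-PID spoofing with a follow-up cross-process write.

Added example, not part of the sandbox report.  The event shapes are an
assumption: a feed that records, for every process creation, both the PID
that issued the create call (creator_pid) and the parent PID the child is
attached to (parent_pid), plus cross-process memory writes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    image: str
    parent_pid: int   # parent recorded in the process tree (what the child reports)
    creator_pid: int  # PID that actually issued the create call


@dataclass(frozen=True)
class MemoryWrite:
    writer_pid: int
    target_pid: int


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def detect_ppid_spoofing(creates):
    """Rule 1: the creating process is not the parent the child is attached to.

    This mismatch is what a spoofed-parent create (e.g. via the
    PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute) looks like from outside:
    the child hangs off a chosen parent in the tree, not off its creator.
    """
    return [
        Finding("ppid_spoofing", ev.pid,
                f"pid {ev.pid} ({ev.image}) created by {ev.creator_pid} "
                f"but attached to parent {ev.parent_pid}")
        for ev in creates
        if ev.creator_pid != ev.parent_pid
    ]


def detect_write_into_spoofed_child(creates, writes):
    """Rule 2: the real creator then writes into the child it disowned.

    Repeated writes on one (writer, target) pair collapse into a single
    finding, as the five identical WriteProcessMemory rows above would.
    A write by any process other than the creator does not match.
    """
    spoofed = {ev.pid: ev for ev in creates if ev.creator_pid != ev.parent_pid}
    seen = set()
    findings = []
    for w in writes:
        child = spoofed.get(w.target_pid)
        if child is None or w.writer_pid != child.creator_pid:
            continue
        if (w.writer_pid, w.target_pid) in seen:
            continue
        seen.add((w.writer_pid, w.target_pid))
        findings.append(Finding(
            "write_into_spoofed_child", w.target_pid,
            f"pid {w.writer_pid} wrote into {w.target_pid} ({child.image}), "
            f"which it created under spoofed parent {child.parent_pid}"))
    return findings


# Constructed sample events modelled on the report.  PID 1000 (explorer) as
# the benign parent of Portable.exe is an assumption; the report does not
# record it.  The write by sihost.exe (2808) is a constructed negative case.
SAMPLE_CREATES = [
    ProcessCreate(pid=4468, image="Portable.exe", parent_pid=1000, creator_pid=1000),
    ProcessCreate(pid=1760, image="openwith.exe", parent_pid=2808, creator_pid=4468),
    ProcessCreate(pid=2884, image="WerFault.exe", parent_pid=4468, creator_pid=4468),
]
SAMPLE_WRITES = (
    [MemoryWrite(writer_pid=4468, target_pid=1760) for _ in range(5)]  # five IoC rows
    + [MemoryWrite(writer_pid=2808, target_pid=1760)]                   # should not match
)


def run_detections(creates=SAMPLE_CREATES, writes=SAMPLE_WRITES):
    """Run both rules and return the findings in rule order."""
    return detect_ppid_spoofing(creates) + detect_write_into_spoofed_child(creates, writes)


if __name__ == "__main__":
    for f in run_detections():
        print(f"[{f.rule}] {f.detail}")
```

Rule 1 alone fires on any tool that sets an explicit parent (some installers and UAC flows do), so on a real feed it is the pairing with rule 2, a write from the true creator into the disowned child, that carries the weight.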
Processes

C:\Windows\system32\sihost.exe    sihost.exe    PID: 2808
  C:\Windows\SysWOW64\openwith.exe    "C:\Windows\system32\openwith.exe"    PID: 1760
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\Portable.exe    "C:\Users\Admin\AppData\Local\Temp\Portable.exe"    PID: 4468
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WerFault.exe    C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 664    PID: 2884
    - Program crash

C:\Windows\SysWOW64\WerFault.exe    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4468 -ip 4468    PID: 1808

C:\Windows\System32\rundll32.exe    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding    PID: 2776