Analysis

  • max time kernel
    93s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-09-2024 07:29

General

  • Target

    ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe

  • Size

    3.9MB

  • MD5

    46cf6b1946429c912fe569ce4b5e8a10

  • SHA1

    d7e0240a1a4d021800ccc9ace9fdb310ffa63052

  • SHA256

    ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a

  • SHA512

    29a1f0c35f6d8beaa3941c120d01b255933edc7b4b7c6f21267ce19d2678ee868ade3e2c1e476704a22acfc0a13b627c755ad474eb960a17cd7725665adeeacf

  • SSDEEP

    98304:sfUbmfIe1hxCTvblT3gbG3WfaWLUMxSZNOWfhL:sfUyzSTBgyGslhL

Malware Config

Extracted

Family

rhadamanthys

C2

https://89.117.152.231:443/e0bd9c1f4515facb49/gj28n35o.2n73x

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2664
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4424
    • C:\Users\Admin\AppData\Local\Temp\ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe
      "C:\Users\Admin\AppData\Local\Temp\ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Windows\Temp\{28063A81-DF73-4141-B668-DCF7B10FCACF}\.cr\ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe
        "C:\Windows\Temp\{28063A81-DF73-4141-B668-DCF7B10FCACF}\.cr\ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3896
        • C:\Windows\Temp\{1356800F-6F78-4605-BFD0-5A1F47C65107}\.ba\pythonw.exe
          "C:\Windows\Temp\{1356800F-6F78-4605-BFD0-5A1F47C65107}\.ba\pythonw.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2368
          • C:\Users\Admin\AppData\Roaming\vkb_wordpad_v2\pythonw.exe
            C:\Users\Admin\AppData\Roaming\vkb_wordpad_v2\pythonw.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:3616
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\SysWOW64\cmd.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:3868
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                6⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:684

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bfc6c227

      Filesize

      1.1MB

      MD5

      4d73e800509a4a8df0e4d9ad66555f0d

      SHA1

      ba76a16f79dcc097320b486a6fbb198aa21f1a79

      SHA256

      7c89585237bd72df910fc07354f941dd36a9a2163120f4ff8cd8f75189a72287

      SHA512

      54fcbd3bbc349a4d3197ef4956a016d579648927885820e6e6879ebc114aea4f1c76101a0021284d65dba259a03b4e10860c268e22c189d039bda933799c2127

    • C:\Windows\Temp\{1356800F-6F78-4605-BFD0-5A1F47C65107}\.ba\Jetsam.dll

      Filesize

      1.1MB

      MD5

      75b33115ef399463ee76b3421add1ea1

      SHA1

      1661b9acf1da0aca0c53fee71e5b2394c7c3320d

      SHA256

      97b3113d73a62755cd99fac73eadb311d1204e6ec1034a85a585955e202e1132

      SHA512

      fe86854113de67844fd92904ec8d9468f031ea40bbfd38df79d63ce53bc6e95a0ab5f444b4b85cd9a3c2ac264552366ef7148a8b30a09e8c1b95eb949061ddfc

    • C:\Windows\Temp\{1356800F-6F78-4605-BFD0-5A1F47C65107}\.ba\dvanamu

      Filesize

      953KB

      MD5

      e238ccd9fd17fb0007b0b033fcfdad41

      SHA1

      67f3a4e518be8cc306242f584197deac8cf12534

      SHA256

      e6275bb0a6bb6fe4eb16d10dc91494535577689d68ff9301ef8471a4277dc552

      SHA512

      fa439bcbb6956bba23cd702167ea2981dc63d7da1287b64ae8fa39606c1ade752a7e04377325d93a2b76e9c7bf4804e5c739a184fef7e906bcd98f8160436d5c

    • C:\Windows\Temp\{1356800F-6F78-4605-BFD0-5A1F47C65107}\.ba\python310.dll

      Filesize

      4.3MB

      MD5

      c67e805577c808d1b2e63bcc875a6e0c

      SHA1

      04405071881e4d7b9dae6a8e4f5cb94a69354ecd

      SHA256

      c1d822a1cd0d204d782d5d5627875608a5acb2008fbfd2346af4f63243e87a40

      SHA512

      c17febfe45642bb125b1a80a9e2447b25152ce32034b46d1e8dfa74396e51e3c83fb3f844a3814138b308131292884a104afbc5a2262816bd682d6beca142599

    • C:\Windows\Temp\{1356800F-6F78-4605-BFD0-5A1F47C65107}\.ba\pythonw.exe

      Filesize

      94KB

      MD5

      9a4cc0d8e7007f7ef20ca585324e0739

      SHA1

      f3e5a2e477cac4bab85940a2158eed78f2d74441

      SHA256

      040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

      SHA512

      54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

    • C:\Windows\Temp\{1356800F-6F78-4605-BFD0-5A1F47C65107}\.ba\tdn

      Filesize

      83KB

      MD5

      8ca8f54b226bfcfa9c2c965c25247a45

      SHA1

      cb7950efc08e1bc279afb92a8a2173782f34deea

      SHA256

      a9ccf11b8f6bcedff1b7d4eea4d4b2122f7e5ecac119617d0596b92c4ed5aeeb

      SHA512

      d386e769d2a00b3344574e6a251c360d3ec8aa6d7747be19e34deeb57fcb440b24c4fe8b3c0fdc84c99fa4c6e32eb87f4d06ee756fc4e578ca1c9fc32a2e2dbe

    • C:\Windows\Temp\{1356800F-6F78-4605-BFD0-5A1F47C65107}\.ba\vcruntime140.dll

      Filesize

      106KB

      MD5

      49c96cecda5c6c660a107d378fdfc3d4

      SHA1

      00149b7a66723e3f0310f139489fe172f818ca8e

      SHA256

      69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

      SHA512

      e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

    • C:\Windows\Temp\{28063A81-DF73-4141-B668-DCF7B10FCACF}\.cr\ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe

      Filesize

      3.9MB

      MD5

      46cf6b1946429c912fe569ce4b5e8a10

      SHA1

      d7e0240a1a4d021800ccc9ace9fdb310ffa63052

      SHA256

      ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a

      SHA512

      29a1f0c35f6d8beaa3941c120d01b255933edc7b4b7c6f21267ce19d2678ee868ade3e2c1e476704a22acfc0a13b627c755ad474eb960a17cd7725665adeeacf

    • memory/684-52-0x0000000075BF0000-0x0000000075E05000-memory.dmp

      Filesize

      2.1MB

    • memory/684-46-0x0000000000BD0000-0x0000000000C50000-memory.dmp

      Filesize

      512KB

    • memory/684-55-0x0000000000BD0000-0x0000000000C50000-memory.dmp

      Filesize

      512KB

    • memory/684-49-0x0000000004000000-0x0000000004400000-memory.dmp

      Filesize

      4.0MB

    • memory/684-48-0x0000000004000000-0x0000000004400000-memory.dmp

      Filesize

      4.0MB

    • memory/684-44-0x0000000000BD0000-0x0000000000C50000-memory.dmp

      Filesize

      512KB

    • memory/684-45-0x00007FFACEFB0000-0x00007FFACF1A5000-memory.dmp

      Filesize

      2.0MB

    • memory/2368-22-0x00007FFAC0020000-0x00007FFAC0192000-memory.dmp

      Filesize

      1.4MB

    • memory/3616-38-0x00007FFAC0020000-0x00007FFAC0192000-memory.dmp

      Filesize

      1.4MB

    • memory/3616-37-0x00007FFAC0020000-0x00007FFAC0192000-memory.dmp

      Filesize

      1.4MB

    • memory/3868-42-0x0000000074F10000-0x000000007508B000-memory.dmp

      Filesize

      1.5MB

    • memory/3868-41-0x00007FFACEFB0000-0x00007FFACF1A5000-memory.dmp

      Filesize

      2.0MB

    • memory/4424-53-0x0000000000F30000-0x0000000000F39000-memory.dmp

      Filesize

      36KB

    • memory/4424-57-0x0000000002D60000-0x0000000003160000-memory.dmp

      Filesize

      4.0MB

    • memory/4424-58-0x00007FFACEFB0000-0x00007FFACF1A5000-memory.dmp

      Filesize

      2.0MB

    • memory/4424-60-0x0000000075BF0000-0x0000000075E05000-memory.dmp

      Filesize

      2.1MB