Analysis
max time kernel: 93s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-09-2024 16:06
Static task: static1
Behavioral task: behavioral1
  Sample: SetLoader.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: SetLoader.exe
  Resource: win10v2004-20240802-en
General
Target: SetLoader.exe
Size: 35.9MB
MD5: eb142f56ed73c4cce280fc3f3493429a
SHA1: e1ce2464864482703abded9cbed4aaabc638a113
SHA256: 054364f58a17ec336ad19906082bb054b565f38de455d89f51ed02e290c75a72
SHA512: 75c97a01fe3963939233214093c419fdc3fc561e35e8884ee221e4dced3bab1baa9c4ed2fec6a95517de794728df1eef0e533357b16b719480aa7692910779c2
SSDEEP: 393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfd:fMguj8Q4VfvPqFTrYC
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
    description              pid   process     target process
    PID 3376 created 2920    3376  module.exe  sihost.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    3376  module.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                          process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  module.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  openwith.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid   process
    3376  module.exe
    3376  module.exe
    3376  module.exe
    3376  module.exe
    2904  openwith.exe
    2904  openwith.exe
    2904  openwith.exe
    2904  openwith.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description                        pid   process        target process
    PID 5004 wrote to memory of 3992   5004  SetLoader.exe  cmd.exe
    PID 5004 wrote to memory of 3992   5004  SetLoader.exe  cmd.exe
    PID 3992 wrote to memory of 3376   3992  cmd.exe        module.exe
    PID 3992 wrote to memory of 3376   3992  cmd.exe        module.exe
    PID 3992 wrote to memory of 3376   3992  cmd.exe        module.exe
    PID 3376 wrote to memory of 2904   3376  module.exe     openwith.exe
    PID 3376 wrote to memory of 2904   3376  module.exe     openwith.exe
    PID 3376 wrote to memory of 2904   3376  module.exe     openwith.exe
    PID 3376 wrote to memory of 2904   3376  module.exe     openwith.exe
    PID 3376 wrote to memory of 2904   3376  module.exe     openwith.exe
Processes
C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2920
    C:\Windows\SysWOW64\openwith.exe
      Command line: "C:\Windows\system32\openwith.exe"
      PID: 2904
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\SetLoader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SetLoader.exe"
  PID: 5004
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\module.exe"
      PID: 3992
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\module.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\module.exe
          PID: 3376
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5.1MB
MD5: 850903be8fe94bf6b270c2188af82cca
SHA1: e0469de46b7ced7b4de11157d0eff8719ba3dc70
SHA256: 5e69b0dd5a6cea4b9d9790a0d63e9e25417c6d602f004f5540c951585b15cbec
SHA512: 5d430c21dab1427400f5750f788076e76fe1d45fd5b79f792ad2cbcf916787312f37d596bc70e4d1d16f01a39275798513beaf8741bc864e113cb4a39d44ee1e