Malware Analysis Report

2024-11-13 13:53

Sample ID 240915-pv7tlsvdmr
Target 699b82c9536a8f8718d686cd4b13027f.exe
SHA256 f6289c816a6e59b7eabd07f97a32ac92f98ba35408a1408897c0271570dd16e2
Tags rhadamanthys discovery evasion execution persistence stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

f6289c816a6e59b7eabd07f97a32ac92f98ba35408a1408897c0271570dd16e2

Threat Level: Known bad

The file 699b82c9536a8f8718d686cd4b13027f.exe was found to be: Known bad.

Malicious Activity Summary

rhadamanthys discovery evasion execution persistence stealer

Rhadamanthys family

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Creates new service(s)

Command and Scripting Interpreter: PowerShell

Stops running service(s)

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-15 12:40

Signatures

Rhadamanthys family

rhadamanthys

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-09-15 12:40

Reported

2024-09-15 12:42

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 264 created 1132 | N/A | C:\Users\Admin\AppData\Roaming\sdfgt.exe | C:\Windows\Explorer.EXE

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\sdfgt.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\withrobot.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Roaming\withrobot.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\sdfgt.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\withrobot.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2196 wrote to memory of 264 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe | C:\Users\Admin\AppData\Roaming\sdfgt.exe
PID 2196 wrote to memory of 3032 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe | C:\Users\Admin\AppData\Roaming\withrobot.exe
PID 264 wrote to memory of 2804 (6 events) | N/A | C:\Users\Admin\AppData\Roaming\sdfgt.exe | C:\Windows\SysWOW64\dialer.exe
PID 2932 wrote to memory of 2440 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wusa.exe

Processes

Process | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe | "C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe"
C:\Users\Admin\AppData\Roaming\sdfgt.exe | "C:\Users\Admin\AppData\Roaming\sdfgt.exe"
C:\Users\Admin\AppData\Roaming\withrobot.exe | "C:\Users\Admin\AppData\Roaming\withrobot.exe"
C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "RuntimeBroker"
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "RuntimeBroker" binpath= "C:\ProgramData\RuntimeBroker.exe" start= "auto"
C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart

Network

N/A

Files

memory/2196-9-0x00000000038A0000-0x000000000391E000-memory.dmp

memory/264-12-0x0000000001290000-0x000000000130E000-memory.dmp

C:\Users\Admin\AppData\Roaming\sdfgt.exe

MD5 b8bf5beebfa1cf685e813973902bdf25
SHA1 55ca38cfb317da1926f39fa82ceb6c5b9a43b0b0
SHA256 741b85f17765f4f17c342195642a39a34c8274c01e436b97b4e9294538310fd4
SHA512 bef7e644150163450a8fdb1dce5123bab73942794a6b247c93a09b5e7e30d6f18c35607466ced2a6cb56a66cc5ffa3595e8e77d6e09a22eeb492eddd7729fc6f

memory/2196-10-0x00000000038A0000-0x000000000391E000-memory.dmp

\Users\Admin\AppData\Roaming\withrobot.exe

MD5 02071fe1b9c8d6ade8dafa0a71600503
SHA1 5b547e72386e43c291bceea5b7d0e8f51469cd3c
SHA256 00c32e90c14f9c866a30256c8499e753397c7385e4a3fbcdc86515b9ee563faf
SHA512 1c4b1c1cb788f08dea954b795d4e0bbd7c028aa5655ce23af805243d06d1c96ef687b0788343182c1d0307e9c76088e4d53e4506e5a4f8d1707001e6549b487a

memory/264-25-0x0000000000760000-0x0000000000B60000-memory.dmp

memory/264-27-0x0000000076E10000-0x0000000076F20000-memory.dmp

memory/264-28-0x0000000076DC0000-0x0000000076E07000-memory.dmp

memory/2804-32-0x0000000001DE0000-0x00000000021E0000-memory.dmp

memory/264-26-0x00000000775E0000-0x0000000077789000-memory.dmp

memory/264-30-0x0000000001290000-0x000000000130E000-memory.dmp

memory/2804-29-0x0000000000080000-0x0000000000089000-memory.dmp

memory/2804-35-0x0000000076DC0000-0x0000000076E07000-memory.dmp

memory/2804-33-0x00000000775E0000-0x0000000077789000-memory.dmp

memory/264-24-0x0000000000760000-0x0000000000B60000-memory.dmp

memory/3032-38-0x0000000077790000-0x0000000077792000-memory.dmp

memory/3032-36-0x0000000077790000-0x0000000077792000-memory.dmp

memory/3032-40-0x0000000077790000-0x0000000077792000-memory.dmp

memory/3032-41-0x000000013F240000-0x0000000140E98000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2680-48-0x000000001B5B0000-0x000000001B892000-memory.dmp

memory/2680-49-0x0000000001E50000-0x0000000001E58000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-15 12:40

Reported

2024-09-15 12:42

Platform

win10v2004-20240910-en

Max time kernel

94s

Max time network

123s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 208 created 2540 | N/A | C:\Users\Admin\AppData\Roaming\sdfgt.exe | C:\Windows\system32\sihost.exe

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\sdfgt.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\withrobot.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Roaming\withrobot.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\sdfgt.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\withrobot.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2204 wrote to memory of 208 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe | C:\Users\Admin\AppData\Roaming\sdfgt.exe
PID 2204 wrote to memory of 716 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe | C:\Users\Admin\AppData\Roaming\withrobot.exe
PID 208 wrote to memory of 336 (5 events) | N/A | C:\Users\Admin\AppData\Roaming\sdfgt.exe | C:\Windows\SysWOW64\openwith.exe
PID 860 wrote to memory of 4040 (2 events) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wusa.exe

Processes

Process | Command line
C:\Windows\system32\sihost.exe | sihost.exe
C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe | "C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe"
C:\Users\Admin\AppData\Roaming\sdfgt.exe | "C:\Users\Admin\AppData\Roaming\sdfgt.exe"
C:\Users\Admin\AppData\Roaming\withrobot.exe | "C:\Users\Admin\AppData\Roaming\withrobot.exe"
C:\Windows\SysWOW64\openwith.exe | "C:\Windows\system32\openwith.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "RuntimeBroker"
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "RuntimeBroker" binpath= "C:\ProgramData\RuntimeBroker.exe" start= "auto"
C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\sdfgt.exe

MD5 b8bf5beebfa1cf685e813973902bdf25
SHA1 55ca38cfb317da1926f39fa82ceb6c5b9a43b0b0
SHA256 741b85f17765f4f17c342195642a39a34c8274c01e436b97b4e9294538310fd4
SHA512 bef7e644150163450a8fdb1dce5123bab73942794a6b247c93a09b5e7e30d6f18c35607466ced2a6cb56a66cc5ffa3595e8e77d6e09a22eeb492eddd7729fc6f

memory/208-60-0x0000000000040000-0x00000000000BE000-memory.dmp

C:\Users\Admin\AppData\Roaming\withrobot.exe

MD5 02071fe1b9c8d6ade8dafa0a71600503
SHA1 5b547e72386e43c291bceea5b7d0e8f51469cd3c
SHA256 00c32e90c14f9c866a30256c8499e753397c7385e4a3fbcdc86515b9ee563faf
SHA512 1c4b1c1cb788f08dea954b795d4e0bbd7c028aa5655ce23af805243d06d1c96ef687b0788343182c1d0307e9c76088e4d53e4506e5a4f8d1707001e6549b487a

memory/208-122-0x0000000003D90000-0x0000000004190000-memory.dmp

memory/208-125-0x0000000003D90000-0x0000000004190000-memory.dmp

memory/208-124-0x00007FFEA9790000-0x00007FFEA9985000-memory.dmp

memory/336-128-0x0000000000D60000-0x0000000000D69000-memory.dmp

memory/208-129-0x0000000000040000-0x00000000000BE000-memory.dmp

memory/208-127-0x00000000767C0000-0x00000000769D5000-memory.dmp

memory/336-132-0x00007FFEA9790000-0x00007FFEA9985000-memory.dmp

memory/336-131-0x0000000002DC0000-0x00000000031C0000-memory.dmp

memory/336-134-0x00000000767C0000-0x00000000769D5000-memory.dmp

memory/208-123-0x0000000003D90000-0x0000000004190000-memory.dmp

memory/716-135-0x00007FF775949000-0x00007FF775FE3000-memory.dmp

memory/716-136-0x00007FFEA9990000-0x00007FFEA9992000-memory.dmp

memory/716-137-0x00007FF775260000-0x00007FF776EB8000-memory.dmp

memory/716-139-0x00007FF775949000-0x00007FF775FE3000-memory.dmp

memory/1232-140-0x00000214221F0000-0x0000021422212000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_imrakmjl.lde.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/716-153-0x00007FF775949000-0x00007FF775FE3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-15 12:40

Reported

2024-09-15 12:40

Platform

win7-20240903-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-15 12:40

Reported

2024-09-15 12:40

Platform

win10v2004-20240802-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-09-15 12:40

Reported

2024-09-15 12:40

Platform

win7-20240903-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-09-15 12:40

Reported

2024-09-15 12:40

Platform

win10v2004-20240802-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A