Malware Analysis Report

2024-11-13 13:53

Sample ID 240915-xrhpbaybla
Target 699b82c9536a8f8718d686cd4b13027f.exe
SHA256 f6289c816a6e59b7eabd07f97a32ac92f98ba35408a1408897c0271570dd16e2
Tags
rhadamanthys discovery evasion execution persistence stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview, Signatures
Analysis: behavioral3
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral5
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral6
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
  Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

f6289c816a6e59b7eabd07f97a32ac92f98ba35408a1408897c0271570dd16e2

Threat Level: Known bad

The file 699b82c9536a8f8718d686cd4b13027f.exe was found to be: Known bad.

Malicious Activity Summary

rhadamanthys discovery evasion execution persistence stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Rhadamanthys family

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Stops running service(s)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-15 19:05

Signatures

Rhadamanthys family

rhadamanthys

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-15 19:05

Reported

2024-09-15 19:05

Platform

win7-20240903-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-15 19:05

Reported

2024-09-15 19:05

Platform

win10v2004-20240802-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-09-15 19:05

Reported

2024-09-15 19:05

Platform

win7-20240708-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-09-15 19:05

Reported

2024-09-15 19:05

Platform

win10v2004-20240802-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-15 19:05

Reported

2024-09-15 19:07

Platform

win7-20240704-en

Max time kernel

121s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1240 created 1188 N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe C:\Windows\Explorer.EXE

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\withrobot.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\withrobot.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dialer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\sdfgt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\withrobot.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe C:\Users\Admin\AppData\Roaming\sdfgt.exe
PID 1976 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe C:\Users\Admin\AppData\Roaming\sdfgt.exe
PID 1976 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe C:\Users\Admin\AppData\Roaming\sdfgt.exe
PID 1976 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe C:\Users\Admin\AppData\Roaming\sdfgt.exe
PID 1976 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe C:\Users\Admin\AppData\Roaming\withrobot.exe
PID 1976 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe C:\Users\Admin\AppData\Roaming\withrobot.exe
PID 1976 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe C:\Users\Admin\AppData\Roaming\withrobot.exe
PID 1976 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe C:\Users\Admin\AppData\Roaming\withrobot.exe
PID 1240 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe C:\Windows\SysWOW64\dialer.exe
PID 1240 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe C:\Windows\SysWOW64\dialer.exe
PID 1240 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe C:\Windows\SysWOW64\dialer.exe
PID 1240 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe C:\Windows\SysWOW64\dialer.exe
PID 1240 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe C:\Windows\SysWOW64\dialer.exe
PID 1240 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe C:\Windows\SysWOW64\dialer.exe
PID 1736 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 1736 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 1736 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe

"C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe"

C:\Users\Admin\AppData\Roaming\sdfgt.exe

"C:\Users\Admin\AppData\Roaming\sdfgt.exe"

C:\Users\Admin\AppData\Roaming\withrobot.exe

"C:\Users\Admin\AppData\Roaming\withrobot.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "RuntimeBroker"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "RuntimeBroker" binpath= "C:\ProgramData\RuntimeBroker.exe" start= "auto"

Network

N/A

Files

\Users\Admin\AppData\Roaming\sdfgt.exe

MD5 b8bf5beebfa1cf685e813973902bdf25
SHA1 55ca38cfb317da1926f39fa82ceb6c5b9a43b0b0
SHA256 741b85f17765f4f17c342195642a39a34c8274c01e436b97b4e9294538310fd4
SHA512 bef7e644150163450a8fdb1dce5123bab73942794a6b247c93a09b5e7e30d6f18c35607466ced2a6cb56a66cc5ffa3595e8e77d6e09a22eeb492eddd7729fc6f

memory/1976-10-0x00000000039C0000-0x0000000003A3E000-memory.dmp

memory/1976-9-0x00000000039C0000-0x0000000003A3E000-memory.dmp

memory/1240-12-0x0000000000810000-0x000000000088E000-memory.dmp

\Users\Admin\AppData\Roaming\withrobot.exe

MD5 02071fe1b9c8d6ade8dafa0a71600503
SHA1 5b547e72386e43c291bceea5b7d0e8f51469cd3c
SHA256 00c32e90c14f9c866a30256c8499e753397c7385e4a3fbcdc86515b9ee563faf
SHA512 1c4b1c1cb788f08dea954b795d4e0bbd7c028aa5655ce23af805243d06d1c96ef687b0788343182c1d0307e9c76088e4d53e4506e5a4f8d1707001e6549b487a

memory/1240-23-0x0000000002EA0000-0x00000000032A0000-memory.dmp

memory/1240-30-0x0000000000810000-0x000000000088E000-memory.dmp

memory/2876-29-0x0000000000080000-0x0000000000089000-memory.dmp

memory/2876-35-0x00000000768F0000-0x0000000076937000-memory.dmp

memory/2876-33-0x0000000077A80000-0x0000000077C29000-memory.dmp

memory/2876-32-0x0000000001CC0000-0x00000000020C0000-memory.dmp

memory/1240-28-0x00000000768F0000-0x0000000076937000-memory.dmp

memory/1240-27-0x0000000077310000-0x0000000077420000-memory.dmp

memory/1240-26-0x0000000077A80000-0x0000000077C29000-memory.dmp

memory/1240-24-0x0000000002EA0000-0x00000000032A0000-memory.dmp

memory/3020-38-0x0000000077C30000-0x0000000077C32000-memory.dmp

memory/3020-36-0x0000000077C30000-0x0000000077C32000-memory.dmp

memory/3020-40-0x0000000077C30000-0x0000000077C32000-memory.dmp

memory/3020-41-0x000000013FEE0000-0x0000000141B38000-memory.dmp

memory/2776-47-0x000000001B430000-0x000000001B712000-memory.dmp

memory/2776-48-0x0000000002750000-0x0000000002758000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-15 19:05

Reported

2024-09-15 19:07

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

94s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1796 created 2508 N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe C:\Windows\system32\sihost.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\withrobot.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\withrobot.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\sdfgt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\openwith.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\withrobot.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4264 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe C:\Users\Admin\AppData\Roaming\sdfgt.exe
PID 4264 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe C:\Users\Admin\AppData\Roaming\sdfgt.exe
PID 4264 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe C:\Users\Admin\AppData\Roaming\sdfgt.exe
PID 4264 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe C:\Users\Admin\AppData\Roaming\withrobot.exe
PID 4264 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe C:\Users\Admin\AppData\Roaming\withrobot.exe
PID 1796 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe C:\Windows\SysWOW64\openwith.exe
PID 1796 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe C:\Windows\SysWOW64\openwith.exe
PID 1796 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe C:\Windows\SysWOW64\openwith.exe
PID 1796 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe C:\Windows\SysWOW64\openwith.exe
PID 1796 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Roaming\sdfgt.exe C:\Windows\SysWOW64\openwith.exe
PID 736 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 736 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe

"C:\Users\Admin\AppData\Local\Temp\699b82c9536a8f8718d686cd4b13027f.exe"

C:\Users\Admin\AppData\Roaming\sdfgt.exe

"C:\Users\Admin\AppData\Roaming\sdfgt.exe"

C:\Users\Admin\AppData\Roaming\withrobot.exe

"C:\Users\Admin\AppData\Roaming\withrobot.exe"

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "RuntimeBroker"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "RuntimeBroker" binpath= "C:\ProgramData\RuntimeBroker.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\sdfgt.exe

MD5 b8bf5beebfa1cf685e813973902bdf25
SHA1 55ca38cfb317da1926f39fa82ceb6c5b9a43b0b0
SHA256 741b85f17765f4f17c342195642a39a34c8274c01e436b97b4e9294538310fd4
SHA512 bef7e644150163450a8fdb1dce5123bab73942794a6b247c93a09b5e7e30d6f18c35607466ced2a6cb56a66cc5ffa3595e8e77d6e09a22eeb492eddd7729fc6f

memory/1796-60-0x0000000000730000-0x00000000007AE000-memory.dmp

C:\Users\Admin\AppData\Roaming\withrobot.exe

MD5 02071fe1b9c8d6ade8dafa0a71600503
SHA1 5b547e72386e43c291bceea5b7d0e8f51469cd3c
SHA256 00c32e90c14f9c866a30256c8499e753397c7385e4a3fbcdc86515b9ee563faf
SHA512 1c4b1c1cb788f08dea954b795d4e0bbd7c028aa5655ce23af805243d06d1c96ef687b0788343182c1d0307e9c76088e4d53e4506e5a4f8d1707001e6549b487a

memory/1796-122-0x0000000003C50000-0x0000000004050000-memory.dmp

memory/1796-124-0x0000000003C50000-0x0000000004050000-memory.dmp

memory/1796-123-0x0000000003C50000-0x0000000004050000-memory.dmp

memory/5060-129-0x0000000000980000-0x0000000000989000-memory.dmp

memory/1796-128-0x0000000076FE0000-0x00000000771F5000-memory.dmp

memory/1796-125-0x00007FFF60E30000-0x00007FFF61025000-memory.dmp

memory/1796-126-0x0000000003C50000-0x0000000004050000-memory.dmp

memory/1796-133-0x0000000000730000-0x00000000007AE000-memory.dmp

memory/1472-132-0x00007FF682409000-0x00007FF682AA3000-memory.dmp

memory/5060-134-0x00007FFF60E30000-0x00007FFF61025000-memory.dmp

memory/5060-131-0x0000000002680000-0x0000000002A80000-memory.dmp

memory/1472-137-0x00007FFF61030000-0x00007FFF61032000-memory.dmp

memory/5060-136-0x0000000076FE0000-0x00000000771F5000-memory.dmp

memory/1472-138-0x00007FF681D20000-0x00007FF683978000-memory.dmp

memory/1472-140-0x00007FF682409000-0x00007FF682AA3000-memory.dmp

memory/4504-141-0x00000179484C0000-0x00000179484E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fxonnh0t.vi5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1472-154-0x00007FF682409000-0x00007FF682AA3000-memory.dmp