Malware Analysis Report

2024-11-15 06:02

Sample ID 240926-tfh9xsyepa
Target launcher.exe
SHA256 0777bba437bc66725d3e00f17810a1dee973fef63808d3d14aa046503a5589a6
Tags
rhadamanthys discovery execution stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0777bba437bc66725d3e00f17810a1dee973fef63808d3d14aa046503a5589a6

Threat Level: Known bad

The file launcher.exe was found to be: Known bad.

Malicious Activity Summary

rhadamanthys discovery execution stealer

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-26 16:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-26 15:59

Reported

2024-09-26 16:00

Platform

win11-20240802-en

Max time kernel

10s

Max time network

10s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1844 created 3028 N/A C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe C:\Windows\system32\sihost.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\openwith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4524 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Windows\system32\cmd.exe
PID 4524 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Windows\system32\cmd.exe
PID 840 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Windows\system32\cmd.exe
PID 4524 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Windows\system32\cmd.exe
PID 3420 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe
PID 3420 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe
PID 3420 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe
PID 1844 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe C:\Windows\SysWOW64\openwith.exe
PID 1844 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe C:\Windows\SysWOW64\openwith.exe
PID 1844 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe C:\Windows\SysWOW64\openwith.exe
PID 1844 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe C:\Windows\SysWOW64\openwith.exe
PID 1844 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe C:\Windows\SysWOW64\openwith.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\launcher.exe

"C:\Users\Admin\AppData\Local\Temp\launcher.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe"

C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe

C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"
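Triage script over the behavioral1 data above, added here as an example and not part of the sandbox report. It rebuilds the process tree from the WriteProcessMemory and NtCreateUserProcess rows, pulls the Defender exclusion paths out of the PowerShell command line, and flags the two items worth escalating from this detonation: the dropped EXE writing repeatedly into openwith.exe (a process-hollowing lead) and the sihost.exe it created under a different recorded parent. The row grammar `PID <src> wrote to memory of <dst> N/A <src_image> <dst_image>` and the "three or more writes" threshold are assumptions, not the sandbox's documented format.

```python
"""Triage helpers for the behavioral1 section of the report above.

Rows are copied from the report; the row grammar and the write-count
threshold are assumptions (see lead-in), not a documented export format.
"""
import re
from collections import Counter, defaultdict

# Constructed input: the report's WriteProcessMemory rows, duplicates kept
# because each row is one observed call.
WRITE_ROWS = [
    r"PID 4524 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Windows\system32\cmd.exe",
    r"PID 4524 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Windows\system32\cmd.exe",
    r"PID 840 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 840 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 4524 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Windows\system32\cmd.exe",
    r"PID 4524 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Windows\system32\cmd.exe",
    r"PID 3420 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe",
    r"PID 3420 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe",
    r"PID 3420 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe",
] + [r"PID 1844 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe C:\Windows\SysWOW64\openwith.exe"] * 5

# Constructed input: the NtCreateUserProcessOtherParentProcess row.
CREATE_ROWS = [
    r"PID 1844 created 3028 N/A C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe C:\Windows\system32\sihost.exe",
]

# Constructed input: the powershell.exe command line from the Processes section.
POWERSHELL_CMDLINE = (
    "powershell -Command \"Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\AppData'; "
    "Add-MpPreference -ExclusionPath 'C:\\ProgramData'\""
)

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
CREATE_RE = re.compile(r"^PID (\d+) created (\d+) N/A (\S+) (\S+)$")
# Accepts single- or double-quoted paths; the report shows single quotes.
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+['\"]([^'\"]+)['\"]", re.IGNORECASE)


def parse_edges(rows, pattern):
    """Return (src_pid, dst_pid, src_image, dst_image) per row; rows that do not match are skipped."""
    out = []
    for row in rows:
        m = pattern.match(row.strip())
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return out


def image_name(path):
    return path.rsplit("\\", 1)[-1]


def is_user_writable(path):
    p = path.lower()
    return p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\")


def is_windows_binary(path):
    return path.lower().startswith("c:\\windows\\")


def injection_candidates(write_edges, min_writes=3):
    """A user-writable image writing repeatedly into a Windows binary.

    One or two WriteProcessMemory calls are normal parent/child set-up (cmd.exe
    starting powershell.exe shows two); several into the same target from a
    dropped EXE is the hollowing pattern worth escalating. Threshold is a heuristic.
    """
    counts = Counter(write_edges)
    return sorted(
        (s, d, image_name(si), image_name(di), n)
        for (s, d, si, di), n in counts.items()
        if n >= min_writes and is_user_writable(si) and is_windows_binary(di)
    )


def parent_reassignments(create_edges):
    """NtCreateUserProcess rows where a non-Windows image created a process under another parent."""
    return [(s, d, image_name(si), image_name(di)) for s, d, si, di in create_edges if not is_windows_binary(si)]


def defender_exclusions(cmdline):
    """Paths that the command line adds as Microsoft Defender exclusions."""
    return EXCLUSION_RE.findall(cmdline)


def render_tree(write_edges, create_edges, root):
    """Indented process tree; parent/child writes are used as the spawn relation the sandbox logs."""
    children, names, seen = defaultdict(list), {}, set()
    for s, d, si, di in write_edges + create_edges:
        names.setdefault(s, image_name(si))
        names.setdefault(d, image_name(di))
        if (s, d) not in seen:
            seen.add((s, d))
            children[s].append(d)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{names.get(pid, '?')} ({pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    writes = parse_edges(WRITE_ROWS, WRITE_RE)
    creates = parse_edges(CREATE_ROWS, CREATE_RE)
    print("\n".join(render_tree(writes, creates, root=4524)))
    print("Defender exclusions added:", defender_exclusions(POWERSHELL_CMDLINE))
    print("Injection candidates:", injection_candidates(writes))
    print("Parent reassignment:", parent_reassignments(creates))
```

The exclusion paths are the remediation item to act on first: AppData and ProgramData exclusions survive the sample's death and blind Defender to the next dropper, so on an affected host the current list should be read with Get-MpPreference and the two entries removed with Remove-MpPreference before rebuilding anything else.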

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp

Files

memory/4912-1-0x00007FFC7A1B3000-0x00007FFC7A1B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfofxboo.pfs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4912-10-0x00000194611C0000-0x00000194611E2000-memory.dmp

memory/4912-11-0x00007FFC7A1B0000-0x00007FFC7AC72000-memory.dmp

memory/4912-12-0x00007FFC7A1B0000-0x00007FFC7AC72000-memory.dmp

memory/4912-13-0x00007FFC7A1B0000-0x00007FFC7AC72000-memory.dmp

memory/4912-16-0x00007FFC7A1B0000-0x00007FFC7AC72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe

MD5 ec96e65299b7639d4aa60dd315acad80
SHA1 7196b8eb744f769810b390c02371872d11c33bbd
SHA256 c1df546782a82cb03e27ccfea0002f304c56bb26b3fc3d9d8e76ff7c7f61e529
SHA512 db187aedfc8046e2c3e8c49ad7e3741b56c4280e6ea0017835dc2f0121234f69ae9a24fd5a4eab19f8f3682f0d47279b3441aedb331cdb54a38951ac5626c883

memory/1844-22-0x0000000000400000-0x00000000007D8000-memory.dmp

memory/1844-23-0x0000000000400000-0x00000000007D8000-memory.dmp

memory/1844-26-0x0000000003730000-0x0000000003B30000-memory.dmp

memory/1844-27-0x0000000003730000-0x0000000003B30000-memory.dmp

memory/1844-28-0x00007FFC9B000000-0x00007FFC9B209000-memory.dmp

memory/1844-30-0x0000000075F50000-0x00000000761A2000-memory.dmp

memory/2252-31-0x0000000000D90000-0x0000000000D99000-memory.dmp

memory/2252-34-0x0000000002D90000-0x0000000003190000-memory.dmp

memory/1844-33-0x0000000000400000-0x00000000007D8000-memory.dmp

memory/2252-35-0x00007FFC9B000000-0x00007FFC9B209000-memory.dmp

memory/2252-37-0x0000000075F50000-0x00000000761A2000-memory.dmp