Malware Analysis Report

2024-11-15 06:02

Sample ID: 240927-dzfp5swbrb
Target: launcher.exe
SHA256: 0777bba437bc66725d3e00f17810a1dee973fef63808d3d14aa046503a5589a6
Tags: rhadamanthys discovery execution stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 0777bba437bc66725d3e00f17810a1dee973fef63808d3d14aa046503a5589a6

Threat Level: Known bad

The file launcher.exe was found to be: Known bad.

Malicious Activity Summary

Tags: rhadamanthys discovery execution stealer

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported: 2024-09-27 03:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-27 03:26
Reported: 2024-09-27 03:29
Platform: win7-20240708-en
Max time kernel: 15s
Max time network: 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\launcher.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\launcher.exe

"C:\Users\Admin\AppData\Local\Temp\launcher.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-27 03:26
Reported: 2024-09-27 03:29
Platform: win10v2004-20240802-en
Max time kernel: 93s
Max time network: 95s

Command Line

sihost.exe

Signatures

Rhadamanthys

Tags: stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 928 created 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe | C:\Windows\system32\sihost.exe

Command and Scripting Interpreter: PowerShell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2892 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\launcher.exe | C:\Windows\system32\cmd.exe
PID 2892 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\launcher.exe | C:\Windows\system32\cmd.exe
PID 1852 wrote to memory of 528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1852 wrote to memory of 528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\launcher.exe | C:\Windows\system32\cmd.exe
PID 2892 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\launcher.exe | C:\Windows\system32\cmd.exe
PID 1068 wrote to memory of 928 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe
PID 1068 wrote to memory of 928 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe
PID 1068 wrote to memory of 928 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe
PID 928 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe | C:\Windows\SysWOW64\openwith.exe
PID 928 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe | C:\Windows\SysWOW64\openwith.exe
PID 928 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe | C:\Windows\SysWOW64\openwith.exe
PID 928 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe | C:\Windows\SysWOW64\openwith.exe
PID 928 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe | C:\Windows\SysWOW64\openwith.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\launcher.exe

"C:\Users\Admin\AppData\Local\Temp\launcher.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe"

C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe

C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | github.com | udp
GB | 20.26.156.215:443 | github.com | tcp
US | 8.8.8.8:53 | objects.githubusercontent.com | udp
US | 185.199.110.133:443 | objects.githubusercontent.com | tcp
US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp

Files

memory/528-1-0x00007FFB5CC93000-0x00007FFB5CC95000-memory.dmp

memory/528-11-0x000002194E290000-0x000002194E2B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jzy5gt5k.b45.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/528-12-0x00007FFB5CC90000-0x00007FFB5D751000-memory.dmp

memory/528-13-0x00007FFB5CC90000-0x00007FFB5D751000-memory.dmp

memory/528-16-0x00007FFB5CC90000-0x00007FFB5D751000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aok7KqYbBf.exe

MD5 ec96e65299b7639d4aa60dd315acad80
SHA1 7196b8eb744f769810b390c02371872d11c33bbd
SHA256 c1df546782a82cb03e27ccfea0002f304c56bb26b3fc3d9d8e76ff7c7f61e529
SHA512 db187aedfc8046e2c3e8c49ad7e3741b56c4280e6ea0017835dc2f0121234f69ae9a24fd5a4eab19f8f3682f0d47279b3441aedb331cdb54a38951ac5626c883

memory/928-21-0x0000000000400000-0x00000000007D8000-memory.dmp

memory/928-23-0x0000000000400000-0x00000000007D8000-memory.dmp

memory/928-26-0x0000000003630000-0x0000000003A30000-memory.dmp

memory/928-27-0x0000000003630000-0x0000000003A30000-memory.dmp

memory/928-28-0x00007FFB7B070000-0x00007FFB7B265000-memory.dmp

memory/928-30-0x0000000075CC0000-0x0000000075ED5000-memory.dmp

memory/220-31-0x0000000000DB0000-0x0000000000DB9000-memory.dmp

memory/928-33-0x0000000000400000-0x00000000007D8000-memory.dmp

memory/220-34-0x0000000002AD0000-0x0000000002ED0000-memory.dmp

memory/220-37-0x0000000075CC0000-0x0000000075ED5000-memory.dmp

memory/220-35-0x00007FFB7B070000-0x00007FFB7B265000-memory.dmp