Analysis

  max time kernel:  118s
  max time network: 121s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        02-10-2024 14:21
Static task
  static1

Behavioral task
  behavioral1
    Sample:   4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe
    Resource: win7-20240903-en

Behavioral task
  behavioral2
    Sample:   4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe
    Resource: win10v2004-20240802-en
General

  Target: 4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe
  Size:   5.5MB
  MD5:    aa8e8c3357b85d7fd70a8be957565eb0
  SHA1:   e4c316308d13eb6526159d9f6c47fcbbd76abe23
  SHA256: 4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994a
  SHA512: a2253dd97f28fd14a8de9f1d6e9acb731707e0af7dd62760d66cd39fe9c7b5ae7177fd8ba06d8a5e48be4dda3938840c2e3abe22ac52b2a4c2f3c7c944b5f249
  SSDEEP: 98304:L6WUz+vUp6vdQDFUJ0t3an8NEaC+H89yM1dXLoarPDgIFZoP7cJcL4BM2s7DLubu:eWNcp6vdODt3a8OaC+H7YFPfDZoPgOL9
Malware Config

Extracted
  Family: rhadamanthys
  C2:     https://95.216.91.91:1614/a184ab61761639/o7mcufhd.54f7i
Signatures

Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description           | pid  | Process                                                                | procid_target
  PID 2656 created 1236 | 2656 | 4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe | 21

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dialer.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid  | Process
  2656 | 4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe
  2656 | 4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe
  2692 | dialer.exe
  2692 | dialer.exe
  2692 | dialer.exe
  2692 | dialer.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                      | pid  | Process                                                                | procid_target
  PID 2656 wrote to memory of 2692 | 2656 | 4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe | 30
  PID 2656 wrote to memory of 2692 | 2656 | 4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe | 30
  PID 2656 wrote to memory of 2692 | 2656 | 4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe | 30
  PID 2656 wrote to memory of 2692 | 2656 | 4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe | 30
  PID 2656 wrote to memory of 2692 | 2656 | 4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe | 30
  PID 2656 wrote to memory of 2692 | 2656 | 4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe | 30
Processes

- C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1236

  - C:\Users\Admin\AppData\Local\Temp\4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4ac85f0efb434a89240a3c978f564e827976fdf0da14cbb5af9cdc931ab8994aN.exe"
      PID: 2656
      Signatures:
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\dialer.exe
      Command line: "C:\Windows\system32\dialer.exe"
      PID: 2692
      Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses