Overview

overview

10

Static

static

3

Bootstrapp...19.exe

windows7-x64

8

Bootstrapp...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2024 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapper_V1.19.exe

  • Size

    796KB

  • MD5

    4d58b02c2a252bc3c9b0e400d0d38c34

  • SHA1

    749059703b6333bde494a43c33fa2cf2a4ff8026

  • SHA256

    b6f869f85169eb84ad25aa08d9844a18d8febee43f05f4b3dffb539ec2b7f1b1

  • SHA512

    ea00a0670f7b4381ec43449ded50be7bda58496fcb59b5ba87e22c3b9d5b85b5d4df457c4b4e6c1d38016f9c10d1c8869e9dd4b498f814feacb40d398e2aaed4

  • SSDEEP

    3072:OhMQmmCyYwC+M2FEv80IZOAcXAEJuh9hCyYwC+M2FEv80IZOAD80IZOAB:zmhY7X2Kvh9qhhY7X2KvhEh

Score
10/10
rhadamanthysdiscoveryexecutionstealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://135.181.4.162:2423/97e9fc994198e76/02dgpgfn.5rkt4

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2876
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:804
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper_V1.19.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper_V1.19.exe"
      1⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SGDT'"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4112
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3628
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3840
      • C:\SGDT\executable.exe
        "C:\SGDT\executable.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5068

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\SGDT\executable.exe
      Filesize

      423KB

      MD5

      844b868dabe70a2748c5f86c327e9391

      SHA1

      1d5ec1aa30faef047cda55d09b528046f275b9ff

      SHA256

      c339bc88c7ecc7c7d099e8457e16a7094fc2243e68ec30041d048b4f97b224c1

      SHA512

      92d93457a93969dbe3b8fcfb120be7cec97fc38646aa5b08b926ed2c909f3872ed00ff27f0b8423e7ad1d8dedb72511893504e8a6658cd9c35de0ce7c9151859

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      3da1b0dca9916d14500e7eec64b33254

      SHA1

      6dcb64f9be0c738c54b976af947c7453ec2368b1

      SHA256

      b56a78e0f8313ebf1d8834e8c202cc6d5a6a4ff6efa59064361b6d8cd5cbf810

      SHA512

      ce0990df14c00dba27ec41f21c903081ef59c238874a2e4e4031415cab13a63270240b7cf0d396ead6c38e16c2476b899e03f20436eba48c2d8a7e9180e8d8f2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      15f8c728f19b75cd3f1ad247f2315987

      SHA1

      42e498e2266194253f7b102b5a1db9b45f11a107

      SHA256

      beab714b03c514892569da28d570a59fc4b4dd6940002ed739e95e1d9bd24c4d

      SHA512

      77b5279fb3f3a8e9eb0c7b751279dbd0100c8551d63f5e0064051bbbeccc2bb756b528e0cea5f14218d6b9e14a8fa54e91d10550d3edf95b5658ef8e5d16611d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdmnlzke.12i.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/804-129-0x00000000756F0000-0x0000000075905000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/804-127-0x00007FFEBB870000-0x00007FFEBBA65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/804-126-0x0000000002810000-0x0000000002C10000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/804-123-0x0000000000CA0000-0x0000000000CA9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3628-85-0x0000000007130000-0x000000000714A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3628-73-0x0000000007040000-0x00000000070E3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3628-50-0x00000000062A0000-0x00000000062EC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3628-94-0x0000000007450000-0x0000000007458000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3628-93-0x0000000007470000-0x000000000748A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3628-49-0x0000000005E00000-0x0000000005E1E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3628-87-0x00000000073B0000-0x0000000007446000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3628-63-0x000000006B8D0000-0x000000006B91C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3628-84-0x0000000007770000-0x0000000007DEA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3840-17-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3840-10-0x0000000002BB0000-0x0000000002BE6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3840-25-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3840-102-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3840-74-0x000000006B8D0000-0x000000006B91C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3840-14-0x00000000050D0000-0x00000000050F2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3840-11-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4112-13-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4112-62-0x0000000006E00000-0x0000000006E1E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4112-52-0x000000006B8D0000-0x000000006B91C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4112-51-0x0000000007800000-0x0000000007832000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4112-48-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4112-18-0x0000000006280000-0x00000000065D4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4112-19-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4112-15-0x0000000005920000-0x0000000005986000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4112-86-0x0000000007BD0000-0x0000000007BDA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4112-16-0x0000000005990000-0x00000000059F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4112-88-0x0000000007D50000-0x0000000007D61000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4112-91-0x0000000007D80000-0x0000000007D8E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4112-92-0x0000000007D90000-0x0000000007DA4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4112-103-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4112-12-0x0000000005B50000-0x0000000006178000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4704-9-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4704-4-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4704-7-0x000000007441E000-0x000000007441F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4704-0-0x000000007441E000-0x000000007441F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4704-5-0x0000000009A70000-0x0000000009AA8000-memory.dmp

      Filesize

      224KB

      Download

    • memory/4704-6-0x0000000009A40000-0x0000000009A4E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4704-1-0x00000000005E0000-0x00000000006AC000-memory.dmp

      Filesize

      816KB

      Download

    • memory/4704-8-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4704-2-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4704-3-0x00000000099F0000-0x00000000099F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/5068-118-0x0000000003B30000-0x0000000003F30000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/5068-122-0x00000000756F0000-0x0000000075905000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/5068-124-0x0000000000270000-0x00000000002EE000-memory.dmp

      Filesize

      504KB

      Download

    • memory/5068-120-0x00007FFEBB870000-0x00007FFEBBA65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/5068-119-0x0000000003B30000-0x0000000003F30000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/5068-116-0x0000000000270000-0x00000000002EE000-memory.dmp

      Filesize

      504KB

      Download