Malware Analysis Report

2024-11-30 02:25

Sample ID 241016-g5f5ms1ejq
Target c4542f600e2883dd58d8dc6753f40945.exe
SHA256 7a83b820d1dc7794788ac1ce4f9165d2ba29fe33bf743d8316391244044e8d2d
Tags
rhadamanthys discovery persistence stealer
score
10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Threat Level: Known bad

The file c4542f600e2883dd58d8dc6753f40945.exe was found to be: Known bad.

Malicious Activity Summary

rhadamanthys discovery persistence stealer

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 06:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 06:23

Reported

2024-10-16 06:25

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 4968 created 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | C:\Windows\Explorer.EXE
PID 4484 created 2532 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\system32\sihost.exe

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c4542f600e2883dd58d8dc6753f40945.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4968 set thread context of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4460 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\c4542f600e2883dd58d8dc6753f40945.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe
PID 4460 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\c4542f600e2883dd58d8dc6753f40945.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe
PID 4460 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\c4542f600e2883dd58d8dc6753f40945.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe
PID 4968 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4968 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4968 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4968 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4968 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4968 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4968 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4968 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4968 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4968 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4484 wrote to memory of 440 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\SysWOW64\openwith.exe
PID 4484 wrote to memory of 440 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\SysWOW64\openwith.exe
PID 4484 wrote to memory of 440 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\SysWOW64\openwith.exe
PID 4484 wrote to memory of 440 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\SysWOW64\openwith.exe
PID 4484 wrote to memory of 440 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\SysWOW64\openwith.exe

Processes

Image | Command line
C:\Windows\system32\sihost.exe | sihost.exe
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\c4542f600e2883dd58d8dc6753f40945.exe | "C:\Users\Admin\AppData\Local\Temp\c4542f600e2883dd58d8dc6753f40945.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\openwith.exe | "C:\Windows\system32\openwith.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4484 -ip 4484
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 464
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4484 -ip 4484
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 472

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
MD | 37.221.67.152:80 | 37.221.67.152 | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 152.67.221.37.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guessarea.exe

MD5 0f7f63fdb872be881d1088eee5cd22c7
SHA1 654acfefc81e39c1e50b80ce373ca1d06e8689ac
SHA256 8545c341fcc58c11a211404fcbe2d680d84be3229ef9b30e65f4bddba2638a10
SHA512 981341004600896b7605365ac73516b20bf0f75c6faccdb2f042a2b8f1f74ca36fbe8cb84dd05eab61b66a80e899c999cd446a451e1b33d5389e3af43479df21

memory/4968-5-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

memory/4968-6-0x0000000000CB0000-0x0000000001438000-memory.dmp

memory/4968-7-0x0000000074CC0000-0x0000000075470000-memory.dmp

memory/4968-8-0x0000000006630000-0x000000000674E000-memory.dmp

memory/4968-16-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-72-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-70-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-68-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-66-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-64-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-62-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-61-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-58-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-54-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-52-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-48-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-46-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-56-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-44-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-50-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-42-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-38-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-36-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-34-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-32-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-28-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-26-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-24-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-22-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-20-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-18-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-14-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-40-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-12-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-30-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-10-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-9-0x0000000006630000-0x0000000006748000-memory.dmp

memory/4968-1083-0x0000000074CC0000-0x0000000075470000-memory.dmp

memory/4968-1084-0x0000000006870000-0x0000000006908000-memory.dmp

memory/4968-1085-0x0000000006910000-0x000000000695C000-memory.dmp

memory/4968-1089-0x0000000074CC0000-0x0000000075470000-memory.dmp

memory/4968-1090-0x0000000074CC0000-0x0000000075470000-memory.dmp

memory/4968-1091-0x0000000074CC0000-0x0000000075470000-memory.dmp

memory/4968-1092-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

memory/4968-1093-0x0000000007240000-0x00000000077E4000-memory.dmp

memory/4968-1094-0x0000000006C90000-0x0000000006CE4000-memory.dmp

memory/4968-1105-0x0000000074CC0000-0x0000000075470000-memory.dmp

memory/4484-1107-0x0000000000800000-0x000000000087E000-memory.dmp

memory/4484-1108-0x0000000003540000-0x0000000003940000-memory.dmp

memory/4484-1111-0x0000000003540000-0x0000000003940000-memory.dmp

memory/440-1117-0x0000000002900000-0x0000000002D00000-memory.dmp

memory/440-1120-0x0000000002900000-0x0000000002D00000-memory.dmp

memory/440-1122-0x0000000002900000-0x0000000002D00000-memory.dmp

memory/4484-1123-0x0000000003540000-0x0000000003940000-memory.dmp