rhadamanthys | ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
submitted
17-10-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4247605d401ed13d7584377852052793.exe
Size

15.1MB
MD5

4247605d401ed13d7584377852052793
SHA1

9456200c2cc28957491a3e9709acbe6fb834a687
SHA256

ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a
SHA512

8a1aa03b57ed8778fa1ae9d449dfd34fc514dd38bdccad39c0095540ff745fbb784b35061c8d9d214054ad5004dbde31430395fc1d9d1c1ac52c19cfb52bf3a2
SSDEEP

393216:Vn8IgucBc26M/Rovs1B7I5RmPAfAmYKYUC0sdeC:58ju8c26MZo26FrYdhYC

Score

10^/10

rhadamanthys discovery stealer upx

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4448 created 2872	4448	s-etup.exe	49

Manipulates Digital Signatures 1 TTPs 4 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F35FD2B58CEAAC0D48B00914094C5D6C3E3E2164\Blob = 030000000100000014000000f35fd2b58ceaac0d48b00914094c5d6c3e3e21642000000001000000de060000308206da30820542a00302010202103e94afbaa7fddde1a3f9cb164bef725a300d06092a864886f70d01010b05003057310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312e302c060355040313255365637469676f205075626c696320436f6465205369676e696e6720434120455620523336301e170d3233303832343030303030305a170d3236303832333233353935395a30819a311a301806035504051311383133203632332037333320303030333331133011060b2b0601040182373c02010313024652311d301b060355040f131450726976617465204f7267616e697a6174696f6e310b30090603550406130246523111300f06035504080c084272657461676e6531133011060355040a0c0a506f7765722d757365723113301106035504030c0a506f7765722d7573657230820222300d06092a864886f70d01010105000382020f003082020a0282020100cae1440dedfea9629f012d3e0f2380016585bece7940f2af8c91297d7c788ffc2d103676f377b856d80d89dfb0de959837cfb2cba3f60f0d4d27ade4b42038551fc3225a4565012cd6b7f7c719bf43cb123990fe0ac2b910e657baa30736696fc0e98f534c1183b7b4acec8d9426bf21f22f703fade6d133db5398c0e12f9046d820fcf2bfdddfb7de3a75b156d0a3f6fed4dcaeb20cdef8c3a27d1445a60901f51adc6ad37242cedcee7bcfb1796631f54dff0024e1105f406e95fd77c51a9fb77b5ce8db11414acaebf0b26193c6f4ca1addae9ef334a603d9f392075dfb8c5f9bb86f9f14440768aae8fe5206cfa1db1546faf192e85af1f60e0954d7661cd58e87a5e3e68e592d0876f64ee27597cc87d5da265c05239b8ed9b1977da7cc1553776acd35e52635e29c92423e5cf32069669c481be5d5ba6d016e7ee132b7a458e14c81e3604c4184c88db4266a40be67f3f62c8fc4a5d521c04cd193d07147bcd67d3b8de77e2586fa1fed555cbd73bf82792612efe2e0a79d2080e9c65749889f6248eae338651f7468d16e23c6ff7a4375cf490a79e845877308eb9d35270246ad3d125f07365cdf31f0bf029d0532e40526657b0f437b9cf5925dd6a23d0c1bcb708bfe2b7ac211f4e7409277e3624eb441bd118eac17d71adede2fcd20909e76f17f8b4002d8dfcb32fa01f4146bcaf43a002bb0796d1d45ff8256f90203010001a38201dc308201d8301f0603551d23041830168014813292412b28cd46c8c4a2c62a3912ec48a93f14301d0603551d0e04160414bf78f22103150a78fa27cb52096ece4e39ba23d6300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b0601050507030330490603551d20044230403035060c2b06010401b23101020106013025302306082b06010505070201161768747470733a2f2f7365637469676f2e636f6d2f4350533007060567810c0103304b0603551d1f044430423040a03ea03c863a687474703a2f2f63726c2e7365637469676f2e636f6d2f5365637469676f5075626c6963436f64655369676e696e67434145565233362e63726c307b06082b06010505070101046f306d304606082b06010505073002863a687474703a2f2f6372742e7365637469676f2e636f6d2f5365637469676f5075626c6963436f64655369676e696e67434145565233362e637274302306082b060105050730018617687474703a2f2f6f6373702e7365637469676f2e636f6d304e0603551d1104473045a02406082b06010505070803a01830160c1446522d3831332036323320373333203030303333811d6f6c697669657240706f77657275736572736f6674776172652e636f6d300d06092a864886f70d01010b0500038201810004942aaf9b3ebb785e8cf63d72b07114a2b2f530c66708ffc0e74b59c22921dac58e24084b2ecd9a933b46e914425f9063f1c60814e4fafeeb6d5cbeb2bbc417c3a638c5c193c2cb286aafc10ef6532c1e364b17c65b44e21aa1f2d42e32e64350721e2c3b9adfe73f8f1a7c0ffd17c38e9c5060f36111d6ace67a6c24d6327e3deca05d8a50e64d9068842860e19731d2973fc26fed6f06cdc12afdc5f23d11d5fbd72a3ddb83e20bfeaafa373bde823db17a2c9f79dc5bb7f6991aeea8f3d97a85e84a83ea8f1f7dc66819f5312268bf0f9748f6e789ba0ce4d133d35e14879f23e6c02bf6a4003d6879d219a2d34074dd953bb824c685ce834e475b74a8dfa03f1f563892b8e31a410c8f045fbeef884d8a8f4f04413dc2408c3702496dc4f4ba1415e09022da7a7544ffe96324cab03356ba9740552f8a4b0d94621d8d672b215b90b293c7b3f14525e1ce6c6aa2b6d801474204e683f72488d27ec43a5e54f74a7ea6ba6f9aaf83f94fb4ad45eecfc52ba7331ec7ee5aa7800414085427	certutil.exe

Executes dropped EXE 5 IoCs

pid	Process
2700	7z.exe
4304	s-etup.exe
852	Power-user.exe
3588	Power-user.exe
4448	s-etup.exe

Loads dropped DLL 6 IoCs

pid	Process
2904	4247605d401ed13d7584377852052793.exe
2904	4247605d401ed13d7584377852052793.exe
2700	7z.exe
4304	s-etup.exe
4052	MsiExec.exe
1272	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c8d-28.dat	upx
behavioral2/memory/4304-30-0x00000000000E0000-0x0000000000A67000-memory.dmp	upx
behavioral2/memory/4304-101-0x00000000000E0000-0x0000000000A67000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Power-user Premium\Power-user.exe	4247605d401ed13d7584377852052793.exe
File opened for modification	C:\Program Files (x86)\Power-user Premium\Power-user.exe	4247605d401ed13d7584377852052793.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e58486e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A44.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4958.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e584870.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58486e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5DB13158-EC76-489E-B122-1AE35DB2CA74}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4024	4448	WerFault.exe	104
4048	4448	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4247605d401ed13d7584377852052793.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Power-user.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s-etup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s-etup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Power-user.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000041ba55ff39bb976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000041ba55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090041ba55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d41ba55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000041ba55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4448	s-etup.exe
4448	s-etup.exe
3064	openwith.exe
3064	openwith.exe
3064	openwith.exe
3064	openwith.exe
2088	msiexec.exe
2088	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2700	7z.exe
Token: 35	2700	7z.exe
Token: SeSecurityPrivilege	2700	7z.exe
Token: SeSecurityPrivilege	2700	7z.exe
Token: SeShutdownPrivilege	3412	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3412	MSIEXEC.EXE
Token: SeSecurityPrivilege	2088	msiexec.exe
Token: SeCreateTokenPrivilege	3412	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3412	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3412	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3412	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3412	MSIEXEC.EXE
Token: SeTcbPrivilege	3412	MSIEXEC.EXE
Token: SeSecurityPrivilege	3412	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3412	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3412	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3412	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3412	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3412	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3412	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3412	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3412	MSIEXEC.EXE
Token: SeBackupPrivilege	3412	MSIEXEC.EXE
Token: SeRestorePrivilege	3412	MSIEXEC.EXE
Token: SeShutdownPrivilege	3412	MSIEXEC.EXE
Token: SeDebugPrivilege	3412	MSIEXEC.EXE
Token: SeAuditPrivilege	3412	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3412	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3412	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3412	MSIEXEC.EXE
Token: SeUndockPrivilege	3412	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3412	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3412	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3412	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3412	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3412	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	3412	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3412	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3412	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3412	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3412	MSIEXEC.EXE
Token: SeTcbPrivilege	3412	MSIEXEC.EXE
Token: SeSecurityPrivilege	3412	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3412	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3412	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3412	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3412	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3412	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3412	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3412	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3412	MSIEXEC.EXE
Token: SeBackupPrivilege	3412	MSIEXEC.EXE
Token: SeRestorePrivilege	3412	MSIEXEC.EXE
Token: SeShutdownPrivilege	3412	MSIEXEC.EXE
Token: SeDebugPrivilege	3412	MSIEXEC.EXE
Token: SeAuditPrivilege	3412	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3412	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3412	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3412	MSIEXEC.EXE
Token: SeUndockPrivilege	3412	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3412	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3412	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3412	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3412	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3412	MSIEXEC.EXE
3412	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2700	2904	4247605d401ed13d7584377852052793.exe	87
PID 2904 wrote to memory of 2700	2904	4247605d401ed13d7584377852052793.exe	87
PID 2904 wrote to memory of 4304	2904	4247605d401ed13d7584377852052793.exe	93
PID 2904 wrote to memory of 4304	2904	4247605d401ed13d7584377852052793.exe	93
PID 2904 wrote to memory of 4304	2904	4247605d401ed13d7584377852052793.exe	93
PID 2904 wrote to memory of 852	2904	4247605d401ed13d7584377852052793.exe	94
PID 2904 wrote to memory of 852	2904	4247605d401ed13d7584377852052793.exe	94
PID 2904 wrote to memory of 852	2904	4247605d401ed13d7584377852052793.exe	94
PID 852 wrote to memory of 3588	852	Power-user.exe	95
PID 852 wrote to memory of 3588	852	Power-user.exe	95
PID 852 wrote to memory of 3588	852	Power-user.exe	95
PID 3588 wrote to memory of 3412	3588	Power-user.exe	98
PID 3588 wrote to memory of 3412	3588	Power-user.exe	98
PID 3588 wrote to memory of 3412	3588	Power-user.exe	98
PID 2088 wrote to memory of 4052	2088	msiexec.exe	101
PID 2088 wrote to memory of 4052	2088	msiexec.exe	101
PID 2088 wrote to memory of 4052	2088	msiexec.exe	101
PID 4304 wrote to memory of 4448	4304	s-etup.exe	104
PID 4304 wrote to memory of 4448	4304	s-etup.exe	104
PID 4304 wrote to memory of 4448	4304	s-etup.exe	104
PID 4304 wrote to memory of 4448	4304	s-etup.exe	104
PID 4304 wrote to memory of 4448	4304	s-etup.exe	104
PID 4448 wrote to memory of 3064	4448	s-etup.exe	105
PID 4448 wrote to memory of 3064	4448	s-etup.exe	105
PID 4448 wrote to memory of 3064	4448	s-etup.exe	105
PID 4448 wrote to memory of 3064	4448	s-etup.exe	105
PID 4448 wrote to memory of 3064	4448	s-etup.exe	105
PID 2088 wrote to memory of 3700	2088	msiexec.exe	117
PID 2088 wrote to memory of 3700	2088	msiexec.exe	117
PID 2088 wrote to memory of 1272	2088	msiexec.exe	119
PID 2088 wrote to memory of 1272	2088	msiexec.exe	119
PID 2088 wrote to memory of 1272	2088	msiexec.exe	119
PID 4052 wrote to memory of 4512	4052	MsiExec.exe	120
PID 4052 wrote to memory of 4512	4052	MsiExec.exe	120
PID 4052 wrote to memory of 4512	4052	MsiExec.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2872
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3064

C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe
"C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\7z.exe
  "C:\Users\Admin\AppData\Local\Temp\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\files925.zip" -o"C:\Users\Admin\AppData\Local\Temp\extracted" -y
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
  C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
    "C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 472
      4⤵
      Program crash
      PID:4024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 488
      4⤵
      Program crash
      PID:4048
- C:\Program Files (x86)\Power-user Premium\Power-user.exe
  "C:\Program Files (x86)\Power-user Premium\Power-user.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\Power-user.exe
    C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\Power-user.exe /q"C:\Program Files (x86)\Power-user Premium\Power-user.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}" /IS_temp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\SysWOW64\MSIEXEC.EXE
      "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{185BCD0E-D99A-4C1A-A8D4-2081A969948F}\Power-user.msi" SETUPEXEDIR="C:\Program Files (x86)\Power-user Premium" SETUPEXENAME="Power-user.exe"
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:3412

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 73E6A50220E77FE9A74BB1C7EAB26A78 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\certutil.exe
    "C:\Windows\System32\certutil.exe" -addstore -user TrustedPublisher "C:\Users\Admin\AppData\Local\Power-user\power_user.cer"
    3⤵
    - Manipulates Digital Signatures
    - System Location Discovery: System Language Discovery
    PID:4512
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3700
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8104AA22234C309DAF5ABCD14E2B0A20
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4448 -ip 4448
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4448 -ip 4448
1⤵
PID:1576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58486f.rbs

Filesize
52KB

MD5
1eb3f2056f873edb4fc7b55c4baa2cf8

SHA1
56f242f245d9a31326113735d744f0e8e0a705fc

SHA256
a13662db6b859d2a6a464771cdfd4da8dfdd32bb1bdde3294ac50e64ffdf97b6

SHA512
61448ebc952dd9210dc551d2a32b1cb307ae17c979556de3864972384b32e50ff7140ffbb00b2226fef8066323a9f8bce5a51538c714a42a4f74cee224211126

Download Submit
C:\Program Files (x86)\Power-user Premium\Power-user.exe

Filesize
14.6MB

MD5
c95da98a5c79298bdde4c4a6f41405c5

SHA1
73492ba3c4c3f006b6578a54749cd4d41df24cc8

SHA256
85d354cca17e45ede494c3d67cf83a74413290063ef3b6d1d41417fcc4565cb8

SHA512
fc09153cc637cc60336c49b91ab094887abcb390242ce79581c53fcba62e04699c049164c32f2c6c7da2e4d655e7b44b3f8e1149bd223f9d2c8475aeb1f767ee

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{185BCD0E-D99A-4C1A-A8D4-2081A969948F}\Power-user.msi

Filesize
14.6MB

MD5
2f2e55b11f9543755eab88de9bb1b28d

SHA1
8c53204d31b6ea02a9de45ad3be0362bc3c77b7e

SHA256
42af06ffe3ee4176225fce585074201fbdeb20f8e095ff61a4bef1566c3d0ae9

SHA512
cad45e7b6108bd55754c4a103145ef6ba5cf86dde268f4c3a7ba60886e7f5743da98472613c61a76a8f4e782ad3afe259589917f30a547142c37d6f73ee3b5ef

Download Submit
C:\Users\Admin\AppData\Local\Power-user\power_user.cer

Filesize
2KB

MD5
d857b21dd3e5f5557486ea92ac5cbf7c

SHA1
a413305b2d36c51687a4ad66fb72c91fe7c2bb98

SHA256
59bd1f089730b07d8683df99ca812eb15f8188cc6d82c0eef6f6480fea7d8368

SHA512
3b96ad68e39494f345b363bc8ea32d0c2857421d5e577dfb78d3ac2ca046eb29f168c14a5d2af9894dc1f6214add118ad1e8ba26f8991115676c89469424308b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
549KB

MD5
0b24892597dcb0257cdb78b5ed165218

SHA1
5fe5d446406ff1e34d2fe3ee347769941636e323

SHA256
707f415d7d581edd9bce99a0429ad4629d3be0316c329e8b9ebd576f7ab50b71

SHA512
24ea9e0f10a283e67850070976c81ae4b2d4d9bb92c6eb41b2557ad3ae02990287531a619cf57cd257011c6770d4c25dd19c3c0e46447eb4d0984d50d869e56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE37A.tmp

Filesize
153KB

MD5
1780f8e73ba9c7c976938655ca67ede1

SHA1
52ea389894f1444e58bba86984c5697a592a6365

SHA256
11bb6cd0d701907188dae252c419beca95c1f5ae15b1b4d36e265eec94c69b28

SHA512
d9dfe7b919c22f8e3882459a722162a0c021b3991eaf304cd56be80e2da56880dfaae589d051aaa4ce559859729be0a333cac2bd1178164ff0c0e1da97000cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe

Filesize
2.7MB

MD5
a0fab21c52fb92a79bc492d2eb91d1d6

SHA1
03d14da347c554669916d60e24bee1b540c2822e

SHA256
e10f9d22cdbc39874ce875fd8031c3db26f58daf20ee8ae6a82de9ed2dfc7863

SHA512
e37d3d09eef103bfe043c74921296c0b8195a3e43a3801340a9953f44f512e81acbc2051f0305a3a3f41bb98cd4587bb65c3b3a96d702b048199d24a120b446e

Download Submit
C:\Users\Admin\AppData\Local\Temp\files925.zip

Filesize
9.9MB

MD5
ea79b672e19fb5eecf77291b0a3014fe

SHA1
5e90a7e7e7d53c408352390cef6870ddfdd2acae

SHA256
9c85f8b7740238e3253e1585eb6d5622bd648582a8f50ab9df62df3229b516f9

SHA512
c3588b1b0c37df4adaa4c0cad0dbd46d621499cb7e2958e303b905b6bea7e937254a295ace7a6bb027426f117672c89b94d80e6d4dd51fe599c425da9a1d359e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvAEDE.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvAEDE.tmp\nsExec.dll

Filesize
7KB

MD5
2746f5b49ef1a2d17a1d4a290dc45615

SHA1
26e98eea903b5f34812885ec289e82bcdaeaac07

SHA256
24f6dec8eb5097fef8e6e2acdbf85fcb510f64daee5818572223b3a6a8849ebd

SHA512
2befe9ad0400c160c14ccae66932473930108624e167e53662d55f0c85a44c4e43a8213c2d9554375afc0e0d6a1c47590b8eacb944ca401c217d07bf304c44c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\Setup.INI

Filesize
5KB

MD5
0cc03f97e3ab616b381d0065bec36ec6

SHA1
135e8779fefdf224e5fa53badb92dc7934b6acc0

SHA256
3a621c0c881ed396e2024665b1870db56ac51d08bb2ae657063f27b94ec4a2b7

SHA512
7632806203619686cd748d2e95a4cf2b8bfbdaaaed6a83d4298e9ffa46dd0897914a3d5d294deff33715588508adecfafd86fc7e962e2b9cf09724c2f6c1e2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\_ISMSIDEL.INI

Filesize
612B

MD5
6d7d0b7039ed35dd064c3319121c5d30

SHA1
aaead414c59db3e26fcc35c3e6691a760d4bd383

SHA256
a168e5084baaa1e72cdb891bc851260e83a6c54493bb15d2ae1d246f9ff6e832

SHA512
b57e72c0c644628442448fb2a711c9e789fee684df9b9ffea116369bd775991d0c2fd8991425ed73535ac9e94fc78b1b45d0cc809e5fc6c97ffe37213974fccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\_ISMSIDEL.INI

Filesize
804B

MD5
53f4c36ee01ea8a8be9dd6f6fcc2a84e

SHA1
d98ef3c0466d5055c5e3df8e3dd3a330e03fe7b9

SHA256
f7f2366e62a18b52b384ee382a38f63df3225bbf6ce3d4ba76c26f26e3e8065e

SHA512
063c0751d4c9173e6e822c264b9e3ae6df6407b22cf36237fbcaef66731e5981843ee0e8a705200b1847770a0b8b9fc575ea0ff2caa1e1edf420fff216b90e33

Download Submit
C:\Windows\Installer\MSI4958.tmp

Filesize
105KB

MD5
b7aebfb0e4e94cfa1db8343ae40c482d

SHA1
06b2cbac0dd310123b33a3bea48ca7c432870a93

SHA256
41872842b9ac520ee003e0fa31a4671659d54e1510fcd9c568358425f4630e2b

SHA512
4352e89d9dab0f17bfac8eb3c8e1391cb0577a6167d3f5423213a1e8f0da2255981ecea24e4c5875cc6e9a446ec06dbf6fb32a2261a3322a8c76796483d5a5a8

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
f195280fe7865fedadc4861c03fe65dc

SHA1
0cc71e5d07316fd9548eb82f7e32293782db7c46

SHA256
26b762ed685b6fe0219ebfc010104d259218eff9e7b52dc04b56564fb4976ceb

SHA512
05f078f3f68af043701bfe04f150c4dfe8842961b8339626f8b48492c0994ec73a51492cc14b08604b0e90ca2be599794fbe43faaeffa2fce53ec3dd7f38b9c0

Download Submit
\??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f66e9346-2c1b-4c1d-b3af-339e5fa4e121}_OnDiskSnapshotProp

Filesize
6KB

MD5
0544b3c647a8abf7431a61814a5c51f1

SHA1
decce2a4cd57f68f7b728669f8fe463dd9380465

SHA256
128dc8e9f6780fe705d4d5492af3fbaf91a3e5395232fd1c3d0754ffcf721e26

SHA512
4b31559bc83e0db4b7ec35a0453c63ddec4b07f67b492126b01b98d730319bc9bd1b74368599f3539faa0c95ec7160dcfcef9c78bf52dd11d4059ee5e306382a

Download Submit
memory/3064-118-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3064-120-0x00000000021B0000-0x00000000025B0000-memory.dmp

Filesize
4.0MB

Download
memory/3064-123-0x00000000756F0000-0x0000000075905000-memory.dmp

Filesize
2.1MB

Download
memory/3064-121-0x00007FFD28FF0000-0x00007FFD291E5000-memory.dmp

Filesize
2.0MB

Download
memory/4304-109-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/4304-108-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/4304-30-0x00000000000E0000-0x0000000000A67000-memory.dmp

Filesize
9.5MB

Download
memory/4304-103-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/4304-101-0x00000000000E0000-0x0000000000A67000-memory.dmp

Filesize
9.5MB

Download
memory/4304-102-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/4304-104-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/4304-105-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/4448-114-0x0000000004110000-0x0000000004510000-memory.dmp

Filesize
4.0MB

Download
memory/4448-107-0x0000000001370000-0x00000000013EE000-memory.dmp

Filesize
504KB

Download
memory/4448-111-0x0000000001370000-0x00000000013EE000-memory.dmp

Filesize
504KB

Download
memory/4448-113-0x0000000004110000-0x0000000004510000-memory.dmp

Filesize
4.0MB

Download
memory/4448-115-0x00007FFD28FF0000-0x00007FFD291E5000-memory.dmp

Filesize
2.0MB

Download
memory/4448-117-0x00000000756F0000-0x0000000075905000-memory.dmp

Filesize
2.1MB

Download