rhadamanthys | ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a

Analysis

max time kernel
113s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe
Size

15.1MB
MD5

4247605d401ed13d7584377852052793
SHA1

9456200c2cc28957491a3e9709acbe6fb834a687
SHA256

ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a
SHA512

8a1aa03b57ed8778fa1ae9d449dfd34fc514dd38bdccad39c0095540ff745fbb784b35061c8d9d214054ad5004dbde31430395fc1d9d1c1ac52c19cfb52bf3a2
SSDEEP

393216:Vn8IgucBc26M/Rovs1B7I5RmPAfAmYKYUC0sdeC:58ju8c26MZo26FrYdhYC

Score

10^/10

rhadamanthys discovery stealer upx

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1392 created 2680	1392	s-etup.exe	44

Manipulates Digital Signatures 1 TTPs 4 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F35FD2B58CEAAC0D48B00914094C5D6C3E3E2164\Blob = 030000000100000014000000f35fd2b58ceaac0d48b00914094c5d6c3e3e21642000000001000000de060000308206da30820542a00302010202103e94afbaa7fddde1a3f9cb164bef725a300d06092a864886f70d01010b05003057310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312e302c060355040313255365637469676f205075626c696320436f6465205369676e696e6720434120455620523336301e170d3233303832343030303030305a170d3236303832333233353935395a30819a311a301806035504051311383133203632332037333320303030333331133011060b2b0601040182373c02010313024652311d301b060355040f131450726976617465204f7267616e697a6174696f6e310b30090603550406130246523111300f06035504080c084272657461676e6531133011060355040a0c0a506f7765722d757365723113301106035504030c0a506f7765722d7573657230820222300d06092a864886f70d01010105000382020f003082020a0282020100cae1440dedfea9629f012d3e0f2380016585bece7940f2af8c91297d7c788ffc2d103676f377b856d80d89dfb0de959837cfb2cba3f60f0d4d27ade4b42038551fc3225a4565012cd6b7f7c719bf43cb123990fe0ac2b910e657baa30736696fc0e98f534c1183b7b4acec8d9426bf21f22f703fade6d133db5398c0e12f9046d820fcf2bfdddfb7de3a75b156d0a3f6fed4dcaeb20cdef8c3a27d1445a60901f51adc6ad37242cedcee7bcfb1796631f54dff0024e1105f406e95fd77c51a9fb77b5ce8db11414acaebf0b26193c6f4ca1addae9ef334a603d9f392075dfb8c5f9bb86f9f14440768aae8fe5206cfa1db1546faf192e85af1f60e0954d7661cd58e87a5e3e68e592d0876f64ee27597cc87d5da265c05239b8ed9b1977da7cc1553776acd35e52635e29c92423e5cf32069669c481be5d5ba6d016e7ee132b7a458e14c81e3604c4184c88db4266a40be67f3f62c8fc4a5d521c04cd193d07147bcd67d3b8de77e2586fa1fed555cbd73bf82792612efe2e0a79d2080e9c65749889f6248eae338651f7468d16e23c6ff7a4375cf490a79e845877308eb9d35270246ad3d125f07365cdf31f0bf029d0532e40526657b0f437b9cf5925dd6a23d0c1bcb708bfe2b7ac211f4e7409277e3624eb441bd118eac17d71adede2fcd20909e76f17f8b4002d8dfcb32fa01f4146bcaf43a002bb0796d1d45ff8256f90203010001a38201dc308201d8301f0603551d23041830168014813292412b28cd46c8c4a2c62a3912ec48a93f14301d0603551d0e04160414bf78f22103150a78fa27cb52096ece4e39ba23d6300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b0601050507030330490603551d20044230403035060c2b06010401b23101020106013025302306082b06010505070201161768747470733a2f2f7365637469676f2e636f6d2f4350533007060567810c0103304b0603551d1f044430423040a03ea03c863a687474703a2f2f63726c2e7365637469676f2e636f6d2f5365637469676f5075626c6963436f64655369676e696e67434145565233362e63726c307b06082b06010505070101046f306d304606082b06010505073002863a687474703a2f2f6372742e7365637469676f2e636f6d2f5365637469676f5075626c6963436f64655369676e696e67434145565233362e637274302306082b060105050730018617687474703a2f2f6f6373702e7365637469676f2e636f6d304e0603551d1104473045a02406082b06010505070803a01830160c1446522d3831332036323320373333203030303333811d6f6c697669657240706f77657275736572736f6674776172652e636f6d300d06092a864886f70d01010b0500038201810004942aaf9b3ebb785e8cf63d72b07114a2b2f530c66708ffc0e74b59c22921dac58e24084b2ecd9a933b46e914425f9063f1c60814e4fafeeb6d5cbeb2bbc417c3a638c5c193c2cb286aafc10ef6532c1e364b17c65b44e21aa1f2d42e32e64350721e2c3b9adfe73f8f1a7c0ffd17c38e9c5060f36111d6ace67a6c24d6327e3deca05d8a50e64d9068842860e19731d2973fc26fed6f06cdc12afdc5f23d11d5fbd72a3ddb83e20bfeaafa373bde823db17a2c9f79dc5bb7f6991aeea8f3d97a85e84a83ea8f1f7dc66819f5312268bf0f9748f6e789ba0ce4d133d35e14879f23e6c02bf6a4003d6879d219a2d34074dd953bb824c685ce834e475b74a8dfa03f1f563892b8e31a410c8f045fbeef884d8a8f4f04413dc2408c3702496dc4f4ba1415e09022da7a7544ffe96324cab03356ba9740552f8a4b0d94621d8d672b215b90b293c7b3f14525e1ce6c6aa2b6d801474204e683f72488d27ec43a5e54f74a7ea6ba6f9aaf83f94fb4ad45eecfc52ba7331ec7ee5aa7800414085427	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Executes dropped EXE 5 IoCs

pid	Process
2952	7z.exe
4872	s-etup.exe
2996	Power-user.exe
4944	Power-user.exe
1392	s-etup.exe

Loads dropped DLL 6 IoCs

pid	Process
3700	ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe
3700	ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe
2952	7z.exe
4872	s-etup.exe
2536	MsiExec.exe
4028	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\T:	msiexec.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c92-28.dat	upx
behavioral2/memory/4872-30-0x0000000000B70000-0x00000000014F7000-memory.dmp	upx
behavioral2/memory/4872-101-0x0000000000B70000-0x00000000014F7000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Power-user Premium\Power-user.exe	ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe
File opened for modification	C:\Program Files (x86)\Power-user Premium\Power-user.exe	ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e582102.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e582100.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5DB13158-EC76-489E-B122-1AE35DB2CA74}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI22E6.tmp	msiexec.exe
File created	C:\Windows\Installer\e582100.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2239.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4168	1392	WerFault.exe	104
4500	1392	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s-etup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Power-user.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s-etup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Power-user.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009fc5eef0dbaffe7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009fc5eef00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009fc5eef0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9fc5eef0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009fc5eef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1392	s-etup.exe
1392	s-etup.exe
724	openwith.exe
724	openwith.exe
724	openwith.exe
724	openwith.exe
4960	msiexec.exe
4960	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2952	7z.exe
Token: 35	2952	7z.exe
Token: SeSecurityPrivilege	2952	7z.exe
Token: SeSecurityPrivilege	2952	7z.exe
Token: SeShutdownPrivilege	3540	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3540	MSIEXEC.EXE
Token: SeSecurityPrivilege	4960	msiexec.exe
Token: SeCreateTokenPrivilege	3540	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3540	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3540	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3540	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3540	MSIEXEC.EXE
Token: SeTcbPrivilege	3540	MSIEXEC.EXE
Token: SeSecurityPrivilege	3540	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3540	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3540	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3540	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3540	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3540	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3540	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3540	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3540	MSIEXEC.EXE
Token: SeBackupPrivilege	3540	MSIEXEC.EXE
Token: SeRestorePrivilege	3540	MSIEXEC.EXE
Token: SeShutdownPrivilege	3540	MSIEXEC.EXE
Token: SeDebugPrivilege	3540	MSIEXEC.EXE
Token: SeAuditPrivilege	3540	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3540	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3540	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3540	MSIEXEC.EXE
Token: SeUndockPrivilege	3540	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3540	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3540	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3540	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3540	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3540	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	3540	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3540	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3540	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3540	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3540	MSIEXEC.EXE
Token: SeTcbPrivilege	3540	MSIEXEC.EXE
Token: SeSecurityPrivilege	3540	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3540	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3540	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3540	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3540	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3540	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3540	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3540	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3540	MSIEXEC.EXE
Token: SeBackupPrivilege	3540	MSIEXEC.EXE
Token: SeRestorePrivilege	3540	MSIEXEC.EXE
Token: SeShutdownPrivilege	3540	MSIEXEC.EXE
Token: SeDebugPrivilege	3540	MSIEXEC.EXE
Token: SeAuditPrivilege	3540	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3540	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3540	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3540	MSIEXEC.EXE
Token: SeUndockPrivilege	3540	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3540	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3540	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3540	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3540	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3540	MSIEXEC.EXE
3540	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 2952	3700	ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe	89
PID 3700 wrote to memory of 2952	3700	ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe	89
PID 3700 wrote to memory of 4872	3700	ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe	93
PID 3700 wrote to memory of 4872	3700	ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe	93
PID 3700 wrote to memory of 4872	3700	ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe	93
PID 3700 wrote to memory of 2996	3700	ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe	95
PID 3700 wrote to memory of 2996	3700	ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe	95
PID 3700 wrote to memory of 2996	3700	ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe	95
PID 2996 wrote to memory of 4944	2996	Power-user.exe	96
PID 2996 wrote to memory of 4944	2996	Power-user.exe	96
PID 2996 wrote to memory of 4944	2996	Power-user.exe	96
PID 4944 wrote to memory of 3540	4944	Power-user.exe	99
PID 4944 wrote to memory of 3540	4944	Power-user.exe	99
PID 4944 wrote to memory of 3540	4944	Power-user.exe	99
PID 4960 wrote to memory of 2536	4960	msiexec.exe	102
PID 4960 wrote to memory of 2536	4960	msiexec.exe	102
PID 4960 wrote to memory of 2536	4960	msiexec.exe	102
PID 4872 wrote to memory of 1392	4872	s-etup.exe	104
PID 4872 wrote to memory of 1392	4872	s-etup.exe	104
PID 4872 wrote to memory of 1392	4872	s-etup.exe	104
PID 4872 wrote to memory of 1392	4872	s-etup.exe	104
PID 4872 wrote to memory of 1392	4872	s-etup.exe	104
PID 1392 wrote to memory of 724	1392	s-etup.exe	105
PID 1392 wrote to memory of 724	1392	s-etup.exe	105
PID 1392 wrote to memory of 724	1392	s-etup.exe	105
PID 1392 wrote to memory of 724	1392	s-etup.exe	105
PID 1392 wrote to memory of 724	1392	s-etup.exe	105
PID 4960 wrote to memory of 3184	4960	msiexec.exe	116
PID 4960 wrote to memory of 3184	4960	msiexec.exe	116
PID 4960 wrote to memory of 4028	4960	msiexec.exe	118
PID 4960 wrote to memory of 4028	4960	msiexec.exe	118
PID 4960 wrote to memory of 4028	4960	msiexec.exe	118
PID 2536 wrote to memory of 1664	2536	MsiExec.exe	119
PID 2536 wrote to memory of 1664	2536	MsiExec.exe	119
PID 2536 wrote to memory of 1664	2536	MsiExec.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2680
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:724

C:\Users\Admin\AppData\Local\Temp\ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe
"C:\Users\Admin\AppData\Local\Temp\ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Users\Admin\AppData\Local\Temp\7z.exe
  "C:\Users\Admin\AppData\Local\Temp\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\files925.zip" -o"C:\Users\Admin\AppData\Local\Temp\extracted" -y
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
  C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
    "C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 432
      4⤵
      Program crash
      PID:4168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 196
      4⤵
      Program crash
      PID:4500
- C:\Program Files (x86)\Power-user Premium\Power-user.exe
  "C:\Program Files (x86)\Power-user Premium\Power-user.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\Power-user.exe
    C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\Power-user.exe /q"C:\Program Files (x86)\Power-user Premium\Power-user.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}" /IS_temp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\SysWOW64\MSIEXEC.EXE
      "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{185BCD0E-D99A-4C1A-A8D4-2081A969948F}\Power-user.msi" SETUPEXEDIR="C:\Program Files (x86)\Power-user Premium" SETUPEXENAME="Power-user.exe"
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:3540

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C95FDFDF6CEABFBA91F458FB272AB87E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\certutil.exe
    "C:\Windows\System32\certutil.exe" -addstore -user TrustedPublisher "C:\Users\Admin\AppData\Local\Power-user\power_user.cer"
    3⤵
    - Manipulates Digital Signatures
    - System Location Discovery: System Language Discovery
    PID:1664
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3184
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A9240E591F55C9BDC0C5BAF686D8C5EB
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1392 -ip 1392
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1392 -ip 1392
1⤵
PID:4016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e582101.rbs

Filesize
52KB

MD5
236f17f481326f5b73d42615a374af01

SHA1
e32eac7eb841339de8fd0eef370f79f783ff660d

SHA256
add339bca6541ad8711b6a9464cd392f17335609d74b4be98de1d88a50190ca5

SHA512
2d317ae1dd938fd763840c34bf728f7abd8e5287e7e3610e1647cd3cc834e4dfbdc30e18dec7035f91a7cb7af8c6d723a226a64784f1afb562795af5dd8d84ba

Download Submit
C:\Program Files (x86)\Power-user Premium\Power-user.exe

Filesize
14.6MB

MD5
c95da98a5c79298bdde4c4a6f41405c5

SHA1
73492ba3c4c3f006b6578a54749cd4d41df24cc8

SHA256
85d354cca17e45ede494c3d67cf83a74413290063ef3b6d1d41417fcc4565cb8

SHA512
fc09153cc637cc60336c49b91ab094887abcb390242ce79581c53fcba62e04699c049164c32f2c6c7da2e4d655e7b44b3f8e1149bd223f9d2c8475aeb1f767ee

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{185BCD0E-D99A-4C1A-A8D4-2081A969948F}\Power-user.msi

Filesize
14.6MB

MD5
2f2e55b11f9543755eab88de9bb1b28d

SHA1
8c53204d31b6ea02a9de45ad3be0362bc3c77b7e

SHA256
42af06ffe3ee4176225fce585074201fbdeb20f8e095ff61a4bef1566c3d0ae9

SHA512
cad45e7b6108bd55754c4a103145ef6ba5cf86dde268f4c3a7ba60886e7f5743da98472613c61a76a8f4e782ad3afe259589917f30a547142c37d6f73ee3b5ef

Download Submit
C:\Users\Admin\AppData\Local\Power-user\power_user.cer

Filesize
2KB

MD5
d857b21dd3e5f5557486ea92ac5cbf7c

SHA1
a413305b2d36c51687a4ad66fb72c91fe7c2bb98

SHA256
59bd1f089730b07d8683df99ca812eb15f8188cc6d82c0eef6f6480fea7d8368

SHA512
3b96ad68e39494f345b363bc8ea32d0c2857421d5e577dfb78d3ac2ca046eb29f168c14a5d2af9894dc1f6214add118ad1e8ba26f8991115676c89469424308b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
549KB

MD5
0b24892597dcb0257cdb78b5ed165218

SHA1
5fe5d446406ff1e34d2fe3ee347769941636e323

SHA256
707f415d7d581edd9bce99a0429ad4629d3be0316c329e8b9ebd576f7ab50b71

SHA512
24ea9e0f10a283e67850070976c81ae4b2d4d9bb92c6eb41b2557ad3ae02990287531a619cf57cd257011c6770d4c25dd19c3c0e46447eb4d0984d50d869e56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB46B.tmp

Filesize
153KB

MD5
1780f8e73ba9c7c976938655ca67ede1

SHA1
52ea389894f1444e58bba86984c5697a592a6365

SHA256
11bb6cd0d701907188dae252c419beca95c1f5ae15b1b4d36e265eec94c69b28

SHA512
d9dfe7b919c22f8e3882459a722162a0c021b3991eaf304cd56be80e2da56880dfaae589d051aaa4ce559859729be0a333cac2bd1178164ff0c0e1da97000cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe

Filesize
2.7MB

MD5
a0fab21c52fb92a79bc492d2eb91d1d6

SHA1
03d14da347c554669916d60e24bee1b540c2822e

SHA256
e10f9d22cdbc39874ce875fd8031c3db26f58daf20ee8ae6a82de9ed2dfc7863

SHA512
e37d3d09eef103bfe043c74921296c0b8195a3e43a3801340a9953f44f512e81acbc2051f0305a3a3f41bb98cd4587bb65c3b3a96d702b048199d24a120b446e

Download Submit
C:\Users\Admin\AppData\Local\Temp\files925.zip

Filesize
9.9MB

MD5
ea79b672e19fb5eecf77291b0a3014fe

SHA1
5e90a7e7e7d53c408352390cef6870ddfdd2acae

SHA256
9c85f8b7740238e3253e1585eb6d5622bd648582a8f50ab9df62df3229b516f9

SHA512
c3588b1b0c37df4adaa4c0cad0dbd46d621499cb7e2958e303b905b6bea7e937254a295ace7a6bb027426f117672c89b94d80e6d4dd51fe599c425da9a1d359e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7FEF.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7FEF.tmp\nsExec.dll

Filesize
7KB

MD5
2746f5b49ef1a2d17a1d4a290dc45615

SHA1
26e98eea903b5f34812885ec289e82bcdaeaac07

SHA256
24f6dec8eb5097fef8e6e2acdbf85fcb510f64daee5818572223b3a6a8849ebd

SHA512
2befe9ad0400c160c14ccae66932473930108624e167e53662d55f0c85a44c4e43a8213c2d9554375afc0e0d6a1c47590b8eacb944ca401c217d07bf304c44c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\Setup.INI

Filesize
5KB

MD5
0cc03f97e3ab616b381d0065bec36ec6

SHA1
135e8779fefdf224e5fa53badb92dc7934b6acc0

SHA256
3a621c0c881ed396e2024665b1870db56ac51d08bb2ae657063f27b94ec4a2b7

SHA512
7632806203619686cd748d2e95a4cf2b8bfbdaaaed6a83d4298e9ffa46dd0897914a3d5d294deff33715588508adecfafd86fc7e962e2b9cf09724c2f6c1e2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\_ISMSIDEL.INI

Filesize
612B

MD5
7361deebe35b386e324f42f1cc05e272

SHA1
d3cb2ed1376a2c63cbb002270a69d8e7aae432f5

SHA256
444421bd1fac2ff6fc92e6adc12efefc4a42bb11bad2e48273cbc946e549d64a

SHA512
dd45ea40b5923cc98042c2fa9aa49dc34f33c0893062842f2d6cd10072f7456d4d0eb8f9d9fdde7c9996e1013e6b1013c892ea2e81661dc882881f299615047d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\_ISMSIDEL.INI

Filesize
804B

MD5
4d550dbe57355d43809f55ddd6544906

SHA1
32c8257947ad1d8f8669cd672c88015b613578d2

SHA256
024b3bcb11087e69d0b2126fa4c137708912de0d3cdb078298f6eb90277816ea

SHA512
ec2e925ecbf72b0409eba4a8abe6d2771b97675192df0a9699b624c697684f8e1f1f96bf60cb6e59d4eb76cb23239ac32912b8ea80eb34a4fed75290a16c7229

Download Submit
C:\Windows\Installer\MSI2239.tmp

Filesize
105KB

MD5
b7aebfb0e4e94cfa1db8343ae40c482d

SHA1
06b2cbac0dd310123b33a3bea48ca7c432870a93

SHA256
41872842b9ac520ee003e0fa31a4671659d54e1510fcd9c568358425f4630e2b

SHA512
4352e89d9dab0f17bfac8eb3c8e1391cb0577a6167d3f5423213a1e8f0da2255981ecea24e4c5875cc6e9a446ec06dbf6fb32a2261a3322a8c76796483d5a5a8

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
5dbf4db6455a34df103e2dfd49b2e833

SHA1
506ea79df9cbbb51be2098ee1fa821b632b52087

SHA256
b041d6132f5bbcb79f4ceea6d684603c208a3dd302131370c6c6a5ac8e21919f

SHA512
2977d89d5fccc14ff7e9f7f052e9cf7f650f154b88c348c3e6dee7ae8bd94cb94813dba363a6e2c3d3b3df981955ccb2806f6350697ddacbc0b21a3fb5502dc5

Download Submit
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ef56b60a-a1be-400e-88c5-eb9203546a01}_OnDiskSnapshotProp

Filesize
6KB

MD5
2ffb9ad2c28004d846ca8156fb667333

SHA1
a6a2d23c7c7f996841dd872be9ec774405f91a82

SHA256
e5ae6ea7302e74467b7e15d0660b230f18e381e632aa6559f1aeae47e734082f

SHA512
9a267ccb96d190bb8137dfa0a2bd583ad564168b56abff17e946dce5387dbdcd0313aeb7bd0aed19371bc2cb5462e8fa42bfe96ec877de89d19fc59cc68ee01e

Download Submit
memory/724-118-0x0000000000A90000-0x0000000000A99000-memory.dmp

Filesize
36KB

Download
memory/724-121-0x00007FF81C330000-0x00007FF81C525000-memory.dmp

Filesize
2.0MB

Download
memory/724-120-0x00000000027E0000-0x0000000002BE0000-memory.dmp

Filesize
4.0MB

Download
memory/724-123-0x0000000075680000-0x0000000075895000-memory.dmp

Filesize
2.1MB

Download
memory/1392-115-0x00007FF81C330000-0x00007FF81C525000-memory.dmp

Filesize
2.0MB

Download
memory/1392-112-0x0000000001800000-0x000000000187E000-memory.dmp

Filesize
504KB

Download
memory/1392-117-0x0000000075680000-0x0000000075895000-memory.dmp

Filesize
2.1MB

Download
memory/1392-107-0x0000000001800000-0x000000000187E000-memory.dmp

Filesize
504KB

Download
memory/1392-114-0x0000000004640000-0x0000000004A40000-memory.dmp

Filesize
4.0MB

Download
memory/1392-113-0x0000000004640000-0x0000000004A40000-memory.dmp

Filesize
4.0MB

Download
memory/4872-108-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/4872-103-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/4872-109-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/4872-105-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/4872-104-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/4872-102-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/4872-101-0x0000000000B70000-0x00000000014F7000-memory.dmp

Filesize
9.5MB

Download
memory/4872-30-0x0000000000B70000-0x00000000014F7000-memory.dmp

Filesize
9.5MB

Download