Overview

overview

10

Static

static

1

406a4764d2...a0.msi

windows7-x64

10

406a4764d2...a0.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    19-10-2024 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi

  • Size

    2.5MB

  • MD5

    e0808992ec58411df693995c7edae88c

  • SHA1

    00e02a807c815debbdfec793f785aaa4b7d1609e

  • SHA256

    406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0

  • SHA512

    bf2a3eb0fbba84cfab2e04250a888a0bfbdac53d632ca77bbad23908eb93ec8a97bf14c41773276e47f7c202930153e29ce2fbd6f4600dd27da39ef6b2511ed2

  • SSDEEP

    49152:ZiSoOl+YyNuCClJkqr6zeM4I/157fW8KvK18hZ6/MJ5:Zt7+YJCCvkP4Id59KvKiZCMf

Score
10/10
rhadamanthysdiscoverypersistenceprivilege_escalationstealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://193.201.9.187:2049/702b68a7ca7f5b9/kep2tv4g.ckevt

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 14 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2200
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
      "C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
        C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1808
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3032
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2584
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000404" "00000000000003E0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f773af0.rbs
    Filesize

    8KB

    MD5

    d0fdaa33c3ddd010713b7e764ce95606

    SHA1

    e858c00548dcdbdb5c58c33a7b6ba2679938ebf1

    SHA256

    f4dd3532b87d20bc1b30b5dd499eb278efde36dc79ab1b1161fe961ee6e64b80

    SHA512

    6b11f23bc4139aefa9e5a346a4b25416167f73c713f6f423c31600c9cb676fb24aa005d398442f15ed08e643abbcf714d858abea6c9b18238029bb4a18c801fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Eponychium\CrashRpt.dll
    Filesize

    121KB

    MD5

    b2d1f5e4a1f0e8d85f0a8aeb7b8148c7

    SHA1

    871078213fcc0ce143f518bd69caa3156b385415

    SHA256

    c28e0aec124902e948c554436c0ebbebba9fc91c906ce2cd887fada0c64e3386

    SHA512

    1f6d97e02cd684cf4f4554b0e819196bd2811e19b964a680332268bcbb6dee0e17b2b35b6e66f0fe5622dffb0a734f39f8e49637a38e4fe7f10d3b5182b30260

    Download Submit

  • C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
    Filesize

    1.7MB

    MD5

    ba699791249c311883baa8ce3432703b

    SHA1

    f8734601f9397cb5ebb8872af03f5b0639c2eac6

    SHA256

    7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282

    SHA512

    6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325

    Download Submit

  • C:\Users\Admin\AppData\Local\Eponychium\cv099.dll
    Filesize

    664KB

    MD5

    2a8b33fee2f84490d52a3a7c75254971

    SHA1

    16ce2b1632a17949b92ce32a6211296fee431dca

    SHA256

    faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2

    SHA512

    8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Eponychium\cxcore099.dll
    Filesize

    908KB

    MD5

    286284d4ae1c67d0d5666b1417dcd575

    SHA1

    8b8a32577051823b003c78c86054874491e9ecfa

    SHA256

    37d9a8057d58b043ad037e9905797c215cd0832d48a29731c1687b23447ce298

    SHA512

    2efc47a8e104baa13e19bee3b3b3364da09cea80601bc87492de348f1c8d61008002540ba8f0df99b2d20e333d09ea8e097a87c97e91910d7d592d11a953917a

    Download Submit

  • C:\Users\Admin\AppData\Local\Eponychium\cximagecrt.dll
    Filesize

    487KB

    MD5

    c36f6e088c6457a43adb7edcd17803f3

    SHA1

    b25b9fb4c10b8421c8762c7e7b3747113d5702de

    SHA256

    8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72

    SHA512

    87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Eponychium\gxfiogr
    Filesize

    51KB

    MD5

    b590c33dd2a4c8ddedda46028181a405

    SHA1

    b0949a3396d84b8e4dca5d5026eb3b6c0679f7e3

    SHA256

    862aadcb096647394a5f6f5e646bf57b52567180505b6026e59539f6ded1eaa8

    SHA512

    e72b33ca405b551532a855a74f99aab1850756cbaefb9421d6e480e719b6ceead1d728dbc786d76d91532f0bbdcc241039dac35479bf90f7d2d665c6ab9f8da7

    Download Submit

  • C:\Users\Admin\AppData\Local\Eponychium\highgui099.dll
    Filesize

    388KB

    MD5

    a354c42fcb37a50ecad8dde250f6119e

    SHA1

    0eb4ad5e90d28a4a8553d82cec53072279af1961

    SHA256

    89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2

    SHA512

    981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059

    Download Submit

  • C:\Users\Admin\AppData\Local\Eponychium\rsjddfw
    Filesize

    896KB

    MD5

    666447d9f86fa84149f374c0f1eb2f90

    SHA1

    9eb18eb892756e48428767d11435750ca458c9fb

    SHA256

    a25f6e74e4742ec3837ba08b63b89b05e66cd8b00e2c209b2adc9242cd8e7011

    SHA512

    dd78afe71ad80ac8788f8aed81d3538c904da76fa62f9fecb6c54bee545e6e7816ff30dd6e2fcc1999508a62c327afcbf8cf586830104abe5fb6b18ac1a87fff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2357abf6
    Filesize

    1.1MB

    MD5

    77e37b5a3b9d46b6d059b0292a64e0ab

    SHA1

    38314685820ce9278c7ac94b0016147bd8b6ae58

    SHA256

    d734228d26eabc716028359599c4b3588874523a6e0330d85a68d0d6b02123ec

    SHA512

    cede3c41664c4d7f0bf9f0ad6904dce442370d9c4362aaa1e36ecfc3e4e600a8b6ee6f8568f54cbe397133d2d9253515083e9a590302a39c87d66c40d40138d5

    Download Submit

  • C:\Windows\Installer\f773aee.msi
    Filesize

    2.5MB

    MD5

    e0808992ec58411df693995c7edae88c

    SHA1

    00e02a807c815debbdfec793f785aaa4b7d1609e

    SHA256

    406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0

    SHA512

    bf2a3eb0fbba84cfab2e04250a888a0bfbdac53d632ca77bbad23908eb93ec8a97bf14c41773276e47f7c202930153e29ce2fbd6f4600dd27da39ef6b2511ed2

    Download Submit

  • \Users\Admin\AppData\Local\Eponychium\dbghelp.dll
    Filesize

    478KB

    MD5

    aa1594596fa19609555e317d9b64be6a

    SHA1

    924b08d85b537be52142965c3ad33c01b457ea83

    SHA256

    5139413ea54dee9ec4f13b193d88ccae9adb8f0d8c1e2ba1aee460d8a0d5bb79

    SHA512

    759209846039d1efb2f6ddf3501f1f868989e81752bb7d617afd9fd4238c52162167b1a1732ec81bdfce469856c78439cc7c8d173b1f48de499dfee725b192dc

    Download Submit

  • memory/1808-98-0x00000000777A0000-0x0000000077949000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1808-99-0x00000000749C0000-0x0000000074B34000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1880-54-0x0000000074A50000-0x0000000074BC4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1880-46-0x0000000000360000-0x00000000003C2000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1880-38-0x0000000000130000-0x000000000021C000-memory.dmp

    Filesize

    944KB

    Download

  • memory/1880-42-0x00000000002A0000-0x000000000034D000-memory.dmp

    Filesize

    692KB

    Download

  • memory/1880-55-0x00000000777A0000-0x0000000077949000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2776-85-0x00000000001D0000-0x0000000000232000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2776-94-0x00000000777A0000-0x0000000077949000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2776-95-0x00000000749C0000-0x0000000074B34000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2776-93-0x00000000749C0000-0x0000000074B34000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2776-81-0x0000000000BB0000-0x0000000000C5D000-memory.dmp

    Filesize

    692KB

    Download

  • memory/2776-77-0x0000000000AC0000-0x0000000000BAC000-memory.dmp

    Filesize

    944KB

    Download

  • memory/3032-101-0x0000000000080000-0x0000000000100000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3032-108-0x00000000777A0000-0x0000000077949000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3032-109-0x0000000000080000-0x0000000000100000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3032-111-0x0000000000080000-0x0000000000100000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3032-112-0x0000000000080000-0x0000000000100000-memory.dmp

    Filesize

    512KB

    Download