Analysis

max time kernel: 139s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-10-2024 23:46

Behavioral task: behavioral1
Sample: LXN.exe
Resource: win10v2004-20241007-en
General

Target: LXN.exe
Size: 423KB
MD5: b4f902709f1ac4b9bdd0be05c9d3cc4c
SHA1: 2a6d8f3f52826c9d532497958b0047b89d444f35
SHA256: 3b4a1126725e6029e56fae177fdf0869594528b7c48d7cde366fcefb946672e3
SHA512: 61d8f750b94702d199500176edf1e45e0dbcbe87e486e6dd7c8c408e0cd80ad2cd5d6579524b52f2080c320532ec7113e90691d6294dcfc23c4aa64dccfb0172
SSDEEP: 6144:YAYM3ZEWqf/qwPF7LR5W8ZJ74zmRiOFBbMh9q/JSW3ChNeK06iiRzmi0F9:YWBqf/qq3R5W8ZB4zmRzbaBsViRUF9
Malware Config

Extracted
Family: rhadamanthys
C2: https://185.196.11.237:9697/f002171ab05c7/hip4946p.881o6
Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 2504 created 2556 | 2504 | LXN.exe | 42

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LXN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | openwith.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2504 | LXN.exe
2504 | LXN.exe
3556 | openwith.exe
3556 | openwith.exe
3556 | openwith.exe
3556 | openwith.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 2504 wrote to memory of 3556 | 2504 | LXN.exe | 89
(the same row is recorded five times, i.e. five separate write events from LXN.exe into PID 3556)
Processes

C:\Windows\system32\sihost.exe (depth 1, PID 2556)
  command line: sihost.exe
  - C:\Windows\SysWOW64\openwith.exe (depth 2, PID 3556)
    command line: "C:\Windows\system32\openwith.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\LXN.exe (depth 1, PID 2504)
  command line: "C:\Users\Admin\AppData\Local\Temp\LXN.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
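The three process-level signatures in this report only make sense together: the tree places openwith.exe (3556) under sihost.exe (2556), yet every WriteProcessMemory row has LXN.exe (2504) as the writer, and both LXN.exe and openwith.exe read NLS\Language. The script below is an added example (not part of the Triage report, and not code from the sample) that joins those signals into one injection chain. Its EVENTS list is constructed from the PIDs, image paths and registry key shown above in a Sysmon-like shape; the field names, in particular creator_pid and target_pid, are my assumption rather than a real log schema.

```python
# Added example (not from the Triage report or the sample): correlate the
# report's process-level IoCs into one injection chain.  EVENTS is constructed
# from the PIDs, images and registry key in the report; the field names
# ("creator_pid", "target_pid", ...) are an assumed schema, not a real log format.
from collections import Counter
from typing import Dict, List

NLS_LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

EVENTS: List[dict] = [
    # Top-level processes as shown in the tree (no parent recorded).
    {"type": "process_create", "pid": 2556, "image": r"C:\Windows\system32\sihost.exe",
     "parent_pid": None, "creator_pid": None},
    {"type": "process_create", "pid": 2504, "image": r"C:\Users\Admin\AppData\Local\Temp\LXN.exe",
     "parent_pid": None, "creator_pid": None},
    # openwith.exe: the tree records sihost.exe as parent, but LXN.exe issued the
    # NtCreateUserProcess call.  Kernel process-notify callbacks expose the creating
    # thread's process (PS_CREATE_NOTIFY_INFO.CreatingThreadId); Sysmon Event ID 1
    # only records the (spoofable) ParentProcessId, so it cannot fill creator_pid.
    {"type": "process_create", "pid": 3556, "image": r"C:\Windows\SysWOW64\openwith.exe",
     "parent_pid": 2556, "creator_pid": 2504},
    {"type": "registry_open", "pid": 2504, "key": NLS_LANGUAGE_KEY},
    # Five identical WriteProcessMemory rows in the report.
    *[{"type": "write_process_memory", "pid": 2504, "target_pid": 3556} for _ in range(5)],
    {"type": "registry_open", "pid": 3556, "key": NLS_LANGUAGE_KEY},
]


def processes(events: List[dict]) -> Dict[int, dict]:
    """Index process_create events by PID."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def spoofed_parents(events: List[dict]) -> Dict[int, dict]:
    """Children whose recorded parent differs from the process that created them.

    Returns {child_pid: {"parent_pid": recorded parent, "creator_pid": real creator}}.
    """
    out: Dict[int, dict] = {}
    for p in processes(events).values():
        creator, parent = p.get("creator_pid"), p.get("parent_pid")
        if creator is not None and parent is not None and creator != parent:
            out[p["pid"]] = {"parent_pid": parent, "creator_pid": creator}
    return out


def cross_process_writes(events: List[dict]) -> Counter:
    """Count WriteProcessMemory calls per (writer_pid, target_pid), ignoring self-writes."""
    return Counter(
        (e["pid"], e["target_pid"])
        for e in events
        if e["type"] == "write_process_memory" and e["pid"] != e["target_pid"]
    )


def locale_discovery(events: List[dict]) -> List[int]:
    """PIDs that opened the NLS\\Language key, in first-seen order."""
    seen: List[int] = []
    for e in events:
        if (e["type"] == "registry_open"
                and e["key"].lower() == NLS_LANGUAGE_KEY.lower()
                and e["pid"] not in seen):
            seen.append(e["pid"])
    return seen


def injection_chains(events: List[dict]) -> List[dict]:
    """Join the signals: a process that spawned a child under a spoofed parent and
    then wrote into that child is the injector; the child is the hollowed host."""
    procs = processes(events)
    spoofed = spoofed_parents(events)
    checked = locale_discovery(events)
    chains: List[dict] = []
    for (writer, target), count in sorted(cross_process_writes(events).items()):
        entry = spoofed.get(target)
        if entry is None or entry["creator_pid"] != writer:
            continue  # cross-process writes without a spoofed spawn are a weaker signal
        chains.append({
            "writer_pid": writer, "writer_image": procs[writer]["image"],
            "target_pid": target, "target_image": procs[target]["image"],
            "spoofed_parent_pid": entry["parent_pid"],
            "spoofed_parent_image": procs[entry["parent_pid"]]["image"],
            "write_count": count,
            "locale_checked_by": [pid for pid in checked if pid in (writer, target)],
        })
    return chains


if __name__ == "__main__":
    for c in injection_chains(EVENTS):
        print(f"{c['writer_image']} ({c['writer_pid']}) spawned {c['target_image']} "
              f"({c['target_pid']}) under {c['spoofed_parent_image']} "
              f"({c['spoofed_parent_pid']}), wrote to it {c['write_count']} times; "
              f"NLS\\Language read by {c['locale_checked_by']}")
```

On EDR telemetry that records only the parent PID (Sysmon Event ID 1), spoofed_parents() has nothing to work with; there the detection has to rest on the cross-process write count plus the mismatch between the recorded parent (sihost.exe) and the process that actually opened a handle to the child with write access (Sysmon Event ID 10).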