rhadamanthys | 17ef63395dd24979aeaf6bae39cc015ab6f2c4f1a636b2f7d376428a0d072ef8

Resubmissions

22-10-2024 20:31

241022-za7m8avdpm 10

22-10-2024 20:06

241022-yvkhra1gpc 7

Analysis

max time kernel
205s
max time network
215s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
22-10-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gatherum Installer.exe
Size

49.7MB
MD5

e3037737b8f93aba2883cf659ec8d03e
SHA1

d29ab97312396bb9c1e7edd803b46954500e5bd8
SHA256

17ef63395dd24979aeaf6bae39cc015ab6f2c4f1a636b2f7d376428a0d072ef8
SHA512

6a4be06dec84ee12510630bdb340d0d8f79b2897ba0f7fcf2782ee1c881fcd81468a37e24cb2a58ee9629b6b641c2f6a2eed384659226f58bb9136eb8bf6cda6
SSDEEP

1572864:L9QC1e8qh+C1eU2qHMbgjTE/VYfC+Z3Y/:L1e8qhvx6g9Cs3Y/

Score

10^/10

rhadamanthys discovery execution stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5984 created 2760	5984	YmVhMjk2M2.exe	48

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5228	powershell.exe
1108	powershell.exe
3648	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2104	GatherumApp.exe
5984	YmVhMjk2M2.exe

Loads dropped DLL 3 IoCs

pid	Process
2104	GatherumApp.exe
2104	GatherumApp.exe
2104	GatherumApp.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4440	5984	WerFault.exe	79
4312	5984	WerFault.exe	79

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gatherum Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YmVhMjk2M2.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
5228	powershell.exe
5228	powershell.exe
5228	powershell.exe
1108	powershell.exe
1108	powershell.exe
1108	powershell.exe
3648	powershell.exe
3648	powershell.exe
3648	powershell.exe
5984	YmVhMjk2M2.exe
5984	YmVhMjk2M2.exe
3132	openwith.exe
3132	openwith.exe
3132	openwith.exe
3132	openwith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	GatherumApp.exe
Token: SeDebugPrivilege	5228	powershell.exe
Token: SeIncreaseQuotaPrivilege	5228	powershell.exe
Token: SeSecurityPrivilege	5228	powershell.exe
Token: SeTakeOwnershipPrivilege	5228	powershell.exe
Token: SeLoadDriverPrivilege	5228	powershell.exe
Token: SeSystemProfilePrivilege	5228	powershell.exe
Token: SeSystemtimePrivilege	5228	powershell.exe
Token: SeProfSingleProcessPrivilege	5228	powershell.exe
Token: SeIncBasePriorityPrivilege	5228	powershell.exe
Token: SeCreatePagefilePrivilege	5228	powershell.exe
Token: SeBackupPrivilege	5228	powershell.exe
Token: SeRestorePrivilege	5228	powershell.exe
Token: SeShutdownPrivilege	5228	powershell.exe
Token: SeDebugPrivilege	5228	powershell.exe
Token: SeSystemEnvironmentPrivilege	5228	powershell.exe
Token: SeRemoteShutdownPrivilege	5228	powershell.exe
Token: SeUndockPrivilege	5228	powershell.exe
Token: SeManageVolumePrivilege	5228	powershell.exe
Token: 33	5228	powershell.exe
Token: 34	5228	powershell.exe
Token: 35	5228	powershell.exe
Token: 36	5228	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeIncreaseQuotaPrivilege	1108	powershell.exe
Token: SeSecurityPrivilege	1108	powershell.exe
Token: SeTakeOwnershipPrivilege	1108	powershell.exe
Token: SeLoadDriverPrivilege	1108	powershell.exe
Token: SeSystemProfilePrivilege	1108	powershell.exe
Token: SeSystemtimePrivilege	1108	powershell.exe
Token: SeProfSingleProcessPrivilege	1108	powershell.exe
Token: SeIncBasePriorityPrivilege	1108	powershell.exe
Token: SeCreatePagefilePrivilege	1108	powershell.exe
Token: SeBackupPrivilege	1108	powershell.exe
Token: SeRestorePrivilege	1108	powershell.exe
Token: SeShutdownPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeSystemEnvironmentPrivilege	1108	powershell.exe
Token: SeRemoteShutdownPrivilege	1108	powershell.exe
Token: SeUndockPrivilege	1108	powershell.exe
Token: SeManageVolumePrivilege	1108	powershell.exe
Token: 33	1108	powershell.exe
Token: 34	1108	powershell.exe
Token: 35	1108	powershell.exe
Token: 36	1108	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeIncreaseQuotaPrivilege	3648	powershell.exe
Token: SeSecurityPrivilege	3648	powershell.exe
Token: SeTakeOwnershipPrivilege	3648	powershell.exe
Token: SeLoadDriverPrivilege	3648	powershell.exe
Token: SeSystemProfilePrivilege	3648	powershell.exe
Token: SeSystemtimePrivilege	3648	powershell.exe
Token: SeProfSingleProcessPrivilege	3648	powershell.exe
Token: SeIncBasePriorityPrivilege	3648	powershell.exe
Token: SeCreatePagefilePrivilege	3648	powershell.exe
Token: SeBackupPrivilege	3648	powershell.exe
Token: SeRestorePrivilege	3648	powershell.exe
Token: SeShutdownPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeSystemEnvironmentPrivilege	3648	powershell.exe
Token: SeRemoteShutdownPrivilege	3648	powershell.exe
Token: SeUndockPrivilege	3648	powershell.exe
Token: SeManageVolumePrivilege	3648	powershell.exe
Token: 33	3648	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 2104	4032	Gatherum Installer.exe	71
PID 4032 wrote to memory of 2104	4032	Gatherum Installer.exe	71
PID 2104 wrote to memory of 5228	2104	GatherumApp.exe	72
PID 2104 wrote to memory of 5228	2104	GatherumApp.exe	72
PID 2104 wrote to memory of 1108	2104	GatherumApp.exe	75
PID 2104 wrote to memory of 1108	2104	GatherumApp.exe	75
PID 2104 wrote to memory of 3648	2104	GatherumApp.exe	77
PID 2104 wrote to memory of 3648	2104	GatherumApp.exe	77
PID 2104 wrote to memory of 5984	2104	GatherumApp.exe	79
PID 2104 wrote to memory of 5984	2104	GatherumApp.exe	79
PID 2104 wrote to memory of 5984	2104	GatherumApp.exe	79
PID 5984 wrote to memory of 3132	5984	YmVhMjk2M2.exe	81
PID 5984 wrote to memory of 3132	5984	YmVhMjk2M2.exe	81
PID 5984 wrote to memory of 3132	5984	YmVhMjk2M2.exe	81
PID 5984 wrote to memory of 3132	5984	YmVhMjk2M2.exe	81
PID 5984 wrote to memory of 3132	5984	YmVhMjk2M2.exe	81

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2760
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3132

C:\Users\Admin\AppData\Local\Temp\Gatherum Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Gatherum Installer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\7z7D7ADFC0\GatherumApp.exe
  C:\Users\Admin\AppData\Local\Temp\7z7D7ADFC0\GatherumApp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3648
- - C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a\YmVhMjk2M2.exe
    "C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a\YmVhMjk2M2.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 544
      4⤵
      Program crash
      PID:4440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 524
      4⤵
      Program crash
      PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1edb4bb8fa72d4bcd8afb39542243461

SHA1
2fb6e0faef3ecab3cc974d106eef3ca3b254a3ef

SHA256
1d94abfbe7738412ba3ad528397776c16b3a8fb8a8f1c029a1c67b4670096089

SHA512
411b190adec161ceb140d25e1601339714349392d8f04f7cb020cb95c86ac14ff0cd750b06833857323d029199d7a87696658e47830addf66e3415621fba0936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38158246f5646e012bde2b94e52674b1

SHA1
7eb69046d182ac64bff0073def6e66c0809b9e07

SHA256
e6a3a45d7b2982231aaed5a5e0288a1a767308fa43f8f72cbc2868545b7c1fa5

SHA512
b3e4e4c7eba7f42a87395a8bbf33dced21fd94872f53218bef9749995dd2fca161a8e5a1c9184ce699d04f6b6a8afa25989db1ef17cf7017a1b10c3d554006fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a\YmVhMjk2M2.exe

Filesize
17.6MB

MD5
2e56e362d49d8e123073a038fbf91cf6

SHA1
fd5b12eda5de595deaef73ce4b04b71b8ced5c4a

SHA256
ffe3fabdef8b4b0818ddf5ad4a3441792228ce57922e85ff1295903d129d6a29

SHA512
87d3b0503c8c9adac8ec9f44c718bf67ccb68216d98ad3bfc5dbd0d1039290c9b9d4941d6c278fbfe105a20e9a4f8edab0c94c3316b03ee7b7ef218754140d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7D7ADFC0\D3DCompiler_47_cor3.dll

Filesize
4.7MB

MD5
03a60a6652caf4f49ea5912ce4e1b33c

SHA1
a0d949d4af7b1048dc55e39d1d1260a1e0660c4f

SHA256
b23e7b820ed5c6ea7dcd77817e2cd79f1cec9561d457172287ee634a8bd658c3

SHA512
6711d40d171ea200c92d062226a69f33eb41e9232d74291ef6f0202de73cf4dc54fbdd769104d2bb3e89dc2d81f2f2f3479e4258a5d6a54c545e56b07746b4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7D7ADFC0\PresentationNative_cor3.dll

Filesize
1.2MB

MD5
274761a595f86982214221b5685b3218

SHA1
b908013028cb07fb799de2e48b6492404add6069

SHA256
6d5910c0a0a4e3ee8863e4dadc73662d28ae9bfcda4a52960e26c1237386851a

SHA512
3f9cf3d8e428619b798374f2e2a6ef9cf4213428277a74306978552772aae1a4a9ae7247c2dc893c0054d480dda871bbd74b0bc4afd65b0f584958d501ed8867

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7D7ADFC0\wpfgfx_cor3.dll

Filesize
1.9MB

MD5
627ecf139beed59b4e1b26caac8f68e4

SHA1
9747fe073aed451c936a66f8ad112bbb1a8c31c8

SHA256
0a01412b64e6889ace8933dd2f559d186b693aefe31e6b084e2d435b1737af39

SHA512
25bdb740039c867ce0cc1347493cf456e32d767c898a683da1306992ae77ed3605612c804c2eae483320f18f2cd0850c17226ef21e09fe07997aa47679b6030e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vrmnd1e0.hxs.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2104-456-0x0000027687F00000-0x0000027687F20000-memory.dmp

Filesize
128KB

Download
memory/2104-416-0x0000027686B60000-0x0000027686BB0000-memory.dmp

Filesize
320KB

Download
memory/2104-461-0x0000027687F50000-0x0000027687F70000-memory.dmp

Filesize
128KB

Download
memory/2104-421-0x0000027686C00000-0x0000027686C40000-memory.dmp

Filesize
256KB

Download
memory/2104-33-0x0000027684500000-0x0000027684660000-memory.dmp

Filesize
1.4MB

Download
memory/2104-441-0x0000027687E30000-0x0000027687E40000-memory.dmp

Filesize
64KB

Download
memory/2104-436-0x0000027687DF0000-0x0000027687E10000-memory.dmp

Filesize
128KB

Download
memory/2104-426-0x0000027687480000-0x0000027687CB0000-memory.dmp

Filesize
8.2MB

Download
memory/2104-451-0x0000027687EB0000-0x0000027687ED0000-memory.dmp

Filesize
128KB

Download
memory/2104-446-0x0000027687E60000-0x0000027687E80000-memory.dmp

Filesize
128KB

Download
memory/2104-411-0x00000276866D0000-0x0000027686710000-memory.dmp

Filesize
256KB

Download
memory/2104-28-0x0000027684140000-0x0000027684370000-memory.dmp

Filesize
2.2MB

Download
memory/2104-18-0x0000027680E30000-0x0000027681AD0000-memory.dmp

Filesize
12.6MB

Download
memory/2104-431-0x0000027687D40000-0x0000027687DD0000-memory.dmp

Filesize
576KB

Download
memory/2104-38-0x0000027684A00000-0x0000027684C00000-memory.dmp

Filesize
2.0MB

Download
memory/2104-23-0x0000027682FB0000-0x0000027683F10000-memory.dmp

Filesize
15.4MB

Download
memory/5228-3057-0x000002322F650000-0x000002322F6C6000-memory.dmp

Filesize
472KB

Download
memory/5228-3033-0x000002322F460000-0x000002322F482000-memory.dmp

Filesize
136KB

Download