Overview

overview

10

Static

static

3

3fbeae5e48...71.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2024 17:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3fbeae5e48d7f3b2ce4beac3347d9aa259fd2c9c6f5485ae166e74dc5268e071.exe

  • Size

    5.8MB

  • MD5

    4a922d6992bf344a9c7644152f2197d6

  • SHA1

    8c1b209d2e42e94932de731e4f537065582b2fff

  • SHA256

    3fbeae5e48d7f3b2ce4beac3347d9aa259fd2c9c6f5485ae166e74dc5268e071

  • SHA512

    f9bdf54587dc1ed1a19bd8183011ec6256bacd10f05cd8aff69835d687ad2584cf8e1bce48ab90ee44cb26164f84b45411dc3f925d9a8b701b61a69ba140d0fd

  • SSDEEP

    98304:ZaXtcsYpSvHtspnAGNkg7O4MrThvpXO0xWs80ADgPmGzG5zEuACQZ+uCJ1:gjf2pnAGN17O4MZlnxVmgmG65zEfz+uU

Score
10/10
rhadamanthysdiscoverypersistencestealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://107.189.15.169:3194/984a658d0555c/2djicg5k.g6h88

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:2940
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3096
    • C:\Users\Admin\AppData\Local\Temp\3fbeae5e48d7f3b2ce4beac3347d9aa259fd2c9c6f5485ae166e74dc5268e071.exe
      "C:\Users\Admin\AppData\Local\Temp\3fbeae5e48d7f3b2ce4beac3347d9aa259fd2c9c6f5485ae166e74dc5268e071.exe"
      1⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4776
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 448
            4⤵
            • Program crash
            PID:464
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 444
            4⤵
            • Program crash
            PID:3292
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4776 -ip 4776
      1⤵
        PID:4024
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4776 -ip 4776
        1⤵
          PID:1568

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe
          Filesize

          5.9MB

          MD5

          811e677418814cfb459322911300f937

          SHA1

          809f186624366e8311a756e36fb2fac936836406

          SHA256

          26325ef507bc3567275a68ce31d7934e0ff264af9829525f81995e15a79f3a9b

          SHA512

          f2fa8f40c3fb482ec8dbc396593ecd8abbf59482055916d5cfd3b7fa93ea38270c5700fc9af5f1b3623c6d7f24ce399e7984aa1cdac9778333103979a1278043

          Download Submit

        • memory/1708-14-0x000000007467E000-0x000000007467F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1708-5-0x000000007467E000-0x000000007467F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1708-7-0x0000000005AB0000-0x0000000006054000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1708-8-0x00000000055A0000-0x0000000005632000-memory.dmp

          Filesize

          584KB

          Download

        • memory/1708-9-0x0000000005640000-0x00000000056DC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/1708-10-0x0000000006420000-0x0000000006464000-memory.dmp

          Filesize

          272KB

          Download

        • memory/1708-11-0x0000000074670000-0x0000000074E20000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1708-15-0x0000000074670000-0x0000000074E20000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1708-13-0x0000000074670000-0x0000000074E20000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1708-21-0x0000000074670000-0x0000000074E20000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1708-12-0x00000000065F0000-0x00000000065FA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1708-16-0x0000000007230000-0x000000000724A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1708-17-0x0000000007540000-0x0000000007546000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1708-6-0x0000000000EC0000-0x00000000014AE000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/3096-37-0x0000000002CB0000-0x00000000030B0000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/3096-36-0x0000000076030000-0x0000000076245000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/3096-35-0x0000000002CB0000-0x00000000030B0000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/3096-29-0x0000000000F50000-0x0000000000F59000-memory.dmp

          Filesize

          36KB

          Download

        • memory/3096-33-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3096-32-0x0000000002CB0000-0x00000000030B0000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4776-18-0x0000000000400000-0x000000000046D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/4776-27-0x0000000003880000-0x0000000003C80000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4776-25-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4776-28-0x0000000076030000-0x0000000076245000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4776-24-0x0000000003880000-0x0000000003C80000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4776-23-0x0000000003880000-0x0000000003C80000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4776-22-0x0000000003880000-0x0000000003C80000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4776-20-0x0000000000400000-0x000000000046D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/4776-38-0x0000000003880000-0x0000000003C80000-memory.dmp

          Filesize

          4.0MB

          Download