Malware Analysis Report

2024-11-30 02:27

Sample ID 241031-wkl8gstkgq
Target 3fbeae5e48d7f3b2ce4beac3347d9aa259fd2c9c6f5485ae166e74dc5268e071
SHA256 3fbeae5e48d7f3b2ce4beac3347d9aa259fd2c9c6f5485ae166e74dc5268e071
Tags: rhadamanthys discovery persistence stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

3fbeae5e48d7f3b2ce4beac3347d9aa259fd2c9c6f5485ae166e74dc5268e071

Threat Level: Known bad

The file 3fbeae5e48d7f3b2ce4beac3347d9aa259fd2c9c6f5485ae166e74dc5268e071 was found to be: Known bad.

Malicious Activity Summary

rhadamanthys discovery persistence stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Rhadamanthys family

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 17:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 17:58

Reported

2024-10-31 18:01

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

139s

Command Line

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

Signatures

Rhadamanthys

Tags: stealer rhadamanthys

Rhadamanthys family

Tags: rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 4776 created 2940 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\system32\svchost.exe

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe | N/A

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3fbeae5e48d7f3b2ce4beac3347d9aa259fd2c9c6f5485ae166e74dc5268e071.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1708 set thread context of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1260 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\3fbeae5e48d7f3b2ce4beac3347d9aa259fd2c9c6f5485ae166e74dc5268e071.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe
PID 1260 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\3fbeae5e48d7f3b2ce4beac3347d9aa259fd2c9c6f5485ae166e74dc5268e071.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe
PID 1260 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\3fbeae5e48d7f3b2ce4beac3347d9aa259fd2c9c6f5485ae166e74dc5268e071.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe
PID 1708 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1708 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1708 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1708 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1708 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1708 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1708 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1708 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1708 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1708 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4776 wrote to memory of 3096 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\SysWOW64\dialer.exe
PID 4776 wrote to memory of 3096 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\SysWOW64\dialer.exe
PID 4776 wrote to memory of 3096 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\SysWOW64\dialer.exe
PID 4776 wrote to memory of 3096 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\SysWOW64\dialer.exe
PID 4776 wrote to memory of 3096 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Users\Admin\AppData\Local\Temp\3fbeae5e48d7f3b2ce4beac3347d9aa259fd2c9c6f5485ae166e74dc5268e071.exe

"C:\Users\Admin\AppData\Local\Temp\3fbeae5e48d7f3b2ce4beac3347d9aa259fd2c9c6f5485ae166e74dc5268e071.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4776 -ip 4776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4776 -ip 4776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 444

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aloneinstruction.exe

MD5 811e677418814cfb459322911300f937
SHA1 809f186624366e8311a756e36fb2fac936836406
SHA256 26325ef507bc3567275a68ce31d7934e0ff264af9829525f81995e15a79f3a9b
SHA512 f2fa8f40c3fb482ec8dbc396593ecd8abbf59482055916d5cfd3b7fa93ea38270c5700fc9af5f1b3623c6d7f24ce399e7984aa1cdac9778333103979a1278043

memory/1708-5-0x000000007467E000-0x000000007467F000-memory.dmp

memory/1708-6-0x0000000000EC0000-0x00000000014AE000-memory.dmp

memory/1708-7-0x0000000005AB0000-0x0000000006054000-memory.dmp

memory/1708-8-0x00000000055A0000-0x0000000005632000-memory.dmp

memory/1708-9-0x0000000005640000-0x00000000056DC000-memory.dmp

memory/1708-10-0x0000000006420000-0x0000000006464000-memory.dmp

memory/1708-11-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/1708-12-0x00000000065F0000-0x00000000065FA000-memory.dmp

memory/1708-13-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/1708-14-0x000000007467E000-0x000000007467F000-memory.dmp

memory/1708-15-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/1708-16-0x0000000007230000-0x000000000724A000-memory.dmp

memory/1708-17-0x0000000007540000-0x0000000007546000-memory.dmp

memory/4776-18-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4776-20-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1708-21-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/4776-22-0x0000000003880000-0x0000000003C80000-memory.dmp

memory/4776-23-0x0000000003880000-0x0000000003C80000-memory.dmp

memory/4776-24-0x0000000003880000-0x0000000003C80000-memory.dmp

memory/4776-28-0x0000000076030000-0x0000000076245000-memory.dmp

memory/4776-25-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

memory/4776-27-0x0000000003880000-0x0000000003C80000-memory.dmp

memory/3096-29-0x0000000000F50000-0x0000000000F59000-memory.dmp

memory/3096-32-0x0000000002CB0000-0x00000000030B0000-memory.dmp

memory/3096-33-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

memory/3096-36-0x0000000076030000-0x0000000076245000-memory.dmp

memory/3096-35-0x0000000002CB0000-0x00000000030B0000-memory.dmp

memory/3096-37-0x0000000002CB0000-0x00000000030B0000-memory.dmp

memory/4776-38-0x0000000003880000-0x0000000003C80000-memory.dmp