Malware Analysis Report

2024-11-30 02:21

Sample ID: 241104-zawkysxckl
Target: 5aa1ff83735375676ef3d2261890a73a0bb55dc14527c36f56c485280c42d511.exe
SHA256: 5aa1ff83735375676ef3d2261890a73a0bb55dc14527c36f56c485280c42d511
Tags: rhadamanthys, discovery, persistence, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 5aa1ff83735375676ef3d2261890a73a0bb55dc14527c36f56c485280c42d511
Threat Level: Known bad

The file 5aa1ff83735375676ef3d2261890a73a0bb55dc14527c36f56c485280c42d511.exe was found to be: Known bad.

Malicious Activity Summary

Tags: rhadamanthys, discovery, persistence, stealer

Signatures matched (details under Analysis: behavioral1):
- Rhadamanthys
- Rhadamanthys family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Program crash
- System Location Discovery: System Language Discovery
- Unsigned PE
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Execution chain reconstructed from the behavioral1 signatures and process list: the submitted executable is a self-extracting wrapper (the IXP000.TMP extraction directory and the wextract_cleanup0 RunOnce entry are the marks of a Windows IExpress/wextract package) that drops and runs talkprevailing.exe. talkprevailing.exe enables SeDebugPrivilege, starts the 32-bit .NET host InstallUtil.exe with Explorer.EXE as its apparent parent, writes into it and sets its thread context (process hollowing); the hollowed InstallUtil.exe then writes into openwith.exe, which it starts with sihost.exe as its apparent parent. InstallUtil.exe crashed during the run (WerFault.exe was invoked against PID 2752) and no command-and-control traffic was recorded, so the stealer stage of Rhadamanthys was not observed in this detonation. The "persistence" tag comes from the wextract cleanup RunOnce entry, which deletes the extraction directory at next logon rather than relaunching anything.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-04 20:31

Signatures

Unsigned PE: the sample carries no Authenticode signature. No indicator, process or target is recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 20:31
Reported: 2024-11-04 20:34
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s

Command Line

sihost.exe

sihost.exe appears at the root of the recorded process tree rather than the submitted file. The NtCreateUserProcessOtherParentProcess signature below shows why: the injected InstallUtil.exe named sihost.exe as the parent of the process it created.

Signatures

Rhadamanthys (tags: stealer, rhadamanthys)

Rhadamanthys family (tag: rhadamanthys)

Suspicious use of NtCreateUserProcessOtherParentProcess

Fires when a process creates a child through NtCreateUserProcess with a PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute naming a process other than itself, so the child is listed under that other process in the tree (parent PID spoofing). The Target column is the process named as the parent.

Description | Indicator | Process | Target
PID 4716 created 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\talkprevailing.exe | C:\Windows\Explorer.EXE
PID 2752 created 2596 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\system32\sihost.exe

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\talkprevailing.exe | N/A

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5aa1ff83735375676ef3d2261890a73a0bb55dc14527c36f56c485280c42d511.exe | N/A

This RunOnce value is the cleanup entry that Windows' own wextract.exe writes when it unpacks an IExpress self-extracting package: at the next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the IXP000.TMP extraction directory. It removes the dropped files instead of relaunching them, so it is evidence that the submitted file is an IExpress wrapper, not a persistence mechanism. No Run or RunOnce value pointing at the payload is recorded in this report.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4716 set thread context of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\talkprevailing.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Together with the ten WriteProcessMemory events from PID 4716 into PID 2752 below, this is the process hollowing sequence: InstallUtil.exe is created (normally suspended), its memory is overwritten with the payload, and the context of its initial thread is redirected to the injected code before it runs.

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\talkprevailing.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

The system language key is read by all three stages, including both injected hosts. Stealers commonly check the locale to decide whether to run at all; on its own the read is weak evidence, since legitimate software queries the same key.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\talkprevailing.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows are grouped; the count in parentheses is the number of recorded WriteProcessMemory calls for that source and target.

Description | Indicator | Process | Target
PID 60 wrote to memory of 4716 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\5aa1ff83735375676ef3d2261890a73a0bb55dc14527c36f56c485280c42d511.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\talkprevailing.exe
PID 4716 wrote to memory of 2752 (10 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\talkprevailing.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2752 wrote to memory of 4908 (5 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\SysWOW64\openwith.exe

The three writes from the wrapper (PID 60) into talkprevailing.exe occur around its launch. The writes from talkprevailing.exe into InstallUtil.exe are the hollowing described under SetThreadContext, and the writes from InstallUtil.exe into openwith.exe show the injected payload moving on to a second host process.
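As an added example that is not part of this sandbox report or its vendor's tooling, the following Python script rebuilds the chain above from the signature rows (transcribed here as constructed input) and applies the two checks a triager wants from this section: pairing WriteProcessMemory with SetThreadContext to call out hollowing and parent spoofing, and telling the wextract cleanup RunOnce entry apart from a real Run-key autostart. The row layout, regular expressions and classification labels are this example's own assumptions.

```python
"""Rebuild the injection chain from sandbox signature rows and classify
Run-key writes.  Added example for this report; not sandbox vendor code.
Row layout, regexes and labels are this example's own assumptions."""
import re
from collections import Counter

# Image paths from the report, shortened to named constants.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5aa1ff83735375676ef3d2261890a73a0bb55dc14527c36f56c485280c42d511.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\talkprevailing.exe"
HOST1 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
HOST2 = r"C:\Windows\SysWOW64\openwith.exe"

# Constructed input: (signature, detail, process, target), transcribed from
# the behavioral1 signature tables, one tuple per recorded event.
ROWS = (
    [("NtCreateUserProcessOtherParentProcess", "PID 4716 created 3532", STAGE2, r"C:\Windows\Explorer.EXE"),
     ("NtCreateUserProcessOtherParentProcess", "PID 2752 created 2596", HOST1, r"C:\Windows\system32\sihost.exe"),
     ("SetThreadContext", "PID 4716 set thread context of 2752", STAGE2, HOST1)]
    + [("WriteProcessMemory", "PID 60 wrote to memory of 4716", SAMPLE, STAGE2)] * 3
    + [("WriteProcessMemory", "PID 4716 wrote to memory of 2752", STAGE2, HOST1)] * 10
    + [("WriteProcessMemory", "PID 2752 wrote to memory of 4908", HOST1, HOST2)] * 5
    + [("Adds Run key", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""', SAMPLE, "N/A")]
)

PID_RE = re.compile(r"PID (\d+) .*?(\d+)$")
RUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^ =]+) = \"(.*)\"$")


def pids(detail):
    """Return (actor pid, other pid) for a 'PID A ... B' description, else None."""
    m = PID_RE.match(detail)
    return (int(m.group(1)), int(m.group(2))) if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_chain(rows):
    """Map every pid-bearing event: memory writes, context changes, spoofed parents."""
    names, writes, ctx, spoof = {}, Counter(), set(), []
    for sig, detail, proc, target in rows:
        p = pids(detail)
        if p is None:
            continue
        src, dst = p
        names.setdefault(src, basename(proc))
        names.setdefault(dst, basename(target))
        if sig == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif sig == "SetThreadContext":
            ctx.add((src, dst))
        elif sig == "NtCreateUserProcessOtherParentProcess":
            spoof.append((src, dst))          # dst is the process named as parent
    # Hollowing: the same actor both wrote into a process and redirected its thread.
    hollowing = sorted(pair for pair in ctx if pair in writes)
    return {"names": names, "writes": dict(writes), "hollowing": hollowing, "spoof": spoof}


def classify_run_key(detail):
    """Separate the IExpress/wextract cleanup entry from a real autostart entry."""
    m = RUN_RE.search(detail)
    if not m:
        return "not-a-run-key"
    key, name, value = m.groups()
    if key == "RunOnce" and name.lower().startswith("wextract_cleanup") \
            and "advpack.dll,DelNodeRunDLL32" in value:
        return "iexpress-cleanup"          # deletes the IXP000.TMP directory at next logon
    return "persistence"


def summarize(rows):
    chain = build_chain(rows)
    n = chain["names"]
    lines = []
    for (src, dst), count in sorted(chain["writes"].items()):
        tag = "HOLLOWING" if (src, dst) in chain["hollowing"] else "write"
        lines.append(f"{n[src]}({src}) -> {n[dst]}({dst}): {count} WriteProcessMemory [{tag}]")
    for src, parent in chain["spoof"]:
        lines.append(f"{n[src]}({src}) spawned a child shown under {n[parent]}({parent}) [PPID spoofing]")
    for sig, detail, _proc, _target in rows:
        if sig == "Adds Run key":
            lines.append(f"run key write classified as: {classify_run_key(detail)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(ROWS)))
```

The hollowing test deliberately requires both a write and a SetThreadContext from the same actor into the same target, so the wrapper's three launch-time writes into talkprevailing.exe are reported as plain writes and only the talkprevailing.exe to InstallUtil.exe pair is labelled HOLLOWING.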

Processes

Image | Command line | PID (taken from the signature rows above)
C:\Windows\system32\sihost.exe | sihost.exe | 2596
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 3532
C:\Users\Admin\AppData\Local\Temp\5aa1ff83735375676ef3d2261890a73a0bb55dc14527c36f56c485280c42d511.exe | "C:\Users\Admin\AppData\Local\Temp\5aa1ff83735375676ef3d2261890a73a0bb55dc14527c36f56c485280c42d511.exe" | 60
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\talkprevailing.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\talkprevailing.exe | 4716
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" | 2752
C:\Windows\SysWOW64\openwith.exe | "C:\Windows\system32\openwith.exe" | 4908
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2752 -ip 2752 | not recorded
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 432 | not recorded
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2752 -ip 2752 | not recorded
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 428 | not recorded

sihost.exe and Explorer.EXE sit at the top of the tree only because the two child processes were created with them named as parent (see the NtCreateUserProcessOtherParentProcess signature); they are not part of the sample. InstallUtil.exe is taken from Framework rather than Framework64, so the hollowing host is the 32-bit .NET installer tool, and openwith.exe was requested from system32 but resolved to SysWOW64, so it is also a 32-bit process (WOW64 file-system redirection). All four WerFault.exe invocations reference -p 2752: the hollowed InstallUtil.exe crashed, which is the "Program crash" signature in the summary and explains why the run ends without any stealer traffic.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 224.122.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp (4 connections)
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
SE | 192.229.221.95:80 | (no domain recorded) | tcp

Everything recorded here is reverse-DNS (in-addr.arpa) lookups through 8.8.8.8 and HTTPS to Bing endpoints (g.bing.com, tse1.mm.bing.net), ordinary background activity of the Windows 10 image that no signature attributes to the sample; the single TCP connection to 192.229.221.95:80 has no domain or payload recorded. No Rhadamanthys command-and-control traffic was captured, consistent with the hollowed InstallUtil.exe crashing (see the WerFault.exe entries under Processes) before the stealer stage ran.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\talkprevailing.exe

MD5: abc37dfff01d3203b387fafcfd66c4e6
SHA1: 1ddfa40bafbf5ef06c058d09698eef251de9830a
SHA256: 2f9cc92de7f695b5b1470278419e2fb90e7279a4dc8feff2d5675598eb372256
SHA512: e491abdfe93fe7fede81d0516cfcea0694e188e8e009d79c7f830efa08cda37aab70e586e3730efd15de8ee6930c47709ad8c3a47d048f2820a6a09fa66fb046

Memory dumps

Dump files are named memory/<pid>-<index>-<start>-<end>-memory.dmp (54 files in total). The table lists each distinct region per process with the capture indices at which it was dumped; the same region captured more than once means its contents changed between captures.

PID | Process | Region | Size | Captured at index
4716 | talkprevailing.exe | 0x74A7E000-0x74A7F000 | 0x1000 | 5, 1090
4716 | talkprevailing.exe | 0x00380000-0x00D3E000 | 0x9BE000 | 6
4716 | talkprevailing.exe | 0x056A0000-0x057BE000 | 0x11E000 | 7
4716 | talkprevailing.exe | 0x74A70000-0x75220000 | 0x7B0000 | 8, 1081, 1087, 1088, 1089, 1097
4716 | talkprevailing.exe | 0x056A0000-0x057B8000 | 0x118000 | 9, 11, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 53, 54, 56, 58, 60, 62, 64, 66, 68, 71, 72 (33 captures)
4716 | talkprevailing.exe | 0x05890000-0x05928000 | 0x98000 | 1082
4716 | talkprevailing.exe | 0x05930000-0x0597C000 | 0x4C000 | 1083
4716 | talkprevailing.exe | 0x063F0000-0x06994000 | 0x5A4000 | 1091
4716 | talkprevailing.exe | 0x05E40000-0x05E94000 | 0x54000 | 1092
2752 | InstallUtil.exe | 0x00400000-0x0047E000 | 0x7E000 | 1096
2752 | InstallUtil.exe | 0x03E10000-0x04210000 | 0x400000 | 1100, 1104, 1114
4908 | openwith.exe | 0x028B0000-0x02CB0000 | 0x400000 | 1108, 1112, 1113

The 0x00400000-0x0047E000 region in InstallUtil.exe (PID 2752) sits at the default image base of a 32-bit PE and is the likely hollowed-in payload image, so it is the dump to open first. The 0x400000-byte regions captured three times each in InstallUtil.exe and openwith.exe have the same size, consistent with the same buffer being written into the second host by the WriteProcessMemory events from PID 2752 to PID 4908. The 0x056A0000-0x057B8000 region of talkprevailing.exe was captured 33 times, meaning its contents kept changing, which is what a loader unpacking or decrypting its next stage in place looks like.
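As an added example that is not code from the sandbox vendor or the report, the Python script below regenerates the 54 dump names above from a transcribed specification, groups them into distinct regions per process, and applies three triage heuristics: a region starting at the default 32-bit PE image base, a region re-captured many times, and regions of identical size appearing in more than one process. The name format, the 0x400000 image-base rule and the capture threshold are this example's own assumptions.

```python
"""Group, de-duplicate and triage the memory dump names listed above.
Added example for this report; not sandbox vendor code.  The name format
memory/<pid>-<index>-<start>-<end>-memory.dmp and the heuristics
(0x400000 image base, repeated captures, equal-sized regions across
processes) are this example's own assumptions."""
import re
from collections import defaultdict

# Constructed input, transcribed from the Files section as
# (pid, capture indices, start, end) so the 54 names can be regenerated.
SPEC = [
    (4716, [5, 1090], 0x74A7E000, 0x74A7F000),
    (4716, [6], 0x00380000, 0x00D3E000),
    (4716, [7], 0x056A0000, 0x057BE000),
    (4716, [8, 1081, 1087, 1088, 1089, 1097], 0x74A70000, 0x75220000),
    (4716, [9, 11, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30, 32, 34, 36, 38, 40,
            42, 44, 46, 48, 50, 53, 54, 56, 58, 60, 62, 64, 66, 68, 71, 72],
     0x056A0000, 0x057B8000),
    (4716, [1082], 0x05890000, 0x05928000),
    (4716, [1083], 0x05930000, 0x0597C000),
    (4716, [1091], 0x063F0000, 0x06994000),
    (4716, [1092], 0x05E40000, 0x05E94000),
    (2752, [1096], 0x00400000, 0x0047E000),
    (2752, [1100, 1104, 1114], 0x03E10000, 0x04210000),
    (4908, [1108, 1112, 1113], 0x028B0000, 0x02CB0000),
]
DUMPS = [f"memory/{pid}-{i}-0x{s:016X}-0x{e:016X}-memory.dmp"
         for pid, idx, s, e in SPEC for i in idx]

NAME_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
PE_IMAGE_BASE_32 = 0x00400000     # default ImageBase of a 32-bit non-DLL PE


def parse(name):
    """Split one dump name into (pid, capture index, start, end)."""
    m = NAME_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    pid, idx, start, end = m.groups()
    return int(pid), int(idx), int(start, 16), int(end, 16)


def regions(names):
    """pid -> {(start, end): [capture indices]}; one entry per distinct region."""
    out = defaultdict(lambda: defaultdict(list))
    for n in names:
        pid, idx, s, e = parse(n)
        out[pid][(s, e)].append(idx)
    return {pid: {r: sorted(i) for r, i in rs.items()} for pid, rs in out.items()}


def findings(names, rewrite_threshold=10):
    """Flag regions worth opening first; each finding is (kind, pid(s), start|size, end)."""
    reg = regions(names)
    out = []
    for pid, rs in sorted(reg.items()):
        for (s, e), idx in sorted(rs.items()):
            if s == PE_IMAGE_BASE_32:
                out.append(("image-base", pid, s, e))       # hollowed/mapped PE candidate
            if len(idx) >= rewrite_threshold:
                out.append(("rewritten", pid, s, e))        # contents changed many times
    by_size = defaultdict(set)
    for pid, rs in reg.items():
        for s, e in rs:
            by_size[e - s].add(pid)
    for size, pids in sorted(by_size.items()):
        if len(pids) > 1:                                    # same buffer in two hosts?
            out.append(("shared-size", tuple(sorted(pids)), size, None))
    return out


if __name__ == "__main__":
    print(len(DUMPS), "dump files")
    for f in findings(DUMPS):
        print(f)
```

Run against the list above it reports exactly three findings: the 0x7E000-byte image at 0x400000 in PID 2752, the 33-times-rewritten 0x118000-byte region in PID 4716, and the 0x400000-byte region shared by PIDs 2752 and 4908. The same-size heuristic is intentionally loose; on a real case, hash the dump contents to confirm that the two regions hold the same payload.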