Overview

overview

10

Static

static

3

ed02ac429d...26.exe

windows7-x64

8

ed02ac429d...26.exe

windows10-2004-x64

10

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

DocuAppCenter.exe

windows10-2004-x64

10

LICENSES.c...m.html

windows7-x64

3

LICENSES.c...m.html

windows10-2004-x64

3

d3dcompiler_47.dll

windows10-2004-x64

1

ffmpeg.dll

windows10-2004-x64

1

libEGL.dll

windows10-2004-x64

1

libGLESv2.dll

windows10-2004-x64

1

resources/elevate.exe

windows7-x64

3

resources/elevate.exe

windows10-2004-x64

3

vk_swiftshader.dll

windows10-2004-x64

1

vulkan-1.dll

windows10-2004-x64

1

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...7z.dll

windows7-x64

3

$PLUGINSDI...7z.dll

windows10-2004-x64

3

$R0/Uninst...er.exe

windows7-x64

7

$R0/Uninst...er.exe

windows10-2004-x64

7

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-11-2024 07:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DocuAppCenter.exe

  • Size

    180.0MB

  • MD5

    7c8a196ccbbdd56338960528e97c45e4

  • SHA1

    0cbb276b8a8bec1c6143143e4928787f97492eb8

  • SHA256

    0db2e38188e1032e149f3765a5afe815ff589a86de5563e2c171bc60fd531e21

  • SHA512

    cee8dfa5a9b0dfddbb1f429723bab8fd8cd9ce0e9e58ccf4d7e1077265aeb9b8941d22135eafaf951b21344692806aaf22077370593d93fd970a1f26f4f667d3

  • SSDEEP

    1572864:Cwl41lgY+w9QLv1JWYc6UeOtUUGQUT1jdu4BPPuuwT2GOqiB1sr7zjg7ob753oUV:WF4oD0QdG09P

Score
10/10
rhadamanthysdiscoveryransomwarestealer

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 3 IoCs
    evasion
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2552
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1028
    • C:\Users\Admin\AppData\Local\Temp\DocuAppCenter.exe
      "C:\Users\Admin\AppData\Local\Temp\DocuAppCenter.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Users\Admin\AppData\Local\Temp\DocuAppCenter.exe
        "C:\Users\Admin\AppData\Local\Temp\DocuAppCenter.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\DocuAppCenter" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1756,i,10513368513173435155,16614304210336362562,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1744 /prefetch:2
        2⤵
          PID:2756
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\ChromiumDriver\Bginfo.exe" /taskbar"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4068
          • C:\Users\Admin\AppData\Local\Temp\ChromiumDriver\Bginfo.exe
            "C:\Users\Admin\AppData\Local\Temp\ChromiumDriver\Bginfo.exe" /taskbar
            3⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Loads dropped DLL
            • Sets desktop wallpaper using registry
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Modifies Control Panel
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3968
        • C:\Users\Admin\AppData\Local\Temp\DocuAppCenter.exe
          "C:\Users\Admin\AppData\Local\Temp\DocuAppCenter.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\DocuAppCenter" --field-trial-handle=1960,i,10513368513173435155,16614304210336362562,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1972 /prefetch:3
          2⤵
            PID:5092

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\ChromiumDriver\VERSION.dll
          Filesize

          179KB

          MD5

          f8e8df746881bb6c15c61fee344b12ff

          SHA1

          6f5d6bbea6b3ef8f931fc18b51d0fdffa6367430

          SHA256

          4ec7e1ee6c2080e341c2a94d90af71d17d1f8f38bab8fc556219d11a79fabf85

          SHA512

          dc231aacd9e754192ca160823b465c9cb9ea3c9bbe35cf485428c2266c8112a292d05db7942d1ced210c072d71036a42777533359e7f34881bf0038940bfe309

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\ChromiumDriver\encrypted_shellcode.bin
          Filesize

          158KB

          MD5

          9827ae88a9588b26de69046117d21c81

          SHA1

          c591b24672b8509dbdc087fc245a1f7fea3b1d9b

          SHA256

          3560f325b7a2c0918910bddd6462adef786270959e765069fc6dc3320f3180a6

          SHA512

          66c1f90a4a9dd2b31f9ee3e1049620bcec5bfc644546d4e18b651bc79b45e58a73e82d676dcb34819e59735b3d92163e80b9b1311285f6f452f97020439497c6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\c56d3e49-79e8-4355-ad8f-9e902ed7a5f0.tmp.exe
          Filesize

          2.1MB

          MD5

          3aef228fb7ee187160482084d36c9726

          SHA1

          8b76990c5061890c94f81f504c5782912a58d8a6

          SHA256

          c885df88693496d5c28ad16a1ecde259e191f54ad76428857742af843b846c53

          SHA512

          e659a7cf12c6b41879e4ce987e4cd1cefce2ffc74e06817667fa833764f36f25cc5f8374dbc844b68b787acac011c7b8c8f2b74563bf8a96f623ebb110a593da

          Download Submit

        • memory/1028-118-0x00000000006A0000-0x00000000006A9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/1028-120-0x0000000002340000-0x0000000002740000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/1028-123-0x00000000773F0000-0x0000000077605000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/1028-121-0x00007FFFCA430000-0x00007FFFCA625000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3968-112-0x0000000000DD0000-0x0000000000DD9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/3968-113-0x00000000011F0000-0x00000000015F0000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/3968-114-0x00000000011F0000-0x00000000015F0000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/3968-115-0x00007FFFCA430000-0x00007FFFCA625000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3968-117-0x00000000773F0000-0x0000000077605000-memory.dmp

          Filesize

          2.1MB

          Download