Malware Analysis Report

2024-11-30 02:20

Sample ID 241116-y9m77atbme
Target LockBit (1).rar
SHA256 f2363a572a7d408e1ea2a04fd2f5a23cd7c42db67d5111bf9a7541ab9f005ec9
Tags
rhadamanthys discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f2363a572a7d408e1ea2a04fd2f5a23cd7c42db67d5111bf9a7541ab9f005ec9

Threat Level: Known bad

The file LockBit (1).rar was found to be: Known bad.

Malicious Activity Summary

rhadamanthys discovery stealer

Rhadamanthys

Detect rhadamanthys stealer shellcode

Rhadamanthys family

Executes dropped EXE

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-16 20:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-16 20:29

Reported

2024-11-16 20:31

Platform

win11-20241007-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LockBit (1).rar"

Signatures

Detect rhadamanthys stealer shellcode

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Rhadamanthys

stealer rhadamanthys

Rhadamanthys family

rhadamanthys

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\builder.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Debug\decryptor.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\builder.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Debug\decryptor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\builder.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\builder.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1908 wrote to memory of 3104 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1908 wrote to memory of 3104 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1908 wrote to memory of 3104 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1908 wrote to memory of 3104 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1908 wrote to memory of 3104 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1908 wrote to memory of 3104 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1908 wrote to memory of 3104 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1908 wrote to memory of 3104 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1696 wrote to memory of 660 | N/A | C:\Users\Admin\Desktop\Debug\decryptor.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1696 wrote to memory of 660 | N/A | C:\Users\Admin\Desktop\Debug\decryptor.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1696 wrote to memory of 660 | N/A | C:\Users\Admin\Desktop\Debug\decryptor.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1696 wrote to memory of 660 | N/A | C:\Users\Admin\Desktop\Debug\decryptor.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1696 wrote to memory of 660 | N/A | C:\Users\Admin\Desktop\Debug\decryptor.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1696 wrote to memory of 660 | N/A | C:\Users\Admin\Desktop\Debug\decryptor.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1696 wrote to memory of 660 | N/A | C:\Users\Admin\Desktop\Debug\decryptor.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1696 wrote to memory of 660 | N/A | C:\Users\Admin\Desktop\Debug\decryptor.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3404 wrote to memory of 3152 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3404 wrote to memory of 3152 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3404 wrote to memory of 3152 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3404 wrote to memory of 3152 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3404 wrote to memory of 3152 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3404 wrote to memory of 3152 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3404 wrote to memory of 3152 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3404 wrote to memory of 3152 | N/A | C:\Users\Admin\Desktop\builder.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LockBit (1).rar"

C:\Users\Admin\Desktop\builder.exe

"C:\Users\Admin\Desktop\builder.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1908 -ip 1908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 160

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Debug\decryptor.exe

"C:\Users\Admin\Desktop\Debug\decryptor.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1696 -ip 1696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 660 -ip 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 532

C:\Users\Admin\Desktop\builder.exe

"C:\Users\Admin\Desktop\builder.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3404 -ip 3404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3152 -ip 3152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 468

Network

Files

C:\Users\Admin\AppData\Local\Temp\7zE84057DF7\Debug\decryptor.exe

MD5 2bc873b1b388bff91d12eb1d2ce9ca16
SHA1 72bf0e13509d0d10641dcd6b82be520279759a28
SHA256 89cbb69df65004a0cf5673be11e5625933ebf10683bf33e39a6d137be63649ab
SHA512 de3b17487192e8641da89b2ba88a65b5cd09e131bc588903f6ef39efab333a08d852c8259004c2516dc17ef9b349cdef4ab54ab1d49862e4f0f974973a527225

C:\Users\Admin\AppData\Local\Temp\7zE84057DF7\decryptor\decryptor.pdb

MD5 d28f6d860cc7415c725caaca414a6a32
SHA1 3823cf5c63b6d1ba15a3ca2581e83d830e63074b
SHA256 6b8ef6acb7d99764102dd29c2fc5d6305d2b0106a1247020fe5178985a5499f9
SHA512 2a29d46bfcc52681527fb2833866db04e0ee48c7bd058ca948dfa202a821ffcc544ceab286a2fdb0132c01fadb79990a88d759a1ba04cbbfa6ac4b6d3c1445d6

memory/3104-98-0x0000000000400000-0x0000000000473000-memory.dmp

memory/3104-100-0x0000000000400000-0x0000000000473000-memory.dmp

memory/3104-101-0x0000000000400000-0x0000000000473000-memory.dmp

memory/3104-102-0x0000000000CF0000-0x0000000000CF7000-memory.dmp

memory/3104-103-0x0000000002AB0000-0x0000000002EB0000-memory.dmp

memory/3104-105-0x0000000002AB0000-0x0000000002EB0000-memory.dmp

memory/3104-104-0x0000000002AB0000-0x0000000002EB0000-memory.dmp

memory/3104-106-0x0000000002AB0000-0x0000000002EB0000-memory.dmp

memory/3104-107-0x0000000000400000-0x0000000000473000-memory.dmp

memory/3104-108-0x0000000002AB0000-0x0000000002EB0000-memory.dmp

memory/660-112-0x0000000000400000-0x0000000000473000-memory.dmp

memory/660-115-0x00000000023F0000-0x00000000027F0000-memory.dmp

memory/3152-118-0x0000000000400000-0x0000000000473000-memory.dmp

memory/3152-121-0x0000000002F30000-0x0000000003330000-memory.dmp