Overview

overview

10

Static

static

5

0f5bb32071...c2.exe

windows7-x64

10

0f5bb32071...c2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f5bb32071eaf08c67724f035ccd16c7a7d0eff091813698695528f77441f8c2.exe

  • Size

    155.7MB

  • MD5

    1a14c2f212e54dcce5c9cdbe82ea2ac9

  • SHA1

    aa4347a2f7c415f4c6dab663a1645c59513912db

  • SHA256

    0f5bb32071eaf08c67724f035ccd16c7a7d0eff091813698695528f77441f8c2

  • SHA512

    6b4950cecfa7993ce22b87d15cc8d9e8563319c4c3ec9dc8b6488c7d8d78aa4247febd7a468fbe9e4d7716aca705a29c101b7ed4b36e8d6039e5497994991fd6

  • SSDEEP

    3145728:Xm/kfnZZRUWXNShZNxlb3oeUFRGp/K3GgUCoQKAQ6h398AWXNOQ14BDndvdXa:VnTLXwXNf4eUSJK39U8KAQ6hN8AW9H1x

Score
10/10
rhadamanthysdiscoverystealerupx

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 25 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2648
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3744
    • C:\Users\Admin\AppData\Local\Temp\0f5bb32071eaf08c67724f035ccd16c7a7d0eff091813698695528f77441f8c2.exe
      "C:\Users\Admin\AppData\Local\Temp\0f5bb32071eaf08c67724f035ccd16c7a7d0eff091813698695528f77441f8c2.exe"
      1⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Program Files (x86)\sougou\sogou.exe
        "C:\Program Files (x86)\sougou\sogou.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:5016
      • C:\Program Files (x86)\sougou\Soanquan.exe
        "C:\Program Files (x86)\sougou\Soanquan.exe" "C:\Program Files (x86)\sougou\config.ini"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4780
      • C:\Program Files (x86)\sougou\Soanquan.exe
        "C:\Program Files (x86)\sougou\Soanquan.exe" "C:\Program Files (x86)\sougou\so_coflog.ini"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2504
    • C:\Program Files (x86)\sougou\Soanquan.exe
      "C:\Program Files (x86)\sougou\Soanquan.exe" "C:\Program Files (x86)\sougou\config.ini"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:5032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\sougou\Soanquan.exe
      Filesize

      14KB

      MD5

      426dfd5ece3b41970773031637cd5539

      SHA1

      d0fe14f8dab89aaddac8b1c89b1cee48396ec636

      SHA256

      737f08702f00e78dbe78acbeda63b73d04c1f8e741c5282a9aa1409369b6efa8

      SHA512

      5c66ea3360115d6dcc71f6d624a886f3c992c5d30338880b0ba48db77dd7fa744b60a3d65fed63427ebb3a8bcf9b204e9ba1521d8c9f0e804ce0db76befa8935

      Download Submit

    • C:\Program Files (x86)\sougou\alien\core.dll
      Filesize

      25KB

      MD5

      24b6950afd8663a46246044e6b09add8

      SHA1

      6444dab57d93ce987c22da66b3706d5d7fc226da

      SHA256

      9aa3ca96a84eb5606694adb58776c9e926020ef184828b6f7e6f9b50498f7071

      SHA512

      e1967e7e8c3d64b61451254da281415edf9946a6c8a46006f39ae091609c65666c376934b1bdcbd2a7f73adea7aa68e557694f804bf3bc3ce7854fa527e91740

      Download Submit

    • C:\Program Files (x86)\sougou\config.ini
      Filesize

      910KB

      MD5

      93c7ca328e30b4142f1d7202f864eba7

      SHA1

      53dac1968204812a95dedea4b923ed3d1e18b5c1

      SHA256

      01a668544e0bf9ff0ee12f4c090738a8b460c0d183fb4da0169b93d5c02efa7b

      SHA512

      9c68adcb1736d4c4606dbe512df78cca08ba262024d104edb17ceba7014d21eb26747942f4b92c6b87bec537d781c0c00031b581010b67d5f21a4f34b7581441

      Download Submit

    • C:\Program Files (x86)\sougou\lua5.1.dll
      Filesize

      164KB

      MD5

      24a0d2ef5b931a2a13341a2503b1de80

      SHA1

      6201347d1ded92d365126a1225768e11c33ee818

      SHA256

      fbbe7ee073d0290ac13c98b92a8405ea04dcc6837b4144889885dd70679e933f

      SHA512

      5e06f88bb3920cef40a4941efb3b4d3012edf868cc3042f9dbc1989c76b410b4e2da12c20ae2fbcffe5525b43aeca8875e51167d0ce041864d546fdb2e1fecd2

      Download Submit

    • C:\Program Files (x86)\sougou\so_coflog.ini
      Filesize

      636KB

      MD5

      eeadda0c0f0a3d77aa19cb86ac98e409

      SHA1

      121ac4e1803cf702a6cd203d6e8716a00f8bfbf0

      SHA256

      ba034a63c036c13bdcac8c147353c377ea48b41361a570bbfd553c3e4e0557aa

      SHA512

      20741145f3997fccb65676ca9e08d4fc47fcf7af72a7c00fd2a967d3f93c1c090f4abf3a2d2a0f074f8a45b1d92823ded9649afa7c415f330514083ef04e8ebb

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Soanquan.exe.log
      Filesize

      521B

      MD5

      82fd1c0a56b8af6ad97d973328281509

      SHA1

      5b4d01cb01d2e5e62dd3026de96dcf37f5713b89

      SHA256

      a57a4a3a9e484a52872a0c105ac939bf91e97033f4e40c21e5fd03f0bf8bc548

      SHA512

      3ced1456093d84e9617e630d06128da646b41720e873822c37cb40b4698919c4c543250ab9f191d73d6aac1109206655faa179dd781a578e1f778fe92b9a4b08

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nshD7A4.tmp\INetC.dll
      Filesize

      25KB

      MD5

      40d7eca32b2f4d29db98715dd45bfac5

      SHA1

      124df3f617f562e46095776454e1c0c7bb791cc7

      SHA256

      85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

      SHA512

      5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nshD7A4.tmp\nsArray.dll
      Filesize

      12KB

      MD5

      da4bc09439ed21faf7620a53433aac92

      SHA1

      94e3347aebe16cb88b9f29f00134d9e0fb67e508

      SHA256

      216d68d3f0b37bb2203b3a438a84a089e8c388608f46377ad7e7d6a2709cf9b0

      SHA512

      920294456e8fee0c4137e4b4ba1389f09ade297d6ed49d78a9593d129dbb5eb048da2cbff7ac29687999991d5f38657cb31af73e2ccf6b8b9ce29480d4d81ec6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsiF416.tmp\HWSignature.dll
      Filesize

      138KB

      MD5

      154aea6ca8875fe8023f5f0554adbe60

      SHA1

      54a6c770e4ab3aef95782f1bc647ab664163d42f

      SHA256

      e035633d5a97dbc492d125a379a198ddadb09547d4b576552016e690a573e339

      SHA512

      93063a15acf077e0de9634eef68d21a3243be36a3a02f44065cac7c279ddc06a9a9e2ea5ef8f5d70662d6b9a710f988a0455b78aa8f8092155acfd359ae976ec

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsiF416.tmp\ImageMagik.dll
      Filesize

      5.9MB

      MD5

      745007cd039d16bbbe05e308c223c8b0

      SHA1

      f3fc435a325118cbb4af4219bc41755c245afe54

      SHA256

      b550ed8935bbc51571aabfb5c3130d295909df89e7c4c1e204f219d88a652332

      SHA512

      40d1146fd001f138d0ecd0516078364947f180431bec36a689e03e5fadd4851ec5b6cd5862fc1702231c5a442c1be4bf6c0d759ca333f939cd74d55fc64cad74

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsiF416.tmp\InstallOptions.dll
      Filesize

      15KB

      MD5

      34d24e6ecdfb6859096816436c5875da

      SHA1

      a4504b5eccc48ce867623dd1d081a760ab70a12f

      SHA256

      734d6299964cab87eeeb5f8c7e5bdf6aa8c3e29d938fdd1ada6addcd5006de28

      SHA512

      cf163ef71ed297259371d5bb352f8b0ef5e8bab9ad2168a26714e2d9f9037af87ec48b7e983b9fa9dc3f478c02cc0775583d52aca7604f3ac1e4a8882b3ecad9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsiF416.tmp\SetupLib.dll
      Filesize

      6.0MB

      MD5

      b713d9c939fe455aea4be2eb94215730

      SHA1

      c51af6b0be8452f77056d7a4a8554c8cb21c6ddb

      SHA256

      7dd85f1d4725ff05c35b6c0632992523a3f1cadb6294f516ef2528738b3a53af

      SHA512

      1185b1002c85aa832f380e81a45d50b0a6b44d9b87eefc1a0325c0dfbf921d2b9f531c81d564723874f555a10e2516fa1e6bd91a7e473893083998a57b8e2fed

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsiF416.tmp\SetupLibNew.dll
      Filesize

      3.9MB

      MD5

      72fb079823f0e6c80caff804cf626ca9

      SHA1

      464ae7293affcadd0aafec8a52635bcc92047e55

      SHA256

      23a25b73fd5d66aef3abc0c90b1eeff2fd3921a7d49aa69891e926139969b31e

      SHA512

      431d0e3469785981760185b38813148154fecb82abe37431c0591873e462ad597ad1449c29f3619b10f4435c08bbe231877f8debf9c48a26f258c5fef16b52c4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsiF416.tmp\System.dll
      Filesize

      11KB

      MD5

      c51fc979c1c3e17bece7bd194aeb6ea2

      SHA1

      9a5d000d6393f2980062b4cc6e8f543493b1be8f

      SHA256

      93a8e95708882e56250ae55aef93417333b2dbe7ea99590abed34cdca2227e61

      SHA512

      716cdeb890307ff42901464dd24aa94e29415ef20d4e975c2733e34330fdf85edfd4ad9e00878edbe98921deebe44153279cb95acb309c5e1812026716dcdc4e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsiF416.tmp\ioSpecial.ini
      Filesize

      958B

      MD5

      254f1d640d048da862bfae63fc161314

      SHA1

      fbbf4ba248a09caa8c7758410fb7a5043be0fe83

      SHA256

      66d7b4061f2ca10f11f6ff49efa151b6976557c03b5558b518e167b9e5fceaca

      SHA512

      0a74ca1334d6f0912487ddcfd2543e0923259c7257081d3751f0122f2cadb79922fde30b1ebe83f0dba92acf8c2aa496a80cc608f327d994f012d37865bb262a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsiF416.tmp\ioSpecial.ini
      Filesize

      1010B

      MD5

      718624ff0f0d3cf2442dcf8ce14011b4

      SHA1

      a0a46f861bd81c24bb34e0fef990d56bce0f9876

      SHA256

      4f617a8fd8c8247936a0b13dcfc282f41fa6e78df0be5708f352ed238e5b0550

      SHA512

      67c102fd45571972fb4a809e6a71fe22d28fb263e20096a97356b445ca7e74721739b789655e87a8347d8fce84dc77ab01a40947e8e844a0bac2a40d405a9b03

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsiF416.tmp\validate.ini
      Filesize

      87B

      MD5

      59da6b50ff42da1a3230fbca1bd90e11

      SHA1

      6870be998befa4bf02e8824e0a101303fe76ef4f

      SHA256

      5f60c14e1d82e49f4dd48c648c31bd572adf7a6e236aa7b2a8854bbc90d21c4a

      SHA512

      e3e7061e1ca6d8ce0ebca216d88988247cb6b824b19fe2ed1fd4dfb19bdbb9d231655b378d0990cc51b3df82183cbb28818f60d2efb9cb40daf58ef183ba2a19

      Download Submit

    • memory/2504-67-0x00000000005A0000-0x00000000005C8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2504-70-0x00000000021C0000-0x00000000025C0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2504-65-0x00000000021C0000-0x00000000025C0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2504-69-0x00000000021C0000-0x00000000025C0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2504-68-0x00000000005D0000-0x00000000005D9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2504-75-0x00000000021C0000-0x00000000025C0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2504-72-0x00007FF8FDB70000-0x00007FF8FDD65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2504-80-0x00000000021C0000-0x00000000025C0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2504-76-0x00000000773E0000-0x00000000775F5000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/3744-77-0x00000000003E0000-0x00000000003E9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3744-84-0x00000000773E0000-0x00000000775F5000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/3744-81-0x0000000002360000-0x0000000002760000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3744-82-0x00007FF8FDB70000-0x00007FF8FDD65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4780-78-0x0000000004A60000-0x0000000004A82000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4780-73-0x00000000049D0000-0x0000000004A38000-memory.dmp

      Filesize

      416KB

      Download

    • memory/4780-85-0x0000000005060000-0x0000000005067000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4780-66-0x0000000000590000-0x00000000005C9000-memory.dmp

      Filesize

      228KB

      Download

    • memory/5016-131-0x00000000056B0000-0x00000000056D5000-memory.dmp

      Filesize

      148KB

      Download

    • memory/5016-120-0x000000006DAC0000-0x000000006DAD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5016-111-0x0000000005820000-0x0000000005C16000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/5016-104-0x000000006DAD0000-0x000000006DAE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5016-37-0x0000000000400000-0x00000000006DD000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/5016-230-0x0000000000400000-0x00000000006DD000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/5032-233-0x00000000059F0000-0x0000000005A8C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/5032-234-0x0000000005A90000-0x0000000005AF6000-memory.dmp

      Filesize

      408KB

      Download