Overview

overview

10

Static

static

3

Prove rela...à.exe

windows7-x64

10

Prove rela...à.exe

windows10-2004-x64

10

msimg32.dll

windows7-x64

3

msimg32.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-02-2025 14:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Prove relative alla violazione dei diritti di proprietà.exe

  • Size

    6.1MB

  • MD5

    4864a55cff27f686023456a22371e790

  • SHA1

    6ed30c0371fe167d38411bfa6d720fcdcacc4f4c

  • SHA256

    08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2

  • SHA512

    4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb

  • SSDEEP

    98304:VZQIM+/nv/CDoAkYwpAa5ge1zZ/jtdZwUkQ:bJCKlA2VKUz

Score
10/10
rhadamanthysdiscoverypersistencestealer

Malware Config

Signatures

  • Detects Rhadamanthys payload 2 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1112
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1840
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2852
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2864
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2856
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2624
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3032
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1104
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1852
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2036
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:772
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1488
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:992
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1684
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1248
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2900
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1736
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2556
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:832
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2380
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2588
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1252
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1864
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1448
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1664
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2292
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3016
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1896
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:612
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1460
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:760
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:300
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1628
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1180
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2156
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2896
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2464

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Documents\JavaUpdater943034.dll
      Filesize

      32.0MB

      MD5

      cb4e9e216d60f78b77561660b8225cbf

      SHA1

      e5934f0a0b3a59767a5177e1e6d141079d62d84b

      SHA256

      b234f0449e2e998879a11deb0937d7279d28b832348aa9f5c0e911a2dfe3847e

      SHA512

      6384f9006f7b54aad9c29547592749f061339b66de4eeb89b18f654e29fa5e53fc613a57a4e1acd649a60d6606d6414e8550fb852bacba7ae6bc6f71dfdacc25

      Download Submit

    • memory/1252-81-0x0000000000E50000-0x0000000001250000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1252-84-0x0000000076880000-0x00000000768C7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/1252-82-0x0000000076E80000-0x0000000077029000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1684-60-0x0000000076880000-0x00000000768C7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/1684-58-0x0000000076E80000-0x0000000077029000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1840-14-0x0000000000F90000-0x0000000001390000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1840-6-0x0000000000F90000-0x0000000001390000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1840-12-0x0000000076880000-0x00000000768C7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/1840-10-0x0000000076E81000-0x0000000076F82000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1840-9-0x0000000000F90000-0x0000000001390000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1840-8-0x0000000076E80000-0x0000000077029000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1840-7-0x0000000000F90000-0x0000000001390000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1840-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1840-5-0x0000000000F90000-0x0000000001390000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1840-3-0x00000000001C0000-0x0000000000241000-memory.dmp

      Filesize

      516KB

      Download

    • memory/1840-4-0x00000000001C0000-0x0000000000241000-memory.dmp

      Filesize

      516KB

      Download

    • memory/2036-45-0x0000000000EF0000-0x00000000012F0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2036-48-0x0000000076880000-0x00000000768C7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2036-46-0x0000000076E80000-0x0000000077029000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2268-0-0x0000000000250000-0x000000000027D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2268-15-0x0000000002450000-0x00000000024A5000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2556-70-0x0000000076E80000-0x0000000077029000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2556-72-0x0000000076880000-0x00000000768C7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2716-13-0x00000000001C0000-0x00000000001CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2864-22-0x0000000076E80000-0x0000000077029000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2864-24-0x0000000076880000-0x00000000768C7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2864-21-0x0000000000DD0000-0x00000000011D0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3032-34-0x0000000076E80000-0x0000000077029000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3032-36-0x0000000076880000-0x00000000768C7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/3032-33-0x0000000000E30000-0x0000000001230000-memory.dmp

      Filesize

      4.0MB

      Download