Overview

overview

10

Static

static

3

Prove rela...à.exe

windows7-x64

10

Prove rela...à.exe

windows10-2004-x64

10

msimg32.dll

windows7-x64

3

msimg32.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    04/02/2025, 04:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Prove relative alla violazione dei diritti di proprietà.exe

  • Size

    6.1MB

  • MD5

    4864a55cff27f686023456a22371e790

  • SHA1

    6ed30c0371fe167d38411bfa6d720fcdcacc4f4c

  • SHA256

    08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2

  • SHA512

    4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb

  • SSDEEP

    98304:VZQIM+/nv/CDoAkYwpAa5ge1zZ/jtdZwUkQ:bJCKlA2VKUz

Score
10/10
rhadamanthysdiscoverypersistencestealer

Malware Config

Signatures

  • Detects Rhadamanthys payload 2 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2576
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2952
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2252
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2816
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2856
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2752
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1936
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2932
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1340
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1376
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2732
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2996
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1028
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1144
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1740
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1608
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1880
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:532
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1596
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2184
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:848
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1972
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1588
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2360
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1672
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2156
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1720
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1528
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2540
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2472
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:884
      • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
        "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2256
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2308
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1888
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
              PID:2608
        • C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe
          "C:\Users\Admin\AppData\Local\Temp\Prove relative alla violazione dei diritti di proprietà.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1580

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Documents\JavaUpdater943034.dll
        Filesize

        1.4MB

        MD5

        d902e3c8b97e32b76f468aa818e06836

        SHA1

        9638c61d57e100a63ac6652fe1c36927c9a53dcd

        SHA256

        d72744bf0ba8e940fbe021858e43fe37b59cdd9c129162ff1741325f23ac4174

        SHA512

        31b42dd8e2739949cfa762d06a289c973eb69089ae099e2af523a08e4128f48dc78ba5c40f7b08ec4eb8b6a2953d1ebc4171de8842bc58f32e35be37dd6ca5b2

        Download Submit

      • C:\Users\Admin\Documents\JavaUpdater943034.dll
        Filesize

        32.0MB

        MD5

        cb4e9e216d60f78b77561660b8225cbf

        SHA1

        e5934f0a0b3a59767a5177e1e6d141079d62d84b

        SHA256

        b234f0449e2e998879a11deb0937d7279d28b832348aa9f5c0e911a2dfe3847e

        SHA512

        6384f9006f7b54aad9c29547592749f061339b66de4eeb89b18f654e29fa5e53fc613a57a4e1acd649a60d6606d6414e8550fb852bacba7ae6bc6f71dfdacc25

        Download Submit

      • memory/848-81-0x0000000077080000-0x0000000077229000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/848-83-0x0000000076630000-0x0000000076677000-memory.dmp

        Filesize

        284KB

        Download

      • memory/848-80-0x0000000000C70000-0x0000000001070000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1028-57-0x0000000077080000-0x0000000077229000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1028-59-0x0000000076630000-0x0000000076677000-memory.dmp

        Filesize

        284KB

        Download

      • memory/1340-45-0x0000000000C90000-0x0000000001090000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1340-47-0x0000000076630000-0x0000000076677000-memory.dmp

        Filesize

        284KB

        Download

      • memory/1880-71-0x0000000076630000-0x0000000076677000-memory.dmp

        Filesize

        284KB

        Download

      • memory/1880-69-0x0000000077080000-0x0000000077229000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1880-68-0x0000000000F90000-0x0000000001390000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1936-33-0x0000000000D10000-0x0000000001110000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1936-34-0x0000000077080000-0x0000000077229000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1936-36-0x0000000076630000-0x0000000076677000-memory.dmp

        Filesize

        284KB

        Download

      • memory/2036-13-0x00000000001C0000-0x00000000001CA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2576-14-0x0000000000E30000-0x0000000001230000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2576-6-0x0000000000E30000-0x0000000001230000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2576-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2576-3-0x00000000001C0000-0x0000000000241000-memory.dmp

        Filesize

        516KB

        Download

      • memory/2576-4-0x00000000001C0000-0x0000000000241000-memory.dmp

        Filesize

        516KB

        Download

      • memory/2576-8-0x0000000077080000-0x0000000077229000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2576-10-0x0000000076630000-0x0000000076677000-memory.dmp

        Filesize

        284KB

        Download

      • memory/2576-11-0x0000000000E30000-0x0000000001230000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2576-12-0x0000000077081000-0x0000000077182000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2576-5-0x0000000000E30000-0x0000000001230000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2576-7-0x0000000000E30000-0x0000000001230000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2616-0-0x00000000003D0000-0x00000000003FD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2616-15-0x00000000022A0000-0x00000000022F5000-memory.dmp

        Filesize

        340KB

        Download

      • memory/2816-21-0x0000000000E90000-0x0000000001290000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2816-24-0x0000000076630000-0x0000000076677000-memory.dmp

        Filesize

        284KB

        Download

      • memory/2816-22-0x0000000077080000-0x0000000077229000-memory.dmp

        Filesize

        1.7MB

        Download