Overview

overview

10

Static

static

3

Documento ...ht.exe

windows7-x64

10

Documento ...ht.exe

windows10-2004-x64

10

msimg32.dll

windows7-x64

3

msimg32.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    142s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-02-2025 11:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documento per confermare la violazione del copyright.exe

  • Size

    6.1MB

  • MD5

    4864a55cff27f686023456a22371e790

  • SHA1

    6ed30c0371fe167d38411bfa6d720fcdcacc4f4c

  • SHA256

    08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2

  • SHA512

    4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb

  • SSDEEP

    98304:VZQIM+/nv/CDoAkYwpAa5ge1zZ/jtdZwUkQ:bJCKlA2VKUz

Score
10/10
rhadamanthysdiscoverypersistencestealer

Malware Config

Signatures

  • Detects Rhadamanthys payload 2 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
        "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
          "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2312
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2872
      • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
        "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
          "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2856
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:864
      • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
        "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
          "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2652
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1944
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1704
      • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
        "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
          "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2332
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1668
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1020
      • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
        "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2076
        • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
          "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1660
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1440
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2004
      • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
        "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1644
        • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
          "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2756
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2444
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2512
      • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
        "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2224
        • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
          "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2496
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1916
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1128
      • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
        "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1732
        • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
          "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3008
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1604
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:552
      • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
        "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1952
        • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
          "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1540
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1708
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1876
      • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
        "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2064
        • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
          "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:836
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2344
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\JavaUpdater943034.dll",EntryPoint /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2172
      • C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe
        "C:\Users\Admin\AppData\Local\Temp\Documento per confermare la violazione del copyright.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:636

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1660-58-0x0000000000C30000-0x0000000001030000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1660-59-0x0000000077190000-0x0000000077339000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1660-61-0x0000000075D90000-0x0000000075DD7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2304-14-0x00000000001C0000-0x00000000001CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2312-13-0x0000000075D90000-0x0000000075DD7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2312-5-0x00000000001C0000-0x0000000000241000-memory.dmp

      Filesize

      516KB

      Download

    • memory/2312-7-0x0000000000CB0000-0x00000000010B0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2312-11-0x0000000077191000-0x0000000077292000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2312-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2312-10-0x0000000000CB0000-0x00000000010B0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2312-9-0x0000000077190000-0x0000000077339000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2312-15-0x0000000000CB0000-0x00000000010B0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2312-6-0x0000000000CB0000-0x00000000010B0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2312-4-0x00000000001C0000-0x0000000000241000-memory.dmp

      Filesize

      516KB

      Download

    • memory/2312-8-0x0000000000CB0000-0x00000000010B0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2332-47-0x0000000077190000-0x0000000077339000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2332-49-0x0000000075D90000-0x0000000075DD7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2332-46-0x0000000000DD0000-0x00000000011D0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2376-16-0x0000000002420000-0x0000000002475000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2376-1-0x0000000000250000-0x000000000027D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2496-82-0x0000000000F70000-0x0000000001370000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2496-83-0x0000000077190000-0x0000000077339000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2496-85-0x0000000075D90000-0x0000000075DD7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2652-34-0x0000000000C90000-0x0000000001090000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2652-37-0x0000000075D90000-0x0000000075DD7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2652-35-0x0000000077190000-0x0000000077339000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2756-70-0x0000000000D10000-0x0000000001110000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2756-73-0x0000000075D90000-0x0000000075DD7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2756-71-0x0000000077190000-0x0000000077339000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2856-23-0x0000000077190000-0x0000000077339000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2856-25-0x0000000075D90000-0x0000000075DD7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2856-22-0x0000000000D30000-0x0000000001130000-memory.dmp

      Filesize

      4.0MB

      Download