rhadamanthys | 9fe42ef288a3f08d68bbfc8bf0890fed79eaa1708c20577534e7e9152da3762a

Analysis

max time kernel
120s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YouTube Partner Program Policy Update – Feb 2025.msi
Size

4.1MB
MD5

b0d0a69199f344aded6146246a6e58c9
SHA1

e11795625663a28573487f2b72ba091bac41b624
SHA256

9fe42ef288a3f08d68bbfc8bf0890fed79eaa1708c20577534e7e9152da3762a
SHA512

55a048cfd34bab839011df6eeac3f91b172c114978a7b6f089d9ed490736a5ceb570524a738b6656e0cc90c608776120b1e1f4d7ab85c1f8c3e4190f11cc35c4
SSDEEP

49152:hNK3fuMxhxdsIjE0xHQKu4A3Gi5Dh3JGQIN1KgZiQaH0H721bxNKWkkqQWWIX2OD:CP3hxdssvwKu4kVAQIQvNpkNmOh

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 1 IoCs

resource	yara_rule
behavioral2/memory/5380-61-0x0000000000F00000-0x0000000001022000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5380 created 1076	5380	MSBuild.exe	50

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5848 set thread context of 3676	5848	AppCheckS.exe	92
PID 3676 set thread context of 5380	3676	cmd.exe	94

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{ADA6951C-FDE8-4D6F-AEE6-1105374D8CF4}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI80B9.tmp	msiexec.exe
File created	C:\Windows\Installer\e57802e.msi	msiexec.exe
File created	C:\Windows\Installer\e57802c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57802c.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2860	AppCheckS.exe
5848	AppCheckS.exe

Loads dropped DLL 6 IoCs

pid	Process
2860	AppCheckS.exe
2860	AppCheckS.exe
2860	AppCheckS.exe
5848	AppCheckS.exe
5848	AppCheckS.exe
5848	AppCheckS.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
5252	msiexec.exe
5252	msiexec.exe
2860	AppCheckS.exe
5848	AppCheckS.exe
5848	AppCheckS.exe
3676	cmd.exe
3676	cmd.exe
5380	MSBuild.exe
5380	MSBuild.exe
5380	MSBuild.exe
5380	MSBuild.exe
212	svchost.exe
212	svchost.exe
212	svchost.exe
212	svchost.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5848	AppCheckS.exe
3676	cmd.exe
3676	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	776	msiexec.exe
Token: SeIncreaseQuotaPrivilege	776	msiexec.exe
Token: SeSecurityPrivilege	5252	msiexec.exe
Token: SeCreateTokenPrivilege	776	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	776	msiexec.exe
Token: SeLockMemoryPrivilege	776	msiexec.exe
Token: SeIncreaseQuotaPrivilege	776	msiexec.exe
Token: SeMachineAccountPrivilege	776	msiexec.exe
Token: SeTcbPrivilege	776	msiexec.exe
Token: SeSecurityPrivilege	776	msiexec.exe
Token: SeTakeOwnershipPrivilege	776	msiexec.exe
Token: SeLoadDriverPrivilege	776	msiexec.exe
Token: SeSystemProfilePrivilege	776	msiexec.exe
Token: SeSystemtimePrivilege	776	msiexec.exe
Token: SeProfSingleProcessPrivilege	776	msiexec.exe
Token: SeIncBasePriorityPrivilege	776	msiexec.exe
Token: SeCreatePagefilePrivilege	776	msiexec.exe
Token: SeCreatePermanentPrivilege	776	msiexec.exe
Token: SeBackupPrivilege	776	msiexec.exe
Token: SeRestorePrivilege	776	msiexec.exe
Token: SeShutdownPrivilege	776	msiexec.exe
Token: SeDebugPrivilege	776	msiexec.exe
Token: SeAuditPrivilege	776	msiexec.exe
Token: SeSystemEnvironmentPrivilege	776	msiexec.exe
Token: SeChangeNotifyPrivilege	776	msiexec.exe
Token: SeRemoteShutdownPrivilege	776	msiexec.exe
Token: SeUndockPrivilege	776	msiexec.exe
Token: SeSyncAgentPrivilege	776	msiexec.exe
Token: SeEnableDelegationPrivilege	776	msiexec.exe
Token: SeManageVolumePrivilege	776	msiexec.exe
Token: SeImpersonatePrivilege	776	msiexec.exe
Token: SeCreateGlobalPrivilege	776	msiexec.exe
Token: SeBackupPrivilege	6096	vssvc.exe
Token: SeRestorePrivilege	6096	vssvc.exe
Token: SeAuditPrivilege	6096	vssvc.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
776	msiexec.exe
776	msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5252 wrote to memory of 2860	5252	msiexec.exe	90
PID 5252 wrote to memory of 2860	5252	msiexec.exe	90
PID 2860 wrote to memory of 5848	2860	AppCheckS.exe	91
PID 2860 wrote to memory of 5848	2860	AppCheckS.exe	91
PID 5848 wrote to memory of 3676	5848	AppCheckS.exe	92
PID 5848 wrote to memory of 3676	5848	AppCheckS.exe	92
PID 5848 wrote to memory of 3676	5848	AppCheckS.exe	92
PID 5848 wrote to memory of 3676	5848	AppCheckS.exe	92
PID 3676 wrote to memory of 5380	3676	cmd.exe	94
PID 3676 wrote to memory of 5380	3676	cmd.exe	94
PID 3676 wrote to memory of 5380	3676	cmd.exe	94
PID 3676 wrote to memory of 5380	3676	cmd.exe	94
PID 3676 wrote to memory of 5380	3676	cmd.exe	94
PID 5380 wrote to memory of 212	5380	MSBuild.exe	95
PID 5380 wrote to memory of 212	5380	MSBuild.exe	95
PID 5380 wrote to memory of 212	5380	MSBuild.exe	95
PID 5380 wrote to memory of 212	5380	MSBuild.exe	95
PID 5380 wrote to memory of 212	5380	MSBuild.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1076
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:212

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\YouTube Partner Program Policy Update – Feb 2025.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:776

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5252
- C:\Users\Admin\AppData\Local\Cuttlefish\AppCheckS.exe
  "C:\Users\Admin\AppData\Local\Cuttlefish\AppCheckS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Roaming\Fmlaunch\AppCheckS.exe
    C:\Users\Admin\AppData\Roaming\Fmlaunch\AppCheckS.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:5848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3676
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57802d.rbs

Filesize
9KB

MD5
682ad36d7211658f3c0febcae83534e2

SHA1
ffd7328ab76f224bb72a2b00496923c3d25a0b72

SHA256
8f504c8c25f0026b774b362375c4364abbc76536591ee141ef53fa8de569f576

SHA512
2a49bbe87410c95cf2000f21706c1caac9e5e9ea48cd9645e06bfe064e366553173b67d47baae70a4a1f626eb44d341b4e51d319ae4ac8fc976845dc016bdb66

Download Submit
C:\Users\Admin\AppData\Local\Cuttlefish\AppCheckS.exe

Filesize
1.7MB

MD5
18247442e0f9378e739f650fd51acb4e

SHA1
41c3145d0a63f2cb87ae9f4f6107855ddaa72886

SHA256
a5bf40c29313eb9f0e711bee0d63b411ef35e80ba0fbdcc5964d0539db59290e

SHA512
e4669a7d72fc37b39cd161c6243c2f1f9840e36598a25c1125540f72d6ef4aeddc2ef9b89804137f2c0edba9fcd68e89ba74f9ebfe1bec2aec14e0f7c2e42bc3

Download Submit
C:\Users\Admin\AppData\Local\Cuttlefish\MSVCP140.dll

Filesize
618KB

MD5
9ff712c25312821b8aec84c4f8782a34

SHA1
1a7a250d92a59c3af72a9573cffec2fcfa525f33

SHA256
517cd3aac2177a357cca6032f07ad7360ee8ca212a02dd6e1301bf6cfade2094

SHA512
5a65da337e64ea42bcc461b411ae622ce4dec1036638b1e5de4757b366875d7f13c1290f2ee345f358994f648c5941db35aa5d2313f547605508fd2bcc047e33

Download Submit
C:\Users\Admin\AppData\Local\Cuttlefish\VCRUNTIME140.dll

Filesize
85KB

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
C:\Users\Admin\AppData\Local\Cuttlefish\crump.jpg

Filesize
45KB

MD5
d4ab0589417a189428c501b9d7806d11

SHA1
e5ddbe97e9f2b3169c7536c83d656de73dd6bd8f

SHA256
9e9a3d7b58c7e848fd230b1c9ca46f428aad950b167ee92830596954c90d52b7

SHA512
9b01210f43c1edbae64ab7672f734838a21d737e41b985cf0c4194c15cb6df9aa8a771fcb28eda140812f0b39cf8af8ce368d7cc10e7bf94c4ed4e7b180f2b3c

Download Submit
C:\Users\Admin\AppData\Local\Cuttlefish\logomachy.psd

Filesize
1.6MB

MD5
daaa83807fcddf85cafa42d5b45a5c5f

SHA1
84e95f87436f91fdfa7f0e774c28750757c93a89

SHA256
7a342f324630b45a5e00857a186c3c9c662cb6d453eac08686d599eaa8e96c09

SHA512
4f11f40e401d6ff4da52e249e9af128b6da7c0908839663300950d544210833479c97c5b36bc025542d1b83929e98feda460ac2b3fe355ed14d9869ac4c7f481

Download Submit
C:\Users\Admin\AppData\Local\Cuttlefish\mfc140u.dll

Filesize
5.8MB

MD5
3f5b940545718cce8815e02be8e68619

SHA1
9d41743eb1d700261a908f8bcee532df94d1b102

SHA256
f2f9406a1c3cadf284574b3fa02e9dd1e9fa1b9415871cf0aa23e65aa79ed49b

SHA512
5b9a8ffcbd868266433787436c6fd2867ddd908366bfb4a2cfaf54b032d7d0bdfc0f607eb04a229d90a10ca757cdd29f5d19003e5f4af333994fc6a736bf0bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\52490eb

Filesize
1.8MB

MD5
3a9456789d78eae63d40a742c53b1129

SHA1
0bfb0d8f0c90f46506985183980baf1c9ccdd02b

SHA256
a80e5076ee9d5f1a8244ea868699078aaf82b671d376618b61f32cf3131166d6

SHA512
fd25919b5837a29812966d149548e383523406684ecbcfca4839e41c646b4804f73fef917315ea58dfe2c2f0e303be3be5bca650d14d14a86ac62c8aa7cdfd08

Download Submit
C:\Windows\Installer\e57802c.msi

Filesize
4.1MB

MD5
b0d0a69199f344aded6146246a6e58c9

SHA1
e11795625663a28573487f2b72ba091bac41b624

SHA256
9fe42ef288a3f08d68bbfc8bf0890fed79eaa1708c20577534e7e9152da3762a

SHA512
55a048cfd34bab839011df6eeac3f91b172c114978a7b6f089d9ed490736a5ceb570524a738b6656e0cc90c608776120b1e1f4d7ab85c1f8c3e4190f11cc35c4

Download Submit
memory/212-69-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/212-73-0x00007FFE36390000-0x00007FFE36585000-memory.dmp

Filesize
2.0MB

Download
memory/212-75-0x00000000771C0000-0x00000000773D5000-memory.dmp

Filesize
2.1MB

Download
memory/212-72-0x0000000000CD0000-0x00000000010D0000-memory.dmp

Filesize
4.0MB

Download
memory/2860-33-0x00007FFE171F0000-0x00007FFE17362000-memory.dmp

Filesize
1.4MB

Download
memory/3676-55-0x00007FFE36390000-0x00007FFE36585000-memory.dmp

Filesize
2.0MB

Download
memory/3676-56-0x0000000075990000-0x0000000075B0B000-memory.dmp

Filesize
1.5MB

Download
memory/5380-61-0x0000000000F00000-0x0000000001022000-memory.dmp

Filesize
1.1MB

Download
memory/5380-62-0x0000000002F30000-0x0000000002F38000-memory.dmp

Filesize
32KB

Download
memory/5380-63-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/5380-64-0x0000000005780000-0x0000000005B80000-memory.dmp

Filesize
4.0MB

Download
memory/5380-65-0x0000000005780000-0x0000000005B80000-memory.dmp

Filesize
4.0MB

Download
memory/5380-66-0x00007FFE36390000-0x00007FFE36585000-memory.dmp

Filesize
2.0MB

Download
memory/5380-58-0x0000000074730000-0x0000000075984000-memory.dmp

Filesize
18.3MB

Download
memory/5380-68-0x00000000771C0000-0x00000000773D5000-memory.dmp

Filesize
2.1MB

Download
memory/5848-52-0x00007FFE171F0000-0x00007FFE17362000-memory.dmp

Filesize
1.4MB

Download
memory/5848-51-0x00007FFE171F0000-0x00007FFE17362000-memory.dmp

Filesize
1.4MB

Download