Analysis

  • max time kernel
    94s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-02-2025 01:39

General

  • Target

    YouTubePartnerProgramPolicyUpdateFebruary2025.msi

  • Size

    4.1MB

  • MD5

    a11fed7d63b37dcaeb5877df4a978f6d

  • SHA1

    2dcb800231cb89fa37aeb092efdfd9cfda07bfa9

  • SHA256

    dabfe2b02c36b5f1a7f1c0d96798c944f69f84c4889e2e7e25655bb4d3894f31

  • SHA512

    ea6a7a2855ce3b37df0c88702487cf2bf9afc03e06717aa79272c703f26fb798bd4ced36db0454ddd3938d9bd4b95e3ef17bcf3cfd391dd29dc0ce1ccdd27c0c

  • SSDEEP

    49152:vNK3fuMxhxdsIjCohpCWAE0MGnqz2jsnCGQNxTKCqX88ctFZGNf32obHmn5TCp6l:4P3hxdss17C6Eqz2jUiUdGobGnGJaQJ

Malware Config

Signatures

  • Detects Rhadamanthys payload 1 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Rhadamanthys family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive. In this report the behaviour is attributed to the two msiexec.exe processes (PIDs 1600 and 2728), for which drive enumeration is normal Windows Installer activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this report the only process flagged for it is vssvc.exe (PID 2964), a Windows component started during the restore-point work, so this hit is more likely installer-side noise than an anti-analysis check by the payload.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. In this run the process tree shows msiexec.exe (PID 2728) spawning srtasks.exe ExecuteScopeRestorePoint and vssvc.exe starting alongside it, which is consistent with Windows Installer creating a system restore point; the shadow-copy metadata entries under Downloads are a by-product of that, and nothing in the tree attributes the VSS activity to the dropped AppCheckS.exe chain.

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2720
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3360
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YouTubePartnerProgramPolicyUpdateFebruary2025.msi
      1⤵
      • Enumerates connected drives
      • Event Triggered Execution: Installer Packages
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1600
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\system32\srtasks.exe
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        2⤵
          PID:3532
        • C:\Users\Admin\AppData\Local\Toadinthehole\AppCheckS.exe
          "C:\Users\Admin\AppData\Local\Toadinthehole\AppCheckS.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4072
          • C:\Users\Admin\AppData\Roaming\manageCheck\AppCheckS.exe
            C:\Users\Admin\AppData\Roaming\manageCheck\AppCheckS.exe
            3⤵
            • Suspicious use of SetThreadContext
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1084
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\SysWOW64\cmd.exe
              4⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:2212
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                5⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:3232
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:2964
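The tree above is the part of this report worth encoding as detection logic: Windows Installer launches a dropped EXE from AppData\Local, that EXE relaunches a copy of itself from AppData\Roaming, the copy starts an argument-less cmd.exe, cmd.exe starts an argument-less 32-bit MSBuild.exe, and a SysWOW64 svchost.exe appears with sihost.exe as its parent. The following Python is an added example, not part of the sandbox report; EVENTS is constructed from the tree as listed (PIDs, images, command lines), and the field names and rules are this example's own assumptions rather than a sandbox or Sysmon schema.

```python
"""Heuristic review of a sandbox process tree for the dropped-EXE to
cmd.exe to MSBuild.exe chain shown in the report above.
EVENTS is constructed from that tree; field names are an assumption."""
import ntpath

EVENTS = [
    {"pid": 2720, "ppid": 0,    "image": r"C:\Windows\system32\sihost.exe",  "cmdline": "sihost.exe"},
    {"pid": 3360, "ppid": 2720, "image": r"C:\Windows\SysWOW64\svchost.exe", "cmdline": r'"C:\Windows\System32\svchost.exe"'},
    {"pid": 1600, "ppid": 0,    "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YouTubePartnerProgramPolicyUpdateFebruary2025.msi"},
    {"pid": 2728, "ppid": 0,    "image": r"C:\Windows\system32\msiexec.exe", "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 3532, "ppid": 2728, "image": r"C:\Windows\system32\srtasks.exe",
     "cmdline": r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"},
    {"pid": 4072, "ppid": 2728, "image": r"C:\Users\Admin\AppData\Local\Toadinthehole\AppCheckS.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Toadinthehole\AppCheckS.exe"'},
    {"pid": 1084, "ppid": 4072, "image": r"C:\Users\Admin\AppData\Roaming\manageCheck\AppCheckS.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\manageCheck\AppCheckS.exe"},
    {"pid": 2212, "ppid": 1084, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"C:\Windows\SysWOW64\cmd.exe"},
    {"pid": 3232, "ppid": 2212, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"pid": 2964, "ppid": 0,    "image": r"C:\Windows\system32\vssvc.exe", "cmdline": r"C:\Windows\system32\vssvc.exe"},
]

# Path fragments treated as user-writable (assumption of this example).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# Binaries whose argument-less launch from a user-writable ancestor is worth a look;
# the report's chain uses cmd.exe and MSBuild.exe, the rest are common .NET LOLBins.
INJECTION_TARGETS = {"cmd.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
                     "installutil.exe", "aspnet_compiler.exe"}


def basename(path):
    return ntpath.basename(path).lower()


def is_user_writable(path):
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE)


def argument_string(cmdline):
    """Everything after the first (optionally quoted) token; '' for a bare launch."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def ancestry(pid, by_pid):
    """Event for pid followed by its parents, stopping at unknown PIDs or loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def review(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if pname == "msiexec.exe" and is_user_writable(e["image"]):
            findings.append((e["pid"], "installer launched a dropped EXE from a user-writable path"))
        if parent and name == pname and e["image"].lower() != parent["image"].lower() \
                and is_user_writable(e["image"]):
            findings.append((e["pid"], "relaunched copy of the parent binary from another user-writable path"))
        if name == "svchost.exe" and pname != "services.exe":
            findings.append((e["pid"], f"svchost.exe with unexpected parent {pname or 'unknown'}"))
        if "\\syswow64\\" in e["image"].lower() and "\\system32\\" in e["cmdline"].lower():
            findings.append((e["pid"], "SysWOW64 image but System32 on the command line: "
                                       "WOW64 redirection, so the creating process was 32-bit"))
        if name in INJECTION_TARGETS and argument_string(e["cmdline"]) == "" \
                and any(is_user_writable(a["image"]) for a in ancestry(e["ppid"], by_pid)):
            findings.append((e["pid"], f"argument-less {name} descended from a user-writable binary"))
    return findings


if __name__ == "__main__":
    for pid, why in review(EVENTS):
        print(f"PID {pid}: {why}")
```

Run stand-alone it prints one line per finding; the six hits land on PIDs 4072, 1084, 2212, 3232 and 3360 (twice), while srtasks.exe, vssvc.exe and the msiexec.exe processes stay clean. The svchost.exe hit is the one to correlate with the NtCreateUserProcessOtherParentProcess signature on MSBuild.exe (PID 3232): a child created under a different parent shows up in the tree exactly like this, under sihost.exe instead of services.exe. None of these rules prove injection by themselves; they reproduce what the tree shows so the same shape can be searched for in endpoint telemetry.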

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Config.Msi\e57b0c3.rbs

        Filesize

        9KB

        MD5

        9e70017af66fa3549b0bd5a716024252

        SHA1

        fc6348c34d78ed80bf34eacae798a70f56ba4fd0

        SHA256

        964d491c9938a98e8a93d14b6bfe343ca265cf8e6ba47eb95b802800de4852f4

        SHA512

        3b71a3f0d4748a797aafbeb39f87d01cf9a38bf37b7782e0a6e99080e368abb0de58a7d6cea549096886afab9af16a26c2db0c6968f45d0a5c5bfc25ceb86d70

      • C:\Users\Admin\AppData\Local\Temp\4bae385d

        Filesize

        1.8MB

        MD5

        5d4e1cd95ee123291d66743245ce8255

        SHA1

        65f96ba5c51c4697b61f0c6d3b84b1b1f68dfb2b

        SHA256

        d1791b396c26ff3236c63d7916b7185d3209e3ce37c808a5fe2b3a04d363ac04

        SHA512

        6404191c97659b09204c97dfa7025ad85d1cba048fa8a29841b3f58bb04e1f7b7ca9acd565bf3e1334db5a6f4447ad7ed2ac55dbd7e628a7b2b7586070c68498

      • C:\Users\Admin\AppData\Local\Toadinthehole\AppCheckS.exe

        Filesize

        1.7MB

        MD5

        18247442e0f9378e739f650fd51acb4e

        SHA1

        41c3145d0a63f2cb87ae9f4f6107855ddaa72886

        SHA256

        a5bf40c29313eb9f0e711bee0d63b411ef35e80ba0fbdcc5964d0539db59290e

        SHA512

        e4669a7d72fc37b39cd161c6243c2f1f9840e36598a25c1125540f72d6ef4aeddc2ef9b89804137f2c0edba9fcd68e89ba74f9ebfe1bec2aec14e0f7c2e42bc3

      • C:\Users\Admin\AppData\Local\Toadinthehole\crump.jpg

        Filesize

        45KB

        MD5

        d4ab0589417a189428c501b9d7806d11

        SHA1

        e5ddbe97e9f2b3169c7536c83d656de73dd6bd8f

        SHA256

        9e9a3d7b58c7e848fd230b1c9ca46f428aad950b167ee92830596954c90d52b7

        SHA512

        9b01210f43c1edbae64ab7672f734838a21d737e41b985cf0c4194c15cb6df9aa8a771fcb28eda140812f0b39cf8af8ce368d7cc10e7bf94c4ed4e7b180f2b3c

      • C:\Users\Admin\AppData\Local\Toadinthehole\logomachy.psd

        Filesize

        1.6MB

        MD5

        78dd9f575dd49af7499bef1fc1aef917

        SHA1

        32dd4fe64e6fb1dfbc53a86e8762d925a0a32d88

        SHA256

        a8f8bcca78c5a328a4dbd3829784f724427a582d3a09397d61a73448c85bd076

        SHA512

        45dc68eefd030e361ea7634f2d046a45180682df2aa050f75ceee5ea12887d49535862b523f870472f9bd11239dea64ad9e62bc02e75cc139319f6ed4359b3f5

      • C:\Users\Admin\AppData\Local\Toadinthehole\mfc140u.dll

        Filesize

        5.8MB

        MD5

        3f5b940545718cce8815e02be8e68619

        SHA1

        9d41743eb1d700261a908f8bcee532df94d1b102

        SHA256

        f2f9406a1c3cadf284574b3fa02e9dd1e9fa1b9415871cf0aa23e65aa79ed49b

        SHA512

        5b9a8ffcbd868266433787436c6fd2867ddd908366bfb4a2cfaf54b032d7d0bdfc0f607eb04a229d90a10ca757cdd29f5d19003e5f4af333994fc6a736bf0bcb

      • C:\Users\Admin\AppData\Local\Toadinthehole\msvcp140.dll

        Filesize

        618KB

        MD5

        9ff712c25312821b8aec84c4f8782a34

        SHA1

        1a7a250d92a59c3af72a9573cffec2fcfa525f33

        SHA256

        517cd3aac2177a357cca6032f07ad7360ee8ca212a02dd6e1301bf6cfade2094

        SHA512

        5a65da337e64ea42bcc461b411ae622ce4dec1036638b1e5de4757b366875d7f13c1290f2ee345f358994f648c5941db35aa5d2313f547605508fd2bcc047e33

      • C:\Users\Admin\AppData\Local\Toadinthehole\vcruntime140.dll

        Filesize

        85KB

        MD5

        edf9d5c18111d82cf10ec99f6afa6b47

        SHA1

        d247f5b9d4d3061e3d421e0e623595aa40d9493c

        SHA256

        d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

        SHA512

        bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

      • C:\Windows\Installer\e57b0c2.msi

        Filesize

        4.1MB

        MD5

        a11fed7d63b37dcaeb5877df4a978f6d

        SHA1

        2dcb800231cb89fa37aeb092efdfd9cfda07bfa9

        SHA256

        dabfe2b02c36b5f1a7f1c0d96798c944f69f84c4889e2e7e25655bb4d3894f31

        SHA512

        ea6a7a2855ce3b37df0c88702487cf2bf9afc03e06717aa79272c703f26fb798bd4ced36db0454ddd3938d9bd4b95e3ef17bcf3cfd391dd29dc0ce1ccdd27c0c

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

        Filesize

        24.1MB

        MD5

        6f2c4bf4b951a17d2456f9f34bb582e7

        SHA1

        b0ec1bbbc34ae4003d25eca9e55e42d4393510fb

        SHA256

        65a1693d7a29fce9386818cdc88edbc5bc01c2543684d91eb5eee13c41636e63

        SHA512

        4c1a310628c2c0338ebe11d9a50059c606ab2b839d750f50ddd3d7570aefe90deeef3a002f16e488153ba941390607586d65b9090b5dc9e768a144617aa517d8

      • \??\Volume{24b92e62-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b808838c-886b-4e75-891a-b7d204e74506}_OnDiskSnapshotProp

        Filesize

        6KB

        MD5

        e6c9114c69338047fd7aa73c31d22cca

        SHA1

        30b08b390d9078048347aae1ba31fffa568869aa

        SHA256

        e41dfdd47b25b0c024aa012805d5adb49bb0395747b041bb84b75b9bb196699c

        SHA512

        bb7a7855cbd4c575d2222528964270e40e70808d37b8879d49b54f1309c5cd8c8341c46a399143a0e61b43d9631131cc185d52d0de9cd010354ef507a0029b66

      • memory/1084-56-0x00007FFF0A020000-0x00007FFF0A192000-memory.dmp

        Filesize

        1.4MB

      • memory/1084-57-0x00007FFF0A020000-0x00007FFF0A192000-memory.dmp

        Filesize

        1.4MB

      • memory/2212-62-0x00007FFF27DD0000-0x00007FFF27FC5000-memory.dmp

        Filesize

        2.0MB

      • memory/2212-63-0x0000000075090000-0x000000007520B000-memory.dmp

        Filesize

        1.5MB

      • memory/3232-71-0x0000000005320000-0x0000000005720000-memory.dmp

        Filesize

        4.0MB

      • memory/3232-65-0x0000000073E30000-0x0000000075084000-memory.dmp

        Filesize

        18.3MB

      • memory/3232-68-0x0000000000B90000-0x0000000000CB2000-memory.dmp

        Filesize

        1.1MB

      • memory/3232-69-0x00000000052F0000-0x00000000052F8000-memory.dmp

        Filesize

        32KB

      • memory/3232-70-0x0000000005300000-0x0000000005310000-memory.dmp

        Filesize

        64KB

      • memory/3232-72-0x0000000005320000-0x0000000005720000-memory.dmp

        Filesize

        4.0MB

      • memory/3232-73-0x00007FFF27DD0000-0x00007FFF27FC5000-memory.dmp

        Filesize

        2.0MB

      • memory/3232-75-0x0000000075610000-0x0000000075825000-memory.dmp

        Filesize

        2.1MB

      • memory/3360-76-0x0000000000350000-0x000000000035A000-memory.dmp

        Filesize

        40KB

      • memory/3360-79-0x0000000000E90000-0x0000000001290000-memory.dmp

        Filesize

        4.0MB

      • memory/3360-82-0x0000000075610000-0x0000000075825000-memory.dmp

        Filesize

        2.1MB

      • memory/3360-80-0x00007FFF27DD0000-0x00007FFF27FC5000-memory.dmp

        Filesize

        2.0MB

      • memory/4072-38-0x00007FFF0A020000-0x00007FFF0A192000-memory.dmp

        Filesize

        1.4MB
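Each memory dump name above encodes the PID, a sequence number and the virtual address range, and the size the report prints is just end minus start. The following Python is an added example, not part of the sandbox report: it parses those names, reproduces the size column, and cross-references the ranges across the processes in the tree. ENTRIES is copied from the listing above; the three interpretation helpers are heuristics of this example, not conclusions the report states.

```python
"""Parse memory/<pid>-<seq>-<start>-<end>-memory.dmp entries and
cross-reference address ranges across PIDs. ENTRIES is taken from the
report's listing; the interpretation helpers are heuristics."""
import re
from collections import defaultdict

ENTRIES = [
    "memory/1084-56-0x00007FFF0A020000-0x00007FFF0A192000-memory.dmp",
    "memory/1084-57-0x00007FFF0A020000-0x00007FFF0A192000-memory.dmp",
    "memory/2212-62-0x00007FFF27DD0000-0x00007FFF27FC5000-memory.dmp",
    "memory/2212-63-0x0000000075090000-0x000000007520B000-memory.dmp",
    "memory/3232-71-0x0000000005320000-0x0000000005720000-memory.dmp",
    "memory/3232-65-0x0000000073E30000-0x0000000075084000-memory.dmp",
    "memory/3232-68-0x0000000000B90000-0x0000000000CB2000-memory.dmp",
    "memory/3232-69-0x00000000052F0000-0x00000000052F8000-memory.dmp",
    "memory/3232-70-0x0000000005300000-0x0000000005310000-memory.dmp",
    "memory/3232-72-0x0000000005320000-0x0000000005720000-memory.dmp",
    "memory/3232-73-0x00007FFF27DD0000-0x00007FFF27FC5000-memory.dmp",
    "memory/3232-75-0x0000000075610000-0x0000000075825000-memory.dmp",
    "memory/3360-76-0x0000000000350000-0x000000000035A000-memory.dmp",
    "memory/3360-79-0x0000000000E90000-0x0000000001290000-memory.dmp",
    "memory/3360-82-0x0000000075610000-0x0000000075825000-memory.dmp",
    "memory/3360-80-0x00007FFF27DD0000-0x00007FFF27FC5000-memory.dmp",
    "memory/4072-38-0x00007FFF0A020000-0x00007FFF0A192000-memory.dmp",
]

ENTRY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_entry(name):
    m = ENTRY_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump entry: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        raise ValueError(f"inverted range in {name}")
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Same rounding as the report: one decimal in MiB from 1 MiB up, whole KiB below."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def shared_ranges(regions):
    """Identical (start, end) seen in more than one PID. At high 64-bit addresses
    this is usually a system DLL at the per-boot ASLR base, so it is a weak signal."""
    by_range = defaultdict(set)
    for r in regions:
        by_range[(r["start"], r["end"])].add(r["pid"])
    return {k: sorted(v) for k, v in by_range.items() if len(v) > 1}


def same_size_different_base(regions):
    """Equal-sized regions at different bases in different PIDs: a candidate for the
    same image mapped into more than one process. Heuristic only."""
    by_size = defaultdict(set)
    for r in regions:
        by_size[r["size"]].add((r["pid"], r["start"]))
    out = {}
    for size, hits in by_size.items():
        if len({s for _, s in hits}) > 1 and len({p for p, _ in hits}) > 1:
            out[size] = sorted(hits)
    return out


def wow64_candidates(regions):
    """PIDs with any region below 4 GiB, consistent with a 32-bit (WOW64) process."""
    return sorted({r["pid"] for r in regions if r["start"] < (1 << 32)})


if __name__ == "__main__":
    regions = [parse_entry(e) for e in ENTRIES]
    for r in regions:
        print(f"PID {r['pid']:5d}  0x{r['start']:016X}-0x{r['end']:016X}  {human_size(r['size'])}")
    print("shared ranges:", {f"0x{s:X}-0x{e:X}": p for (s, e), p in shared_ranges(regions).items()})
    print("same size, different base:", same_size_different_base(regions))
    print("32-bit candidates:", wow64_candidates(regions))
```

Reading the output against the tree: the ranges shared by cmd.exe (2212), MSBuild.exe (3232) and the SysWOW64 svchost.exe (3360) are most plausibly the same system DLL at this boot's ASLR base rather than injected code, and the same goes for the range shared by the two AppCheckS.exe instances. The more interesting hit is the pair of 4.0MB regions at different bases in MSBuild.exe and svchost.exe, which is the shape one would expect if the same payload image were mapped into both; the report does not say so, and only the dumps themselves can confirm it. The sub-4 GiB regions in 2212, 3232 and 3360 agree with those being 32-bit processes, which matches the Framework (not Framework64) MSBuild path and the SysWOW64 images in the tree.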