Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
20-02-2025 04:12
General
-
Target
dabfe2b02c36b5f1a7f1c0d96798c944f69f84c4889e2e7e25655bb4d3894f31.msi
-
Size
4.1MB
-
MD5
a11fed7d63b37dcaeb5877df4a978f6d
-
SHA1
2dcb800231cb89fa37aeb092efdfd9cfda07bfa9
-
SHA256
dabfe2b02c36b5f1a7f1c0d96798c944f69f84c4889e2e7e25655bb4d3894f31
-
SHA512
ea6a7a2855ce3b37df0c88702487cf2bf9afc03e06717aa79272c703f26fb798bd4ced36db0454ddd3938d9bd4b95e3ef17bcf3cfd391dd29dc0ce1ccdd27c0c
-
SSDEEP
49152:vNK3fuMxhxdsIjCohpCWAE0MGnqz2jsnCGQNxTKCqX88ctFZGNf32obHmn5TCp6l:4P3hxdss17C6Eqz2jUiUdGobGnGJaQJ
Malware Config
Signatures
-
Detects Rhadamanthys payload 1 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 8 IoCs
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\dabfe2b02c36b5f1a7f1c0d96798c944f69f84c4889e2e7e25655bb4d3894f31.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
-
C:\Users\Admin\AppData\Local\Toadinthehole\AppCheckS.exe"C:\Users\Admin\AppData\Local\Toadinthehole\AppCheckS.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\manageCheck\AppCheckS.exeC:\Users\Admin\AppData\Roaming\manageCheck\AppCheckS.exe3⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD577cd6c173f82c6ce9b3464530ae51c88
SHA19256b6cba938b0b7b90183e7b15cb3be5fd75af0
SHA256bb72c57c91bf7fabf4219a0b7d1884f29a0c0054b70ca0aba1f07de53e0b1608
SHA5122c7d97eb36a3c4994e3398d08f90fa6e694688188567c378af5c22a2bb99bb7bcfdbc6b9c3a03201f9a592baf16302969c47257b8044e99de99e0429e041b4ce
-
Filesize
1.8MB
MD55a0660f4ad48760aecfd0ca058200e5a
SHA1907fad96ba4ccdd74d97459d38225f2d44003a42
SHA2569c5ea6a7e141c5efa642dd86ad2e6789488714a0d9e6ee59253a4b2ecbd5c1cf
SHA512cad7f3903ed45006a2d9de634ddd15b81c852d9568ded7b3855f4a538b14aa7e586f2b71744dbf5e2618cd2537ef17c107245cfbff65813a4aaa52fab96be2a1
-
Filesize
1.7MB
MD518247442e0f9378e739f650fd51acb4e
SHA141c3145d0a63f2cb87ae9f4f6107855ddaa72886
SHA256a5bf40c29313eb9f0e711bee0d63b411ef35e80ba0fbdcc5964d0539db59290e
SHA512e4669a7d72fc37b39cd161c6243c2f1f9840e36598a25c1125540f72d6ef4aeddc2ef9b89804137f2c0edba9fcd68e89ba74f9ebfe1bec2aec14e0f7c2e42bc3
-
Filesize
45KB
MD5d4ab0589417a189428c501b9d7806d11
SHA1e5ddbe97e9f2b3169c7536c83d656de73dd6bd8f
SHA2569e9a3d7b58c7e848fd230b1c9ca46f428aad950b167ee92830596954c90d52b7
SHA5129b01210f43c1edbae64ab7672f734838a21d737e41b985cf0c4194c15cb6df9aa8a771fcb28eda140812f0b39cf8af8ce368d7cc10e7bf94c4ed4e7b180f2b3c
-
Filesize
1.6MB
MD578dd9f575dd49af7499bef1fc1aef917
SHA132dd4fe64e6fb1dfbc53a86e8762d925a0a32d88
SHA256a8f8bcca78c5a328a4dbd3829784f724427a582d3a09397d61a73448c85bd076
SHA51245dc68eefd030e361ea7634f2d046a45180682df2aa050f75ceee5ea12887d49535862b523f870472f9bd11239dea64ad9e62bc02e75cc139319f6ed4359b3f5
-
Filesize
5.8MB
MD53f5b940545718cce8815e02be8e68619
SHA19d41743eb1d700261a908f8bcee532df94d1b102
SHA256f2f9406a1c3cadf284574b3fa02e9dd1e9fa1b9415871cf0aa23e65aa79ed49b
SHA5125b9a8ffcbd868266433787436c6fd2867ddd908366bfb4a2cfaf54b032d7d0bdfc0f607eb04a229d90a10ca757cdd29f5d19003e5f4af333994fc6a736bf0bcb
-
Filesize
618KB
MD59ff712c25312821b8aec84c4f8782a34
SHA11a7a250d92a59c3af72a9573cffec2fcfa525f33
SHA256517cd3aac2177a357cca6032f07ad7360ee8ca212a02dd6e1301bf6cfade2094
SHA5125a65da337e64ea42bcc461b411ae622ce4dec1036638b1e5de4757b366875d7f13c1290f2ee345f358994f648c5941db35aa5d2313f547605508fd2bcc047e33
-
Filesize
85KB
MD5edf9d5c18111d82cf10ec99f6afa6b47
SHA1d247f5b9d4d3061e3d421e0e623595aa40d9493c
SHA256d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb
SHA512bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf
-
Filesize
4.1MB
MD5a11fed7d63b37dcaeb5877df4a978f6d
SHA12dcb800231cb89fa37aeb092efdfd9cfda07bfa9
SHA256dabfe2b02c36b5f1a7f1c0d96798c944f69f84c4889e2e7e25655bb4d3894f31
SHA512ea6a7a2855ce3b37df0c88702487cf2bf9afc03e06717aa79272c703f26fb798bd4ced36db0454ddd3938d9bd4b95e3ef17bcf3cfd391dd29dc0ce1ccdd27c0c
-
Filesize
24.1MB
MD53efb0ddb2ced30c57354551545863593
SHA14ffd9fb9152553ecb4b26d316d26ab106c9f4080
SHA256dcd67e773e8efba368cc9c99f2cdd573863a9121d076d26d9ba1af8c3971856f
SHA5128d08f4942a0bba2f9dedc0e4c07a660c82789eb420a5d21fc0006e2e0f92b6b1285c7381a925ac383a85250a069c2a0a6a90b75e98ce42c12c89594369920f19
-
Filesize
6KB
MD5bf6c5790d3374c739cefe2342118e8f7
SHA183758b47a5425e4c2c4b72ca5b21001a84d29645
SHA25696a6c20a17b91e3325a24cb610266dafde31e05852b1d53f0f7fb12c7b9cfca0
SHA5128cc420ba8bc1c7d72c4cc28647a6731fe9a8f2b0174dbebacb6e1fceccb800971db889a62283daa0ce919c3d8fa11f7550cd8eeb74a462b4642e9503991524a9
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
40KB
-
Filesize
2.1MB
-
Filesize
2.0MB
-
Filesize
4.0MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.4MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
2.0MB
-
Filesize
2.1MB
-
Filesize
1.1MB
-
Filesize
18.3MB
