Overview

overview

10

Static

static

1

ddd.ps1

windows7-x64

7

ddd.ps1

windows10-2004-x64

10

Resubmissions

07/03/2025, 19:55

250307-ynad7swms2 10

07/03/2025, 17:58

250307-wj7g2atzet 10

Analysis

  • max time kernel
    94s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/03/2025, 17:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ddd.ps1

  • Size

    2.4MB

  • MD5

    5b322ca0eb9655beaf39e4453d141cd2

  • SHA1

    b556cbaf50c2b77fd73d4386f068f0bbffe7504d

  • SHA256

    b2082d4666cd9eb57896b04058438fad6a268e504d877b908ae276b3c68799fe

  • SHA512

    0648609146167599498b41bdb97c02eb0947ba03e44ee63c3448bd6b2508b4bd7054a63671c12120b01240bba810489da68e3f79dc2a7674447ad760127dcc1b

  • SSDEEP

    1536:P26vgn00oR/S7rdvtk76qu6p5LSTFPNWdD7uHzgjw8b560jSKkjptOVNjC5GGQli:bYf

Score
10/10
rhadamanthysdiscoveryexecutionpersistencestealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://94.156.71.221:1485/ba9365b02ebb09b86/kscmx9w7.etux2

Signatures

  • Detects Rhadamanthys payload 1 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:3056
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:5000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ddd.ps1
      1⤵
      • Deletes itself
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1464
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:628
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4228
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 780
          3⤵
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:2924
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5108
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 756
          3⤵
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:4076
      • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3592
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 784
          3⤵
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:316
      • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5088
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 780
          3⤵
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:1188

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
      Filesize

      315B

      MD5

      f1fca28ac1e609a12e5841cb73e952ab

      SHA1

      7a06e4143f96a201b87d9532190a33fd166a588d

      SHA256

      c2bcaf768331a524e6c79bad2aa8f0052741a48f54b5eaba92fa6c0c81f5f60a

      SHA512

      3b40490aaa91d4fc76de628ecf94d0dc180fecc48178c256e8c735ffdecf2613666021b450dc00273daae7c19c7bd54864be93f4b5575469c7dc7b8edfe54f84

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3qyozyi1.2wk.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/628-57-0x0000000005400000-0x0000000005410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/628-61-0x0000000005740000-0x0000000005B40000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1464-73-0x00000000774C0000-0x00000000776D5000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1464-71-0x00007FFCF0B70000-0x00007FFCF0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1464-58-0x0000000005C30000-0x0000000006030000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1464-60-0x0000000005C30000-0x0000000006030000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1464-56-0x00000000032E0000-0x00000000032F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1464-26-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/1464-55-0x00000000032D0000-0x00000000032D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1464-38-0x0000000005760000-0x00000000057F2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1464-37-0x0000000001100000-0x00000000011B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2624-18-0x000001FC2B3B0000-0x000001FC2B5CC000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2624-11-0x00007FFCD2A50000-0x00007FFCD3511000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2624-24-0x000001FC12C70000-0x000001FC12C78000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2624-25-0x000001FC12F50000-0x000001FC12F58000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2624-22-0x000001FC12C30000-0x000001FC12C3A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2624-81-0x00007FFCD2A50000-0x00007FFCD3511000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2624-7-0x000001FC12F20000-0x000001FC12F42000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2624-21-0x000001FC12C40000-0x000001FC12C5A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2624-20-0x000001FC12C10000-0x000001FC12C1E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2624-19-0x00007FFCD2A50000-0x00007FFCD3511000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2624-0-0x00007FFCD2A53000-0x00007FFCD2A55000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2624-17-0x00007FFCD2A50000-0x00007FFCD3511000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2624-16-0x00007FFCD2A50000-0x00007FFCD3511000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2624-15-0x00007FFCD2A53000-0x00007FFCD2A55000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2624-14-0x00007FFCD2A50000-0x00007FFCD3511000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2624-12-0x00007FFCD2A50000-0x00007FFCD3511000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2624-23-0x000001FC12C60000-0x000001FC12C68000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4228-34-0x0000000001660000-0x0000000001670000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5000-74-0x0000000000910000-0x0000000000919000-memory.dmp

      Filesize

      36KB

      Download

    • memory/5000-77-0x00000000026F0000-0x0000000002AF0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/5000-80-0x00000000774C0000-0x00000000776D5000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/5000-78-0x00007FFCF0B70000-0x00007FFCF0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/5108-33-0x0000000001000000-0x0000000001010000-memory.dmp

      Filesize

      64KB

      Download