Overview

overview

10

Static

static

1

ddd.ps1

windows7-x64

7

ddd.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/03/2025, 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ddd.ps1

  • Size

    2.4MB

  • MD5

    5b322ca0eb9655beaf39e4453d141cd2

  • SHA1

    b556cbaf50c2b77fd73d4386f068f0bbffe7504d

  • SHA256

    b2082d4666cd9eb57896b04058438fad6a268e504d877b908ae276b3c68799fe

  • SHA512

    0648609146167599498b41bdb97c02eb0947ba03e44ee63c3448bd6b2508b4bd7054a63671c12120b01240bba810489da68e3f79dc2a7674447ad760127dcc1b

  • SSDEEP

    1536:P26vgn00oR/S7rdvtk76qu6p5LSTFPNWdD7uHzgjw8b560jSKkjptOVNjC5GGQli:bYf

Score
10/10
rhadamanthysdiscoveryexecutionpersistencestealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://94.156.71.221:1485/ba9365b02ebb09b86/kscmx9w7.etux2

Signatures

  • Detects Rhadamanthys payload 1 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2764
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4524
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:3796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ddd.ps1
      1⤵
      • Deletes itself
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1520
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1312
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 756
          3⤵
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:2408
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3088
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 756
          3⤵
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:4016
      • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3236
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 784
          3⤵
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:4372
      • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3700
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 776
          3⤵
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:4012

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Windows\WER\Temp\WER23FF.tmp.xml
      Filesize

      4KB

      MD5

      a8ce2b2a6d51359e3fa083b8a3a7a5b6

      SHA1

      d1bcd08c169bf81bf1d8ee393b154d1a6cd147b5

      SHA256

      fb7753fb7767b80ad295827d5365929f01a60e39523ad7752b564a397e3ea675

      SHA512

      e3e1229dac4bf848626b47c3672d8c411557dfb26d28c26509b00433a4948439b96c73cb2930ffefb024aafe11eaab0cc122d9fbd23786b787c1f3e5b42963f4

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
      Filesize

      315B

      MD5

      f1fca28ac1e609a12e5841cb73e952ab

      SHA1

      7a06e4143f96a201b87d9532190a33fd166a588d

      SHA256

      c2bcaf768331a524e6c79bad2aa8f0052741a48f54b5eaba92fa6c0c81f5f60a

      SHA512

      3b40490aaa91d4fc76de628ecf94d0dc180fecc48178c256e8c735ffdecf2613666021b450dc00273daae7c19c7bd54864be93f4b5575469c7dc7b8edfe54f84

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zwhaiqrx.nk1.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/1312-58-0x0000000002550000-0x0000000002560000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1312-60-0x0000000005760000-0x0000000005B60000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1312-68-0x00007FFC65530000-0x00007FFC65725000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1312-38-0x0000000004B50000-0x0000000004BE2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1312-70-0x0000000076BF0000-0x0000000076E05000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1520-55-0x0000000003020000-0x0000000003030000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1520-56-0x00000000058D0000-0x0000000005CD0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1520-37-0x0000000001100000-0x00000000011B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/1520-57-0x00000000058D0000-0x0000000005CD0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1520-54-0x0000000003010000-0x0000000003018000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1520-61-0x00007FFC65530000-0x00007FFC65725000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1520-66-0x0000000076BF0000-0x0000000076E05000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1520-25-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2916-33-0x0000000001830000-0x0000000001840000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3088-35-0x0000000000A60000-0x0000000000A70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3236-34-0x0000000000C80000-0x0000000000C90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3700-36-0x0000000001890000-0x00000000018A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3796-80-0x0000000002970000-0x0000000002D70000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4524-67-0x0000000000CD0000-0x0000000000CD9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4524-83-0x0000000076BF0000-0x0000000076E05000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4524-77-0x0000000002910000-0x0000000002D10000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4524-81-0x00007FFC65530000-0x00007FFC65725000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/5060-0-0x00007FFC474B3000-0x00007FFC474B5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5060-21-0x0000014035C10000-0x0000014035C1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5060-19-0x0000014035BF0000-0x0000014035BFE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5060-18-0x00007FFC474B0000-0x00007FFC47F71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5060-17-0x00007FFC474B0000-0x00007FFC47F71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5060-24-0x0000014035EB0000-0x0000014035EB8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/5060-15-0x00007FFC474B3000-0x00007FFC474B5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5060-20-0x0000014035C20000-0x0000014035C3A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5060-22-0x0000014035C40000-0x0000014035C48000-memory.dmp

      Filesize

      32KB

      Download

    • memory/5060-16-0x00007FFC474B0000-0x00007FFC47F71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5060-23-0x0000014035C50000-0x0000014035C58000-memory.dmp

      Filesize

      32KB

      Download

    • memory/5060-14-0x00007FFC474B0000-0x00007FFC47F71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5060-12-0x00007FFC474B0000-0x00007FFC47F71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5060-11-0x00007FFC474B0000-0x00007FFC47F71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5060-1-0x0000014035E60000-0x0000014035E82000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5060-84-0x00007FFC474B0000-0x00007FFC47F71000-memory.dmp

      Filesize

      10.8MB

      Download