Analysis
-
max time kernel
118s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
09-06-2024 12:53
General
-
Target
Installer.exe
-
Size
165.2MB
-
MD5
40c4d987742c851d15d1c8eb36564634
-
SHA1
e5ce265f0a6fbb8a0b22964ecd86bdf81b6efc6a
-
SHA256
ed5fad1077cab43a43f700a67577e30ae4537f5b42cf1544da423253cea3c2a8
-
SHA512
0a0246c78d21967f36b86fbe733b89c94c2e8efd827f0decc80bc14f39bf2c9a8cc7eddd9ad2b71ac9f06b8e76d6ed83914b2230a1768e100956e9a36580b6d9
-
SSDEEP
786432:29/wSomYEPyyRIekBWSnJtLeiWvaGJSF5FXMw/93IYSSL/4azYFSbLP5njZUn:29TFYbFEAJtCiWvA5FXMmtQuvPUn
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 6 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer.exe"2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\launcher289\connection1404.exe"C:\Program Files\launcher289\connection1404.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\launcher289\update1404.exe"C:\Program Files\launcher289\update1404.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\launcher289\connection1404.exeFilesize
19.5MB
MD52f3aa0119c4953af8f8c156330089ba6
SHA1a8cdb9a58428fb0aab1bacebcbba67fc1405ab13
SHA2567cd7ee94293b7ea648e9514f47206aa56a00c6e4f40025fba4b454c70ec95a80
SHA512f41994a479350a0a4b0f7c961fa501e93a268e885baa046b839b99fdff8202a1a1ebdeea3b5cbff088b499735e26a0934f89c81a1ed0a38dd9bca37885017dab
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD50fb4d88c6fe4e1bc527ef99dcaf14b0d
SHA1f0a9606210f0f34538b677e45a580fbeac4fd1a6
SHA256b0f339a9c1840abe99042814eb8d58eb2f65dcb791a01cccabb4332d713d87aa
SHA5128dac463a3ce20fc03926d18f77d9088be9d5236027ad9e7e0b6d6b49257837084944975fd41f15cc42455d6e14194963f2c0ada8217ed7bc2161dd4d11373b7d
-
\Program Files\launcher289\update1404.exeFilesize
18.6MB
MD5483d1a5aef48a3fe4776b71188b82c77
SHA1e34779d6bcdf75e015252f95214fd007ffdddb27
SHA256d62c629ac4d72655e39bf77d618c16eb1812618f9e44398d37c33912f4acd04e
SHA5123f38d00ed3f53c99f796468afd1b653c61286a80aff2023c781e04973adcb4c2a94f242ba4ce217c4cb0b243a18b63f698479ac4a2ecb34404d8135a14d2903f
-
\Users\Admin\AppData\Local\Temp\.net\Installer\EPoBJDucgcyc+xnA_3gbzJsd6Thp7Wo=\D3DCompiler_47_cor3.dllFilesize
4.7MB
MD5a7349236212b0e5cec2978f2cfa49a1a
SHA15abb08949162fd1985b89ffad40aaf5fc769017e
SHA256a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082
SHA512c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02
-
\Users\Admin\AppData\Local\Temp\.net\Installer\EPoBJDucgcyc+xnA_3gbzJsd6Thp7Wo=\PresentationNative_cor3.dllFilesize
1.2MB
MD5e67dff697095b778ab6b76229c005811
SHA188a54a3e3ff2bf83a76bbf5df8a0e50bdb36bcdc
SHA256e92b997f6f3a10b43d3fdc7743307228aa3b0a43430af60ccb06efa154d37e6a
SHA5126f2a2bbbfa0464537fccb53d40239a294dca8fd477e79d70cd9f74079da48525a300675d3b0daae292432adbb9dd099fd4dc95b6fe2794f4c5f3a7e56e15ef51
-
\Users\Admin\AppData\Local\Temp\.net\Installer\EPoBJDucgcyc+xnA_3gbzJsd6Thp7Wo=\wpfgfx_cor3.dllFilesize
1.9MB
MD5a71862451605c3fd136c4fa209791815
SHA18dd7f71f7d657d24e0d2649a79b9901b8fe99bc1
SHA256e793bb093c52726090f3590d2abe142e8bc4bdf19796984aef82751ba4b1be6a
SHA512dbecec9bae98e3d5fe68f9c9a71e3f11322fa3b6b2f9665a377f825ba13c1245d003f484aae62e27c014f4728eaa90d7f24c5ef7ab8baf6e85c7d394c85fae53
-
memory/972-247-0x000007FEF45F0000-0x000007FEF4F8D000-memory.dmpFilesize
9.6MB
-
memory/972-246-0x000007FEF45F0000-0x000007FEF4F8D000-memory.dmpFilesize
9.6MB
-
memory/972-245-0x00000000027E0000-0x00000000027E8000-memory.dmpFilesize
32KB
-
memory/972-244-0x000007FEF45F0000-0x000007FEF4F8D000-memory.dmpFilesize
9.6MB
-
memory/972-242-0x000000001B680000-0x000000001B962000-memory.dmpFilesize
2.9MB
-
memory/972-243-0x000007FEF45F0000-0x000007FEF4F8D000-memory.dmpFilesize
9.6MB
-
memory/972-241-0x000007FEF48AE000-0x000007FEF48AF000-memory.dmpFilesize
4KB
-
memory/2792-277-0x000000001B670000-0x000000001B952000-memory.dmpFilesize
2.9MB
-
memory/2792-278-0x0000000001D20000-0x0000000001D28000-memory.dmpFilesize
32KB
-
memory/3008-58-0x0000000002140000-0x0000000002150000-memory.dmpFilesize
64KB
-
memory/3008-42-0x0000000001E90000-0x0000000001EB0000-memory.dmpFilesize
128KB
-
memory/3008-18-0x0000000003A60000-0x0000000004020000-memory.dmpFilesize
5.8MB
-
memory/3008-14-0x00000000002F0000-0x0000000000320000-memory.dmpFilesize
192KB
-
memory/3008-26-0x0000000000340000-0x0000000000350000-memory.dmpFilesize
64KB
-
memory/3008-30-0x0000000001F50000-0x0000000001FE0000-memory.dmpFilesize
576KB
-
memory/3008-187-0x0000000006100000-0x000000000610A000-memory.dmpFilesize
40KB
-
memory/3008-236-0x0000000140165000-0x0000000140166000-memory.dmpFilesize
4KB
-
memory/3008-38-0x0000000001E50000-0x0000000001E60000-memory.dmpFilesize
64KB
-
memory/3008-22-0x0000000004020000-0x0000000004130000-memory.dmpFilesize
1.1MB
-
memory/3008-46-0x0000000001EB0000-0x0000000001ED0000-memory.dmpFilesize
128KB
-
memory/3008-50-0x0000000004830000-0x0000000004B80000-memory.dmpFilesize
3.3MB
-
memory/3008-54-0x00000000024E0000-0x0000000002520000-memory.dmpFilesize
256KB
-
memory/3008-5-0x0000000002B40000-0x0000000002F60000-memory.dmpFilesize
4.1MB
-
memory/3008-62-0x0000000002150000-0x0000000002160000-memory.dmpFilesize
64KB
-
memory/3008-66-0x0000000003270000-0x0000000003280000-memory.dmpFilesize
64KB
-
memory/3008-70-0x00000000032A0000-0x00000000032B0000-memory.dmpFilesize
64KB
-
memory/3008-102-0x0000000140165000-0x0000000140166000-memory.dmpFilesize
4KB
-
memory/3008-34-0x0000000001C90000-0x0000000001CB0000-memory.dmpFilesize
128KB
-
memory/3008-12-0x000000000C2A0000-0x00000000112F0000-memory.dmpFilesize
80.3MB