Analysis
- max time kernel: 118s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 09-06-2024 12:53
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample Installer.exe, resource win7-20240508-en)
- Behavioral task: behavioral2 (sample Installer.exe, resource win10v2004-20240508-en)
General
- Target: Installer.exe
- Size: 165.2MB
- MD5: 40c4d987742c851d15d1c8eb36564634
- SHA1: e5ce265f0a6fbb8a0b22964ecd86bdf81b6efc6a
- SHA256: ed5fad1077cab43a43f700a67577e30ae4537f5b42cf1544da423253cea3c2a8
- SHA512: 0a0246c78d21967f36b86fbe733b89c94c2e8efd827f0decc80bc14f39bf2c9a8cc7eddd9ad2b71ac9f06b8e76d6ed83914b2230a1768e100956e9a36580b6d9
- SSDEEP: 786432:29/wSomYEPyyRIekBWSnJtLeiWvaGJSF5FXMw/93IYSSL/4azYFSbLP5njZUn:29TFYbFEAJtCiWvA5FXMmtQuvPUn
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  description             pid   process            target process
  PID 1824 created 1204   1824  BitLockerToGo.exe  Explorer.EXE
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  972   powershell.exe
  2792  powershell.exe
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  2664  connection1404.exe
  1696  update1404.exe
-
Loads dropped DLL 5 IoCs
Processes:
  pid   process
  3008  Installer.exe (listed 5 times, one per loaded DLL)
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description                          pid   process             target process
  PID 2664 set thread context of 856   2664  connection1404.exe  BitLockerToGo.exe
  PID 1696 set thread context of 1824  1696  update1404.exe      BitLockerToGo.exe
-
Drops file in Program Files directory 6 IoCs
Processes:
  description                  ioc                                                process
  File created                 C:\Program Files\launcher289\update1404.zip        Installer.exe
  File created                 C:\Program Files\launcher289\update1404.exe        Installer.exe
  File opened for modification C:\Program Files\launcher289\update1404.exe        Installer.exe
  File created                 C:\Program Files\launcher289\connection1404.zip    Installer.exe
  File created                 C:\Program Files\launcher289\connection1404.exe    Installer.exe
  File opened for modification C:\Program Files\launcher289\connection1404.exe    Installer.exe
-
Modifies system certificate store
Processes:
  description       ioc                                                                                                           process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8       Installer.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted)  Installer.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
  pid   process
  972   powershell.exe
  2792  powershell.exe
  1824  BitLockerToGo.exe (listed 2 times)
  2456  dialer.exe (listed 4 times)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description               pid   process
  Token: SeDebugPrivilege   3008  Installer.exe
  Token: SeDebugPrivilege   972   powershell.exe
  Token: SeDebugPrivilege   2792  powershell.exe
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
  description                      pid   process             target process       count
  PID 3008 wrote to memory of 972  3008  Installer.exe       powershell.exe       3
  PID 3008 wrote to memory of 2664 3008  Installer.exe       connection1404.exe   3
  PID 3008 wrote to memory of 2792 3008  Installer.exe       powershell.exe       3
  PID 3008 wrote to memory of 1696 3008  Installer.exe       update1404.exe       3
  PID 2664 wrote to memory of 856  2664  connection1404.exe  BitLockerToGo.exe    6
  PID 1696 wrote to memory of 1824 1696  update1404.exe      BitLockerToGo.exe    6
  PID 1824 wrote to memory of 2456 1824  BitLockerToGo.exe   dialer.exe           6
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\Installer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
    Signatures: Loads dropped DLL; Drops file in Program Files directory; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Program Files\launcher289\connection1404.exe
      Command line: "C:\Program Files\launcher289\connection1404.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Program Files\launcher289\update1404.exe
      Command line: "C:\Program Files\launcher289\update1404.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Program Files\launcher289\connection1404.exe
  Filesize: 19.5MB
  MD5: 2f3aa0119c4953af8f8c156330089ba6
  SHA1: a8cdb9a58428fb0aab1bacebcbba67fc1405ab13
  SHA256: 7cd7ee94293b7ea648e9514f47206aa56a00c6e4f40025fba4b454c70ec95a80
  SHA512: f41994a479350a0a4b0f7c961fa501e93a268e885baa046b839b99fdff8202a1a1ebdeea3b5cbff088b499735e26a0934f89c81a1ed0a38dd9bca37885017dab
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 0fb4d88c6fe4e1bc527ef99dcaf14b0d
  SHA1: f0a9606210f0f34538b677e45a580fbeac4fd1a6
  SHA256: b0f339a9c1840abe99042814eb8d58eb2f65dcb791a01cccabb4332d713d87aa
  SHA512: 8dac463a3ce20fc03926d18f77d9088be9d5236027ad9e7e0b6d6b49257837084944975fd41f15cc42455d6e14194963f2c0ada8217ed7bc2161dd4d11373b7d
- \Program Files\launcher289\update1404.exe
  Filesize: 18.6MB
  MD5: 483d1a5aef48a3fe4776b71188b82c77
  SHA1: e34779d6bcdf75e015252f95214fd007ffdddb27
  SHA256: d62c629ac4d72655e39bf77d618c16eb1812618f9e44398d37c33912f4acd04e
  SHA512: 3f38d00ed3f53c99f796468afd1b653c61286a80aff2023c781e04973adcb4c2a94f242ba4ce217c4cb0b243a18b63f698479ac4a2ecb34404d8135a14d2903f
- \Users\Admin\AppData\Local\Temp\.net\Installer\EPoBJDucgcyc+xnA_3gbzJsd6Thp7Wo=\D3DCompiler_47_cor3.dll
  Filesize: 4.7MB
  MD5: a7349236212b0e5cec2978f2cfa49a1a
  SHA1: 5abb08949162fd1985b89ffad40aaf5fc769017e
  SHA256: a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082
  SHA512: c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02
- \Users\Admin\AppData\Local\Temp\.net\Installer\EPoBJDucgcyc+xnA_3gbzJsd6Thp7Wo=\PresentationNative_cor3.dll
  Filesize: 1.2MB
  MD5: e67dff697095b778ab6b76229c005811
  SHA1: 88a54a3e3ff2bf83a76bbf5df8a0e50bdb36bcdc
  SHA256: e92b997f6f3a10b43d3fdc7743307228aa3b0a43430af60ccb06efa154d37e6a
  SHA512: 6f2a2bbbfa0464537fccb53d40239a294dca8fd477e79d70cd9f74079da48525a300675d3b0daae292432adbb9dd099fd4dc95b6fe2794f4c5f3a7e56e15ef51
- \Users\Admin\AppData\Local\Temp\.net\Installer\EPoBJDucgcyc+xnA_3gbzJsd6Thp7Wo=\wpfgfx_cor3.dll
  Filesize: 1.9MB
  MD5: a71862451605c3fd136c4fa209791815
  SHA1: 8dd7f71f7d657d24e0d2649a79b9901b8fe99bc1
  SHA256: e793bb093c52726090f3590d2abe142e8bc4bdf19796984aef82751ba4b1be6a
  SHA512: dbecec9bae98e3d5fe68f9c9a71e3f11322fa3b6b2f9665a377f825ba13c1245d003f484aae62e27c014f4728eaa90d7f24c5ef7ab8baf6e85c7d394c85fae53
memory/972-247-0x000007FEF45F0000-0x000007FEF4F8D000-memory.dmpFilesize
9.6MB
-
memory/972-246-0x000007FEF45F0000-0x000007FEF4F8D000-memory.dmpFilesize
9.6MB
-
memory/972-245-0x00000000027E0000-0x00000000027E8000-memory.dmpFilesize
32KB
-
memory/972-244-0x000007FEF45F0000-0x000007FEF4F8D000-memory.dmpFilesize
9.6MB
-
memory/972-242-0x000000001B680000-0x000000001B962000-memory.dmpFilesize
2.9MB
-
memory/972-243-0x000007FEF45F0000-0x000007FEF4F8D000-memory.dmpFilesize
9.6MB
-
memory/972-241-0x000007FEF48AE000-0x000007FEF48AF000-memory.dmpFilesize
4KB
-
memory/2792-277-0x000000001B670000-0x000000001B952000-memory.dmpFilesize
2.9MB
-
memory/2792-278-0x0000000001D20000-0x0000000001D28000-memory.dmpFilesize
32KB
-
memory/3008-58-0x0000000002140000-0x0000000002150000-memory.dmpFilesize
64KB
-
memory/3008-42-0x0000000001E90000-0x0000000001EB0000-memory.dmpFilesize
128KB
-
memory/3008-18-0x0000000003A60000-0x0000000004020000-memory.dmpFilesize
5.8MB
-
memory/3008-14-0x00000000002F0000-0x0000000000320000-memory.dmpFilesize
192KB
-
memory/3008-26-0x0000000000340000-0x0000000000350000-memory.dmpFilesize
64KB
-
memory/3008-30-0x0000000001F50000-0x0000000001FE0000-memory.dmpFilesize
576KB
-
memory/3008-187-0x0000000006100000-0x000000000610A000-memory.dmpFilesize
40KB
-
memory/3008-236-0x0000000140165000-0x0000000140166000-memory.dmpFilesize
4KB
-
memory/3008-38-0x0000000001E50000-0x0000000001E60000-memory.dmpFilesize
64KB
-
memory/3008-22-0x0000000004020000-0x0000000004130000-memory.dmpFilesize
1.1MB
-
memory/3008-46-0x0000000001EB0000-0x0000000001ED0000-memory.dmpFilesize
128KB
-
memory/3008-50-0x0000000004830000-0x0000000004B80000-memory.dmpFilesize
3.3MB
-
memory/3008-54-0x00000000024E0000-0x0000000002520000-memory.dmpFilesize
256KB
-
memory/3008-5-0x0000000002B40000-0x0000000002F60000-memory.dmpFilesize
4.1MB
-
memory/3008-62-0x0000000002150000-0x0000000002160000-memory.dmpFilesize
64KB
-
memory/3008-66-0x0000000003270000-0x0000000003280000-memory.dmpFilesize
64KB
-
memory/3008-70-0x00000000032A0000-0x00000000032B0000-memory.dmpFilesize
64KB
-
memory/3008-102-0x0000000140165000-0x0000000140166000-memory.dmpFilesize
4KB
-
memory/3008-34-0x0000000001C90000-0x0000000001CB0000-memory.dmpFilesize
128KB
-
memory/3008-12-0x000000000C2A0000-0x00000000112F0000-memory.dmpFilesize
80.3MB