Analysis
- max time kernel: 42s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 07:38
- Static task: static1
- Behavioral task: behavioral1 (Sample: hoge.exe, Resource: win7-20240221-en)
- Behavioral task: behavioral2 (Sample: hoge.exe, Resource: win10v2004-20240226-en)
General
- Target: hoge.exe
- Size: 621KB
- MD5: be87ad5596852c9930270778e9eced54
- SHA1: 34a1842d2fd4dbcdc27b892d18ad920ac9d03826
- SHA256: 38c17f2c490cee233f17e6484a1f3c25f3bff8d99ea0d6010f720b848d6a223e
- SHA512: a16e49beb95f461ff5d4af63017bdcd9844800e8037d43942e28e0a3dfa71ceb0808e5020f955380902fdb4c9887ed6e092cfce9a9cf24f6be2e3e9586dbef04
- SSDEEP: 12288:zE50GSHrG6W42JcycysY0V3D9wCV+2nXGwnUP345WRgG3OkGGs/Lwmm:o+GSHrG6W42JcychY0FD9wCVBHw3yeJF
Malware Config
Signatures
- Detects DLL dropped by Raspberry Robin. 2 IoCs
  Raspberry Robin.
  Processes:
  resource | yara_rule
  behavioral1/memory/1220-4-0x0000000077070000-0x000000007718F000-memory.dmp | Raspberry_Robin_DLL_MAY_2022
  behavioral1/memory/2236-14-0x0000000077070000-0x000000007718F000-memory.dmp | Raspberry_Robin_DLL_MAY_2022
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  Processes: hoge.exe
  description | pid | process | target process
  PID 1220 created 1192 | 1220 | hoge.exe | Explorer.EXE
- Deletes itself 1 IoCs
  Processes: dialer.exe
  pid | process
  2236 | dialer.exe
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  Processes: hoge.exe, dialer.exe
  pid | process
  1220 | hoge.exe
  1220 | hoge.exe
  2236 | dialer.exe
  2236 | dialer.exe
- Suspicious use of WriteProcessMemory 5 IoCs
  Processes: hoge.exe
  description | pid | process | target process
  PID 1220 wrote to memory of 2236 | 1220 | hoge.exe | dialer.exe
  PID 1220 wrote to memory of 2236 | 1220 | hoge.exe | dialer.exe
  PID 1220 wrote to memory of 2236 | 1220 | hoge.exe | dialer.exe
  PID 1220 wrote to memory of 2236 | 1220 | hoge.exe | dialer.exe
  PID 1220 wrote to memory of 2236 | 1220 | hoge.exe | dialer.exe
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - C:\Users\Admin\AppData\Local\Temp\hoge.exe (command line: "C:\Users\Admin\AppData\Local\Temp\hoge.exe")
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\dialer.exe (command line: "C:\Windows\system32\dialer.exe")
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/1220-7-0x0000000000400000-0x000000000049B000-memory.dmp: 620KB
- memory/1220-4-0x0000000077070000-0x000000007718F000-memory.dmp: 1.1MB
- memory/1220-0-0x0000000000400000-0x000000000049B000-memory.dmp: 620KB
- memory/1220-9-0x0000000002E70000-0x0000000003270000-memory.dmp: 4.0MB
- memory/1220-8-0x0000000077191000-0x0000000077292000-memory.dmp: 1.0MB
- memory/1220-5-0x000007FEFD2D0000-0x000007FEFD33C000-memory.dmp: 432KB
- memory/1220-3-0x0000000077190000-0x0000000077339000-memory.dmp: 1.7MB
- memory/1220-2-0x0000000002E70000-0x0000000003270000-memory.dmp: 4.0MB
- memory/1220-19-0x0000000002E70000-0x0000000003270000-memory.dmp: 4.0MB
- memory/1220-1-0x0000000002E70000-0x0000000003270000-memory.dmp: 4.0MB
- memory/2236-12-0x0000000001B40000-0x0000000001F40000-memory.dmp: 4.0MB
- memory/2236-15-0x000007FEFD2D0000-0x000007FEFD33C000-memory.dmp: 432KB
- memory/2236-14-0x0000000077070000-0x000000007718F000-memory.dmp: 1.1MB
- memory/2236-17-0x0000000077191000-0x0000000077292000-memory.dmp: 1.0MB
- memory/2236-16-0x0000000001B40000-0x0000000001F40000-memory.dmp: 4.0MB
- memory/2236-13-0x0000000077190000-0x0000000077339000-memory.dmp: 1.7MB
- memory/2236-18-0x0000000001B40000-0x0000000001F40000-memory.dmp: 4.0MB
- memory/2236-6-0x0000000000060000-0x0000000000069000-memory.dmp: 36KB