Analysis
- max time kernel: 79s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 07:38
Static task
- static1: 1 signature

Behavioral task
- behavioral1: sample hoge.exe, resource win7-20240508-en, 6 signatures, 300 seconds

Behavioral task
- behavioral2: sample hoge.exe, resource win10v2004-20240508-en, 4 signatures, 300 seconds
General
- Target: hoge.exe
- Size: 621KB
- MD5: be87ad5596852c9930270778e9eced54
- SHA1: 34a1842d2fd4dbcdc27b892d18ad920ac9d03826
- SHA256: 38c17f2c490cee233f17e6484a1f3c25f3bff8d99ea0d6010f720b848d6a223e
- SHA512: a16e49beb95f461ff5d4af63017bdcd9844800e8037d43942e28e0a3dfa71ceb0808e5020f955380902fdb4c9887ed6e092cfce9a9cf24f6be2e3e9586dbef04
- SSDEEP: 12288:zE50GSHrG6W42JcycysY0V3D9wCV+2nXGwnUP345WRgG3OkGGs/Lwmm:o+GSHrG6W42JcychY0FD9wCVBHw3yeJF
- Score: 10/10
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes: hoge.exe
  description | pid | process | target process
  PID 1316 created 2620 | 1316 | hoge.exe | sihost.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: hoge.exe, dialer.exe
  pid | process
  1316 | hoge.exe
  1316 | hoge.exe
  1700 | dialer.exe
  1700 | dialer.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: hoge.exe
  description | pid | process | target process
  PID 1316 wrote to memory of 1700 | 1316 | hoge.exe | dialer.exe
  PID 1316 wrote to memory of 1700 | 1316 | hoge.exe | dialer.exe
  PID 1316 wrote to memory of 1700 | 1316 | hoge.exe | dialer.exe
  PID 1316 wrote to memory of 1700 | 1316 | hoge.exe | dialer.exe
Processes
- C:\Windows\system32\sihost.exe (command line: sihost.exe), tree depth 1
  - C:\Windows\system32\dialer.exe (command line: "C:\Windows\system32\dialer.exe"), tree depth 2
    - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\hoge.exe (command line: "C:\Users\Admin\AppData\Local\Temp\hoge.exe"), tree depth 1
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads
- memory/1316-7-0x0000000003270000-0x0000000003670000-memory.dmp (filesize 4.0MB)
- memory/1316-1-0x0000000003270000-0x0000000003670000-memory.dmp (filesize 4.0MB)
- memory/1316-6-0x0000000003270000-0x0000000003670000-memory.dmp (filesize 4.0MB)
- memory/1316-5-0x00007FFC13980000-0x00007FFC13C49000-memory.dmp (filesize 2.8MB)
- memory/1316-4-0x00007FFC15C30000-0x00007FFC15CEE000-memory.dmp (filesize 760KB)
- memory/1316-3-0x00007FFC16230000-0x00007FFC16425000-memory.dmp (filesize 2.0MB)
- memory/1316-2-0x0000000003270000-0x0000000003670000-memory.dmp (filesize 4.0MB)
- memory/1316-11-0x0000000000400000-0x000000000049B000-memory.dmp (filesize 620KB)
- memory/1316-0-0x0000000000400000-0x000000000049B000-memory.dmp (filesize 620KB)
- memory/1700-10-0x000002248C290000-0x000002248C690000-memory.dmp (filesize 4.0MB)
- memory/1700-15-0x00007FFC13980000-0x00007FFC13C49000-memory.dmp (filesize 2.8MB)
- memory/1700-14-0x00007FFC15C30000-0x00007FFC15CEE000-memory.dmp (filesize 760KB)
- memory/1700-12-0x00007FFC16230000-0x00007FFC16425000-memory.dmp (filesize 2.0MB)
- memory/1700-16-0x000002248C290000-0x000002248C690000-memory.dmp (filesize 4.0MB)
- memory/1700-8-0x000002248A6F0000-0x000002248A6F9000-memory.dmp (filesize 36KB)
- memory/1700-13-0x000002248C290000-0x000002248C690000-memory.dmp (filesize 4.0MB)