Overview

overview

10

Static

static

3

AppxSip/AppxSip.dll

windows11-21h2-x64

8

AppxSip/MSVidCtl.dll

windows11-21h2-x64

1

AppxSip/de...ps.dll

windows11-21h2-x64

5

AppxSip/devenum.dll

windows11-21h2-x64

7

SEMgrPS/SEMgrPS.dll

windows11-21h2-x64

1

SEMgrPS/Se...pi.dll

windows11-21h2-x64

1

SEMgrPS/ne...vc.dll

windows11-21h2-x64

1

SEMgrPS/wcimage.dll

windows11-21h2-x64

1

dsreg/dcntel.dll

windows11-21h2-x64

1

dsreg/dsound.dll

windows11-21h2-x64

1

dsreg/dsreg.dll

windows11-21h2-x64

1

dsreg/sensrsvc.dll

windows11-21h2-x64

1

netprofm/T...ep.dll

windows11-21h2-x64

1

netprofm/netprofm.dll

windows11-21h2-x64

1

netprofm/rpcnsh.dll

windows11-21h2-x64

1

netprofm/s...is.dll

windows11-21h2-x64

1

pcwum/AppxSip.dll

windows11-21h2-x64

8

pcwum/asferror.dll

windows11-21h2-x64

1

pcwum/pcwum.dll

windows11-21h2-x64

1

pcwum/pdhui.dll

windows11-21h2-x64

1

setup.msi

windows11-21h2-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    93s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19-06-2024 14:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.msi

  • Size

    25.2MB

  • MD5

    97fe02652a163aa97ecede3d2c89aab6

  • SHA1

    927aba81a9f802c73ce0806ce0afc9cd914f879f

  • SHA256

    64b93fbe2402bcdec46248a164485e12e2800df091a5708fe8741cf446105036

  • SHA512

    3dd59ceabd2c4b07c9a4d0561ceea16bc1a52cd91ccaf852597fe63726c617c40c0433b2710035b9c3467d156ace859978d138f71f01087c92033b9c0b5391d8

  • SSDEEP

    393216:F+wLUMdp4/HgS9q/FmxTgWHx9N4b9jR+7NE1nX7nyRs9cRfxn8XGQUigBJ:F+5MdEHbgFmxsWR9Ni9N+RE1XC82Qi

Score
10/10
rhadamanthyspersistenceprivilege_escalationstealer

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 20 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2952
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2212
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
      1⤵
      • Enumerates connected drives
      • Event Triggered Execution: Installer Packages
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1692
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 1CBFC1AAF811C27E899416F4F6F9E93B
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:5080
      • C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe
        "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe" x -p2664926658a "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\ruw9eigh.rar" "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\"
        2⤵
        • Executes dropped EXE
        PID:5000
      • C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe
        "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3424
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe explorer.exe
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:720
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 1796
            4⤵
            • Program crash
            PID:2232
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 1792
            4⤵
            • Program crash
            PID:3992
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 1788
            4⤵
            • Program crash
            PID:1236
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 720 -ip 720
      1⤵
        PID:1424
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 720 -ip 720
        1⤵
          PID:1976
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 720 -ip 720
          1⤵
            PID:2884

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Event Triggered Execution

          1
          T1546

          Installer Packages

          1
          T1546.016

          Privilege Escalation

          Event Triggered Execution

          1
          T1546

          Installer Packages

          1
          T1546.016

          Defense Evasion

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Config.Msi\e577d70.rbs
            Filesize

            22KB

            MD5

            b8a5bcb995b983f78f3be0b78ca25528

            SHA1

            83010aba98b9155e732c75b23536a4c029226244

            SHA256

            44d95646665e772a559a0902824d2563f0926d72d03d230cda3a704a38ee90ec

            SHA512

            b5daaf87d5341a9218b379839a6bea649894e6758e35b4cfa60249081d6f6c79e09b5d6b1a63427f6f0818b6a7402f6d089a0b14a4dfc1a2dc44c8e70769c0ea

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe
            Filesize

            494KB

            MD5

            98ccd44353f7bc5bad1bc6ba9ae0cd68

            SHA1

            76a4e5bf8d298800c886d29f85ee629e7726052d

            SHA256

            e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

            SHA512

            d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\ruw9eigh.rar
            Filesize

            383KB

            MD5

            728303eedfa244370a6eb0c13110e101

            SHA1

            4c50ddb06b8a94298803a826a144c945ad620781

            SHA256

            cbeeef44f4bdac385e68c73fcf983bbc54ff3a4201be108386495c280a32a29f

            SHA512

            4f878f9e8a46e8cd30310e3d752df019c208258b0c6438c90ced5e1af2a33b610de427e5884dca0507fd3d3aa692dae4cce3d284ac2a2b95f03d75bb6e4eddea

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe
            Filesize

            639KB

            MD5

            fd3ce044ac234fdab3df9d7f492c470a

            SHA1

            a74a287d5d82a8071ab36c72b2786342d83a8ef7

            SHA256

            0a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba

            SHA512

            86d7e805fab0e5130003facbb1525ee261440846f342f53ae64c3f8d676d1208d5fd9bd91e3222c63cc30c443348eb5ddedab14c8847dae138fba7e9be69d08d

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\tier0_s64.dll
            Filesize

            386KB

            MD5

            7e60404cfb232a1d3708a9892d020e84

            SHA1

            31328d887bee17641608252fb2f9cd6caf8ba522

            SHA256

            5a3e15cb90baf4b3ebe0621fa6f5f37b0fe99848387d6f2fd99ae770d1e6d766

            SHA512

            4d8abd59bd77bdb6e5b5e5f902d2a10fa5136437c51727783e79aed6a796f9ee1807faf14f1a72a1341b9f868f61de8c676b00a4b07a2a26cfb8a4db1b77eb3c

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\vstdlib_s64.dll
            Filesize

            1.0MB

            MD5

            b8c0097acaa7b840c3a803a6daac18c3

            SHA1

            8553720c10815d8f0b938d281519b7e0e4967c86

            SHA256

            ef397ad6190413b101bb4b36bde450fb0a951a4c5eb936f8a40afdc66e8c04da

            SHA512

            e3484d9d724f5f43770b4bee92c9c534e3dcb5f37af3e379f83afd2c6847d3f153115d742a4e1fc8af60594975438ae63a32e2c8815d046f071ba62322745b5c

            Download Submit
          • C:\Windows\Installer\MSI7DEA.tmp
            Filesize

            738KB

            MD5

            b158d8d605571ea47a238df5ab43dfaa

            SHA1

            bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

            SHA256

            ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

            SHA512

            56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

            Download Submit
          • C:\Windows\Installer\MSI7EE8.tmp
            Filesize

            1.1MB

            MD5

            1a2b237796742c26b11a008d0b175e29

            SHA1

            cfd5affcfb3b6fd407e58dfc7187fad4f186ea18

            SHA256

            81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730

            SHA512

            3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5

            Download Submit
          • C:\Windows\Installer\MSI9840.tmp
            Filesize

            364KB

            MD5

            54d74546c6afe67b3d118c3c477c159a

            SHA1

            957f08beb7e27e657cd83d8ee50388b887935fae

            SHA256

            f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611

            SHA512

            d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

            Download Submit
          • C:\Windows\Installer\e577d6d.msi
            Filesize

            25.2MB

            MD5

            97fe02652a163aa97ecede3d2c89aab6

            SHA1

            927aba81a9f802c73ce0806ce0afc9cd914f879f

            SHA256

            64b93fbe2402bcdec46248a164485e12e2800df091a5708fe8741cf446105036

            SHA512

            3dd59ceabd2c4b07c9a4d0561ceea16bc1a52cd91ccaf852597fe63726c617c40c0433b2710035b9c3467d156ace859978d138f71f01087c92033b9c0b5391d8

            Download Submit
          • memory/720-169-0x0000000004FF0000-0x00000000053F0000-memory.dmp
            Filesize

            4.0MB

            Download
          • memory/720-154-0x0000000000A10000-0x0000000000A38000-memory.dmp
            Filesize

            160KB

            Download
          • memory/720-155-0x0000000000A10000-0x0000000000A38000-memory.dmp
            Filesize

            160KB

            Download
          • memory/720-156-0x0000000000A10000-0x0000000000A38000-memory.dmp
            Filesize

            160KB

            Download
          • memory/720-171-0x00007FF8B0E60000-0x00007FF8B1069000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/720-173-0x00000000771F0000-0x0000000077442000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/720-170-0x0000000004FF0000-0x00000000053F0000-memory.dmp
            Filesize

            4.0MB

            Download
          • memory/2212-176-0x0000000002EF0000-0x00000000032F0000-memory.dmp
            Filesize

            4.0MB

            Download
          • memory/2212-174-0x0000000000FC0000-0x0000000000FC9000-memory.dmp
            Filesize

            36KB

            Download
          • memory/2212-177-0x00007FF8B0E60000-0x00007FF8B1069000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/2212-179-0x00000000771F0000-0x0000000077442000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/3424-153-0x0000014121FD0000-0x0000014121FF5000-memory.dmp
            Filesize

            148KB

            Download
          • memory/3424-152-0x0000014121FC0000-0x0000014121FC1000-memory.dmp
            Filesize

            4KB

            Download