General
Target: ff654bc32dcbba43b22e006634fc0ef4.bin
Size: 35.3MB
Sample: 240701-ew6mtsyhrm
MD5: 5ebec6d6ca28a0f4492b866699cd0855
SHA1: f49572ea016cf7aca7ba388793e4dc3f3c6bc9b9
SHA256: 1adf1646b9113fd13d0e6745b83a59fae2160ba93ecade45be63dd210cf6c8a6
SHA512: 6cb052f8a74507993f2d3429775c4a9fbcd28c177e3a0ec2300160e55de39da440a0ff48c55eaa63557fa7d66ab78de46cd244ebe524a1747562f3405f0c58b7
SSDEEP: 786432:XptkKH/LpFhB2+jnU/FQnxvw8+bYhAf35PDL/q:zHNFv2+jnMFE+cKv5PXq
Tasks
Static task static1
Behavioral task behavioral1: __x64___setup___x32__/SettingMonitor/SessEnv.dll (resource win10v2004-20240226-en)
Behavioral task behavioral2: __x64___setup___x32__/SettingMonitor/SettingMonitor.dll (resource win10v2004-20240611-en)
Behavioral task behavioral3: __x64___setup___x32__/SettingMonitor/pnrpsvc.dll (resource win10v2004-20240611-en)
Behavioral task behavioral4: __x64___setup___x32__/SettingMonitor/uudf.dll (resource win10v2004-20240611-en)
Behavioral task behavioral5: __x64___setup___x32__/SettingSync/SettingSync.dll (resource win10v2004-20240508-en)
Behavioral task behavioral6: __x64___setup___x32__/SettingSync/rasmontr.dll (resource win10v2004-20240226-en)
Behavioral task behavioral7: __x64___setup___x32__/SettingSync/schannel.dll (resource win10v2004-20240508-en)
Behavioral task behavioral8: __x64___setup___x32__/SettingSync/sppcommdlg.dll (resource win10v2004-20240611-en)
Behavioral task behavioral9: __x64___setup___x32__/dab/dab.dll (resource win10v2004-20240611-en)
Behavioral task behavioral10: __x64___setup___x32__/dab/diagperf.dll (resource win10v2004-20240611-en)
Behavioral task behavioral11: __x64___setup___x32__/dab/fcon.dll (resource win10v2004-20240508-en)
Behavioral task behavioral12: __x64___setup___x32__/dab/hal.dll (resource win10v2004-20240508-en)
Behavioral task behavioral13: __x64___setup___x32__/mscms/NPSM.dll (resource win10v2004-20240611-en)
Behavioral task behavioral14: __x64___setup___x32__/mscms/mscms.dll (resource win10v2004-20240508-en)
Behavioral task behavioral15: __x64___setup___x32__/mscms/msvcp120.dll (resource win7-20240221-en)
Behavioral task behavioral16: __x64___setup___x32__/mscms/msvcp120.dll (resource win10v2004-20240611-en)
Behavioral task behavioral17: __x64___setup___x32__/mscms/scrrun.dll (resource win10v2004-20240508-en)
Behavioral task behavioral18: __x64___setup___x32__/setup.msi (resource win7-20240508-en)
Behavioral task behavioral19: __x64___setup___x32__/setup.msi (resource win10v2004-20240611-en)
Behavioral task behavioral20: __x64___setup___x32__/vmrdvcore/mssph.dll (resource win10v2004-20240508-en)
Behavioral task behavioral21: __x64___setup___x32__/vmrdvcore/perfctrs.dll (resource win10v2004-20240226-en)
Behavioral task behavioral22: __x64___setup___x32__/vmrdvcore/tapisrv.dll (resource win10v2004-20240611-en)
Behavioral task behavioral23: __x64___setup___x32__/vmrdvcore/vmrdvcore.dll (resource win10v2004-20240508-en)
Malware Config
Extracted: https://two-root.com/2506s.bs64
Targets

Target: __x64___setup___x32__/SettingMonitor/SessEnv.dll
Size: 529KB
MD5: 86d26ebd7bfaecb399113aa4032b1654
SHA1: dafc41bfa8f890df174c0d8fcb86d1df77c0f04c
SHA256: b0e89ba9ece9afbd08eba6f7dd9779a50a212d9d334f8da5e32a8afb0356cb3e
SHA512: c5c66200030b24a87ea15c0e287289828d2292044d9405bee0c771531b98bf07b23330a8b59f1fa020e398963552b718445450797f95406f9a6636be57b78289
SSDEEP: 12288:fjddhPmPjMc72g1d02PUsuJ4v0rRgN5USgUCLU:fPhs7z02dv0rRgNKSCLU
Score: 1/10

Target: __x64___setup___x32__/SettingMonitor/SettingMonitor.dll
Size: 163KB
MD5: e8cdda28622354adc80aa9b9e7b165ff
SHA1: c95e8a4abaaee4f96cdc0956ee802c7320eb001b
SHA256: 330a4bf116cfd884df55af3dfd1200702e086a8ed7810e8b41529a78cf05c678
SHA512: 58ba3f16924467b05be0e373f7c52dd0841ec2a10e99fc4c5b019d2bf1a97bc61752d30df3b2d45984c9c41fc8ff89c8a7d1e0e7e8459d515d73328f31b78995
SSDEEP: 3072:0KWTUDuDWEV7pDx9d3h1OsGwuCYamg9j8TPfEjJ30/cVBy:0F4DuDV71TXIwvxufEjJ300VB
Score: 1/10

Target: __x64___setup___x32__/SettingMonitor/pnrpsvc.dll
Size: 344KB
MD5: f8ce0b4f1bc5e4fbdd66c1cac4d58314
SHA1: 420146b917efcb1181b711fdcf7423dcd20c18e8
SHA256: e7dc2fba4cdbb0a35cc58e0fdf37d68891f18a80e449c0aa2c66c43a596ec4a9
SHA512: ed20c89ce1a22e13f423939d8c38a2d0cfbac58b102d80b5839a0c4bd942df1db65c709e70830856ffe253c4e6af4b61acdd0c47165d1df0475d7c388298b1f3
SSDEEP: 6144:k0U24oAyuNRrY0Q/oOhBKHl9TxJDs1HWLsx6qwDsLKcfpErKYS:7ADN2yOjKF9tJDsQLsx63DTcfp2r
Score: 1/10

Target: __x64___setup___x32__/SettingMonitor/uudf.dll
Size: 169KB
MD5: 001ef38ce74ecf8417ee0c891434bb43
SHA1: d7bc48b2fbf27dd6a603c4dfdcd0fec4bcdea0d0
SHA256: 605ed635b23f16ac60e69d3d3c90e74f2d7b8eb7961647d59f918f76f5465125
SHA512: 3314928fe347224feaa4b6ac39784074c5441cc156226bf3cce02fdf8abf923429c37be9445921323b15cbbac5a76a48c247f3ca708b73848b9cc06e3a6dd711
SSDEEP: 3072:7VVOPiAiPibX5wceSGHdUZkQZUiI0jTJ8B1lfGZTzk9kKgCDCiGriZC/AzLct:7VVOPlLbeZHKhZbDfJJzk9kKjF9
Score: 1/10

Target: __x64___setup___x32__/SettingSync/SettingSync.dll
Size: 696KB
MD5: dba5942d06d3f0c8e8157549810f98e3
SHA1: cbf39ba1e24776bd1d8cebfa75a6222da803cb40
SHA256: 2d1883c92c08e406ff2fd77387201a6d9a5b11a0b9c40d17c2164f490ba78bf7
SHA512: 7e626168328514659e0011c4819fa450526dd4811adf423810f7d2080ade86b7dfecde3699327c4dfdb4afc421237cfe028dafa2161a7bfb9c0c69d352c3fe44
SSDEEP: 12288:UMZExH2M0Cl2d/4zvWtRSVzpyt0CrX9LXbzmrdQ2N5QS5b:ZWx0ClPuAEfXe5N5Q0
Score: 1/10

Target: __x64___setup___x32__/SettingSync/rasmontr.dll
Size: 352KB
MD5: e7cd615613875ea223ab051b0daa62ae
SHA1: f8e13ffb3a92a92428585a6448ba0eb45a6714a4
SHA256: 3784cfebd786b6fe061fbbaf62a2ec38e931544a6522ff74a06398f8f7e9f7d6
SHA512: bcc82736d04a9040fdd38d1d02efd3143004091b05f69a9bfc29e15a9a380d1e3a7cda21d489db5dbb2457eb4055b094a5356f0ea12aaa3805798129f51ace30
SSDEEP: 6144:cyTN+ofnWGvGNzq+K7FMmODKzDS6JVj5XgQUtQ7X:HNp/WuGJq+SFnODKz
Score: 1/10

Target: __x64___setup___x32__/SettingSync/schannel.dll
Size: 580KB
MD5: bf34ca8a3c01da7f7fa805f7e717d546
SHA1: b605919ed9b30f77b4ee486f2ea42d175b37b84b
SHA256: 9a28255454c927b4c95b3cf39c12650bc5c31e2fe70c7fa935e2f9c0767f62a7
SHA512: afc64003e7ae59f52246b41860fee6201c9cfbb27fa2547cd8da4ab371d4eebf11682d2556c1734ba1962b8c72f4081a08a30fe9774328a056ffdf1551a78d5e
SSDEEP: 12288:Z8ec48WHBEQRTj2eO2i6DqyjpygHI+mG5a:Z8ec2TjFOaDV1ygVH
Score: 1/10

Target: __x64___setup___x32__/SettingSync/sppcommdlg.dll
Size: 312KB
MD5: 25059cb01909efc95c978a189c24c20b
SHA1: cbdbfd8cd3c56efd35dc191ec26d4b629c3aaf6c
SHA256: f4561bd188608d78a65df4c509da5f03169af43b9fa3fcef2274ff766edbeb5e
SHA512: 93556729cbf23656fc62718b99b3dcf6aa6fac5e4e8dda8ca088ac173a4729b50b45aefb43054f5b1e404cff635abe736b1d2376a8a000e34db4346c42e896be
SSDEEP: 6144:JH6nOj2guNJqY/W5R02qO7VKCP1qKkOFaCGVn:J4Oj2RJq3nP1qKUCGVn
Score: 1/10

Target: __x64___setup___x32__/dab/dab.dll
Size: 110KB
MD5: 53ba03283c3bf93c438caa6f42c09659
SHA1: 96030fd608ef154b358df1a86d90e761b5284f44
SHA256: a1c7b806e20264dc99f50205e1db95229e69c6dcf5928c9c4a66d8292ab9e1b3
SHA512: 2e4ef7fc71408ec17dfebc71adad3c63f0549ff6de7d7ad6ff89828be6757e3d4f2c6c671653b7ad20cbc2a14f5788af1b29deaff14f2d3110410c6997e27868
SSDEEP: 3072:Xwa1fzlsxiGFNcNDtz+6MQJl+CC7uzB2TY7:Xt1hTW2JQXzCC
Score: 1/10

Target: __x64___setup___x32__/dab/diagperf.dll
Size: 1.3MB
MD5: d8a7dfb2d76cc2208449bfb840aecb69
SHA1: dacb265b5dda7060169b6c9685e30b8733a5ee41
SHA256: b2aca97ef7443e9516a8e0603b2912fb48d0f95a01920d475cdef2ddec97c716
SHA512: e51b391478ead5ac4b4a3f411f9f73f6c9bb69dc39245ba53ef4acbe644298b7ff3bbbdca754bcf2e08afc56c0d30a404505bac3be1b9e33ac72bd661f09082b
SSDEEP: 24576:EXc7tg4rRnpxj1XAskVOIfWEHbjCTCD+yulAsiC:EXc7m4rxpxj1XrkVOIFbjC2DbuaB
Score: 1/10

Target: __x64___setup___x32__/dab/fcon.dll
Size: 259KB
MD5: 570410bf7b872f558841f3ebb7373480
SHA1: 6a7756f03d2df96586ca95919a1a84ff2dabd662
SHA256: 99dcbdb33cb51b1985d2a836992121b1693a17d2ec068ebf28bf1ccc4761e2a9
SHA512: 6c05062cd6ad8949112854923c29ac440f8f66d8b24b0ae867558921358b07e9669e5b29b49fc4b91bf911496d82e6b577d32dc8347dbb9ca1976e2db0ccc574
SSDEEP: 3072:UOA9zlGDwpjwEo+2jS2tYQLxc0I17WkpVXAP2rv09hOm1lPLCzGhbfdwON7Are:UOFcpjwEj25eXZgO2lvnhN7A
Score: 1/10

Target: __x64___setup___x32__/dab/hal.dll
Size: 17KB
MD5: 01fd720f78d7d72e19ca732a909ae005
SHA1: e542847f226190042cfda60dd8be6266d5e5d4a4
SHA256: 9c32cef8fb1d4eb0fcec864617b850594eeeac2fe0163de77aa2f947fba4f3be
SHA512: dada83d0ca3f90d5c1e8facdf8141b7098be241efe2800ae51826c7445cf3c6801f751e9f500400af50a672643439975e85ffac0f9f2f2ed56a3f4729361e959
SSDEEP: 384:MkqP8+N5nC+k6yIwws9sCQZWu7kWXddhMDBRJM1x85zR9zF6Nn:qi+aITsGFTdhM1PM109z2n
Score: 1/10

Target: __x64___setup___x32__/mscms/NPSM.dll
Size: 197KB
MD5: 02772a5aecc72ee43ce45004fa2a9dcb
SHA1: 364aba6b29398838c20f6367a2623438f4b7488e
SHA256: 7f98b2486edbea70c24f8473b02dceeb9a635e15e89423091cf2e8ad51a6702e
SHA512: 847488bca42d3cc62e640cde5ce9dc2a06624633020463e8731c2e1374ecc4517c19483b57b84877b0c698ff95b5190e32ea7bb32f4442ba178365cbe3e8766a
SSDEEP: 3072:IqWWSoNwRw8KO5bNTqD8cnyOeEkbzieAtm1LNFc+K+EZ1x+qmh3:I7WSsw28KO5bNTDcn2OeAo1MdVm
Score: 1/10

Target: __x64___setup___x32__/mscms/mscms.dll
Size: 691KB
MD5: 1a933be33a779fd18595af01c3850391
SHA1: 11440a01dee87bc9bfb335a964da01b0e130a261
SHA256: 908b352431cb871f8366c92e064e9193bbc86224cad53ddc047c3ea4f89dc667
SHA512: ef3c75bca8acd8df292f978a09cbf7dc94c831df144fb8f81e0d94ea6fcf2d754f53879b97629bc03b239861bf91cdb14538237346baeab90fafb470bae52afd
SSDEEP: 12288:6l9/mpmYNRRw/IofftlEdWiV8FJGlQ6Q64BNBD:HmqRRwgofEdJVuGlEBNBD
Score: 1/10

Target: __x64___setup___x32__/mscms/msvcp120.dll
Size: 644KB
MD5: c2028ba6c66363b36ea659ca8816265d
SHA1: 5e2bda10ad417466290dc08fd6ee8bc5fcf0ebbd
SHA256: 3b92e964404e3f94531e7d7c4c7419561d9eca6accd98dc3979c9e3596db444c
SHA512: 28e87d7360c4bd2eb30152173da6fdf30340b5ff0186a68f26514088dcc15758851afd01a179e976a91a9a85f9c1ee0cfa40308ed9d42654739acf6f6dd773f4
SSDEEP: 12288:FOB4p+q4N8d4l2ms4cTHN+m+gy/vEPYysExtvsIvXi1ZG2EKZm+GWodEEpvY/p:iAtvsIvL2EKZm+GWodEEpvYh
Score: 1/10

Target: __x64___setup___x32__/mscms/scrrun.dll
Size: 223KB
MD5: 8a6d4a4e788d30298a8885aaa5ef5e50
SHA1: 33dd8d769e42690b6d12e2deb744ec63d4170429
SHA256: 40c371fab5d3b36a2b15062ccd9deb088ac2aae4a52cd61c48671d3671fe8b23
SHA512: 726f198c2d7477dce478cb16578206fbcbd95b57c67547baab0d8d7f82334f724199bbd2a1546b7b8e29d95d6cd3ad8683e32c08b6c46e3853247e3db1cdcf57
SSDEEP: 3072:RLyWTrOJHy/LyLVCtndbijmQHw/vfQi18eXUMS1049WRjCy24eM68Pm:RLyWTrF+LVmdijy18JJSO54eM
Score: 7/10
Detections:
Event Triggered Execution: Component Object Model Hijacking (T1546.015). Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects, typically by registering a per-user CLSID server entry under HKCU that is resolved before the machine-wide one in HKLM. The report does not show which CLSID this task wrote.
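The COM hijacking hit above is the only behavioral detection on a DLL in this package, and the report does not expose the CLSID involved, so a responder checking a host has to look for the pattern rather than a specific key. The PowerShell below is an added example for that check; it is not part of the sandbox report and not derived from the sample. It enumerates per-user COM server registrations and flags those that shadow a machine-wide CLSID, point outside the standard program directories, or fail an Authenticode check. The trusted-root list, the column names and the flagging rules are assumptions for this example.

```powershell
# Added example (not part of the sandbox report, not from the sample):
# triage per-user COM server registrations for COM hijacking (T1546.015).
#
# COM activation resolves HKCU\Software\Classes\CLSID before the machine-wide
# HKLM\Software\Classes\CLSID, and writing to HKCU needs no admin rights, so a
# per-user InprocServer32/LocalServer32 entry for a CLSID that is also
# registered machine-wide is loaded in place of the real server by any
# process that instantiates that class.

# Assumption: binaries under these roots are considered "expected" locations.
$TrustedRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Get-ComServerEntry {
    # Return the server value registered under a CLSID key, or $null.
    param([string]$ClsidKeyPath)
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $key = Join-Path -Path $ClsidKeyPath -ChildPath $sub
        if (Test-Path -LiteralPath $key) {
            $val = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
            if ($val) { return [pscustomobject]@{ Kind = $sub; Path = $val } }
        }
    }
    return $null
}

function ConvertTo-FilePath {
    # Strip surrounding quotes and trailing arguments, expand %VARS%.
    param([string]$ServerValue)
    $p = $ServerValue.Trim()
    if ($p.StartsWith('"')) { $p = $p.Substring(1).Split('"')[0] }
    else { $p = $p -replace '\s+[/-].*$', '' }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Test-TrustedPath {
    param([string]$FilePath)
    foreach ($root in $TrustedRoots) {
        if ($FilePath.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SignerStatus {
    # Authenticode status of the server binary; 'missing' if the path is dead.
    param([string]$FilePath)
    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) { return 'missing' }
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath
    if ($sig.Status -eq 'Valid') { return $sig.SignerCertificate.Subject }
    return $sig.Status.ToString()
}

$Findings = foreach ($clsidKey in Get-ChildItem -Path 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue) {
    $user = Get-ComServerEntry -ClsidKeyPath $clsidKey.PSPath
    if (-not $user) { continue }
    $clsid       = $clsidKey.PSChildName
    $machine     = Get-ComServerEntry -ClsidKeyPath "HKLM:\Software\Classes\CLSID\$clsid"
    $file        = ConvertTo-FilePath -ServerValue $user.Path
    $machineFile = $null
    if ($machine) { $machineFile = ConvertTo-FilePath -ServerValue $machine.Path }
    [pscustomobject]@{
        CLSID          = $clsid
        Kind           = $user.Kind
        UserServer     = $file
        MachineServer  = $machineFile
        ShadowsMachine = [bool]$machine
        TrustedPath    = Test-TrustedPath -FilePath $file
        Signer         = Get-SignerStatus -FilePath $file
    }
}

# Highest-signal rows: a per-user server that shadows a machine-wide CLSID,
# lives outside the trusted roots, or is unsigned, tampered or missing.
$Findings |
    Where-Object {
        $_.ShadowsMachine -or -not $_.TrustedPath -or
        $_.Signer -in @('missing', 'NotSigned', 'HashMismatch', 'NotTrusted')
    } |
    Sort-Object -Property ShadowsMachine -Descending |
    Format-Table -AutoSize
```

Run it in the context of the user whose profile is suspected, since HKCU is per user; for other profiles load their NTUSER.DAT or query HKU\<SID>\Software\Classes\CLSID instead. Treat the output as a triage list, not a verdict: per-user installers (browsers, collaboration clients) legitimately register COM servers under HKCU, so the rows worth escalating are the ones whose server DLL is unsigned or whose SHA256 matches an indicator such as the hashes listed in this report.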

Target: __x64___setup___x32__/setup.msi
Size: 34.8MB
MD5: 1086315ee22b1c20eb4aa7a57cbb8b6b
SHA1: 1c734fc3f48e355a438cfed270f927b3922ef0ac
SHA256: d9324c156a90b828e3f110a871b6eca08bb6251fc34dcb8b570c05f48a6b642d
SHA512: f6fdfd4751e9b717b7acef31973e34219d2c1e49869b956c27f2a675461ad70b4d727fefb8dba5910954ef8012232913e79549acaa75558015e4de24ee804c05
SSDEEP: 786432:wqqRkI57hVSZmlNdonqUuhGMCiEIS/vTis1Mscz:wq+T57jSZmGnqUezSTtqz
Detections:
Rhadamanthys: Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess: a process was created with an explicitly chosen parent other than the caller (parent PID spoofing), which breaks parent/child lineage in process-tree-based detection.
Blocklisted process makes network request
Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
Suspicious use of SetThreadContext: a call that rewrites a thread's register state, commonly used to redirect execution into injected code in a suspended process.

Target: __x64___setup___x32__/vmrdvcore/mssph.dll
Size: 209KB
MD5: ca07ad5304f7052e25cd4d708e0e21e4
SHA1: c73cbb881900e76d45957e9884398f5f3a9140e9
SHA256: fdd8008196ee65685d532869f9e611105eecb9054769a278ffb0985690cc92c7
SHA512: 613fd7ebb45e9ff2086a6804a662146a20d940a77d4a086eddf28e60dfe487d89d31fbe567d948af2492c5e37dbce203a2723450a05becc934d6214c0190f269
SSDEEP: 3072:nM/SaNItlQ9BkSbRzn82ssxRskJCQB+6h1azfTzRNraXCTCvf:MqAIt0tRPssxRskJCQBL0RNraXCTC
Score: 1/10

Target: __x64___setup___x32__/vmrdvcore/perfctrs.dll
Size: 46KB
MD5: 9d8502eab14478df7cb3b764e8890ed2
SHA1: 77fc6eee247a35b0eb2b1683503cd9ee3fb52793
SHA256: 5a21833091835de5d1d3d40579b0b4ef1d442f9843568a7696da7804f76207cf
SHA512: c47be028b662596e92baad3bec79eb34a802f762c5695c7a486882a59ff0a3a0341e592f5ff2f506d126bb9593d622dc28a9acba07456a5e2613a0c1152c403a
SSDEEP: 384:p9sm0BwREQtSU0sUI4TDX5KuX4o0Bi+5NaRCIvN9q0p5yNpEGBoQ4f09XGboaVmc:KPU0sXc73+5URCgNygADNcboPkNJzXl
Score: 1/10

Target: __x64___setup___x32__/vmrdvcore/tapisrv.dll
Size: 309KB
MD5: 20ceaece4ecdebc89c82f1998696d596
SHA1: c5d390d27b4859bd9cf267b539ad80b04bc78328
SHA256: 439559de34be096824cb70a97524e843ce2802092a9c882167f4cb08fe9664a7
SHA512: a057dfffa9a7752b4747cbcf3db62c1eb7d54826f56932b21f8c097037a93c8d745151c4a7fbd114826b6a708f17b556d8125d513b407933e736434e6a868222
SSDEEP: 6144:6X4cpoiSX8F/u6/1YbCtgRUSXEF1LLWdYiL6aosUJ4P3yzbsYo:bcpoidFfYbCW7UF1LLWqmZY
Score: 1/10

Target: __x64___setup___x32__/vmrdvcore/vmrdvcore.dll
Size: 448KB
MD5: c13f52b8a6dad68ea53449f82656b0ff
SHA1: 8b71c7aeb4e31152c275fa4c1ca392dc87154406
SHA256: 205d81f292a54c6583e4dffc26922690e5771cb9cbcdea8193f3b37a5deb50b0
SHA512: 2a22a55a9dcb94424c07a1209e1daa85532be7a4b30f8ae9848772518ca0ff932ac171661057f73e39a22433f09cec5e8a9be9792b8c25c7d550643ac2d582dc
SSDEEP: 6144:s/QgOQa/pXgnyqe+YP6CJSJ/MWF++WbhT+0WPSn0Eh3qLBp5HVVTClD83FLOsxtw:sHYSYPR6/z+Z5DOBpF//7/Y5
Score: 1/10

MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Installer Packages (1)
Privilege Escalation
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Installer Packages (1)