| File name: | mmpack.exe.zip |
| Full analysis: | https://app.any.run/tasks/2dbe507f-fd21-49ba-a459-581ea64f15df |
| Verdict: | Malicious activity |
| Threats: | Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. |
| Analysis date: | January 08, 2024, 02:26:09 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 53663B9EB1E132A5A3EE1E6490908646 |
| SHA1: | C96448B6FA4EEDC99079C2B8A9FB3D060F2FB4DB |
| SHA256: | D0DE2017AC74A3C5D7F2EC8EC25DA1F11C59BDC61C70D950D74193635EC7F99E |
| SSDEEP: | 98304:82N0pd/pxojZWJ6sw3HTxh2M5wP+pYUXX8XgLzLzEBXIXpT0/eyKU20yaRhpv4Vi:aaziCSnERXV05h |
MALICIOUS
Actions looks like stealing of personal data
- dialer.exe (PID: 1804)
SUSPICIOUS
The process checks if it is being run in the virtual environment
- dialer.exe (PID: 1804)
Searches for installed software
- dialer.exe (PID: 1804)
Reads browser cookies
- dialer.exe (PID: 1804)
Accesses Microsoft Outlook profiles
- dialer.exe (PID: 1804)
Loads DLL from Mozilla Firefox
- dialer.exe (PID: 1804)
INFO
Manual execution by a user
- mmpack.exe (PID: 572)
Checks supported languages
- mmpack.exe (PID: 572)
- WeMod.exe (PID: 1236)
- RegAsm.exe (PID: 1624)
- wmpenc.exe (PID: 2304)
Reads the computer name
- mmpack.exe (PID: 572)
- WeMod.exe (PID: 1236)
- RegAsm.exe (PID: 1624)
Creates files or folders in the user directory
- mmpack.exe (PID: 572)
Reads the machine GUID from the registry
- RegAsm.exe (PID: 1624)
- wmpenc.exe (PID: 2304)
RHADAMANTHYS has been detected (SURICATA)
- dialer.exe (PID: 1804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 788 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:01:05 07:20:26 |
| ZipCRC: | 0x26a6468b |
| ZipCompressedSize: | 7151749 |
| ZipUncompressedSize: | 826909584 |
| ZipFileName: | mmpack.exe |
Total processes
44
Monitored processes
7
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 128 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\mmpack.exe.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 572 | "C:\Users\admin\Desktop\mmpack.exe" | C:\Users\admin\Desktop\mmpack.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1236 | C:\Users\admin\AppData\Roaming\WeMod.exe | C:\Users\admin\AppData\Roaming\WeMod.exe | — | mmpack.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft® HTML Help Executable Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1624 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | — | WeMod.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 4.8.3761.0 built by: NET48REL1 Modules
| |||||||||||||||
| 1804 | "C:\Windows\system32\dialer.exe" | C:\Windows\System32\dialer.exe | RegAsm.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Windows Phone Dialer Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2248 | "C:\Windows\system32\dllhost.exe" | C:\Windows\System32\dllhost.exe | wmpenc.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2304 | "C:\Program Files\Windows Media Player\wmpenc.exe" | C:\Program Files\Windows Media Player\wmpenc.exe | — | dialer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Media Player Encoder Helper Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
2 720
Read events
2 711
Write events
9
Delete events
0
Modification events
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.28266\mmpack.exe | — | |
MD5:— | SHA256:— | |||
| 572 | mmpack.exe | C:\Users\admin\AppData\Roaming\1337.exe | — | |
MD5:— | SHA256:— | |||
| 572 | mmpack.exe | C:\Users\admin\AppData\Roaming\WeMod.exe | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
12
DNS requests
1
Threats
13
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1804 | dialer.exe | 91.92.250.176:443 | api.assasasasasas.shop | — | BG | unknown |
2248 | dllhost.exe | 95.217.82.39:443 | — | Hetzner Online GmbH | FI | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.assasasasasas.shop |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1804 | dialer.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 7 |
1804 | dialer.exe | A Network Trojan was detected | STEALER [ANY.RUN] Rhadamanthys SSL Certificate and JA3s |
11 ETPRO signatures available at the full report