Managed XDR

home-petik-ss-malware-...oxif_rhadamanthys_stop — malware analysis report

File info

Filename
home-petik-ss-malware-2025-12-30_9378f8c1f26c710c76c65386b0f37dbf_cobalt-strike_elex_floxif_rhadamanthys_stop
File type
PE32 executable (GUI) Intel 80386, for MS Windows
File size
208.9 KB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
880776088dd434c29731ede0503aeff1cc0431de
SHA256
3dcaf7b006bdb2621b6045130accaf2072c3c67135a393fea48318642be1d735
MD5
9378f8c1f26c710c76c65386b0f37dbf

Signatures

Execution

T1569.002 persistence_service: Starts newly created service

Persistence

T1543.003 creates_service: Creates a service, that will start automatically
T1546.010 persistence_autorun: Makes itself run automatically on Windows startup
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1543.003 creates_service: Creates a service, that will start automatically
T1546.010 persistence_autorun: Makes itself run automatically on Windows startup
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036.001 invalid_authenticode: Digital signature of the executable file has failed the verification
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager
T1003.001 dumps_lsass: Dumps lsass.exe process (probably, to extract credentials)

Discovery

T1057 process_interest: Enumerates processes
T1518 locates_browser: Attempts to identify where browsers are installed
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Other

yara_rules: Static rules
creates_exe: Creates executable files in the file system
driver_load: Loads a driver
require_administrator: Requests administrator privileges
has_pdb: This executable file has a PDB path
test_check_service: Starts services
writes_data: Writes big amount of data to disk
pe_overlay: PE file contains overlay
open_winlogon_process: Trying to open winlogon process
Managed XDR