// CyberDefenders  ·  Endpoint Forensics

Rhadamanthys

CyberDefenders Medium Event Log Explorer, CyberChef, Timeline Explorer, Eric Zimmerman Tools
Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Command and Control

Scenario

On 8 April 2026, a targeted social-engineering campaign tricked user christian into executing a malicious document retrieved from the internet. Opening the document triggered remote code execution and kicked off a full attack chain — AD enumeration, privilege escalation via account pivot, LSASS credential dumping, and ultimately deployment of the Rhadamanthys Stealer DLL. The beachhead host sits outside SIEM coverage, so the entire investigation relies on a KAPE-collected disk image: MFT records, Prefetch artefacts, LNK files, and Sysmon operational logs to reconstruct the timeline.


Methodology

Triage — Establishing the Artefact Set

The KAPE image (SO-07_Disk) provides the full C:\ volume of a domain-joined Windows host (SO-07.corp.socivioco.local). Four accounts show 8 April 2026 activity in the Users directory — christian, Administrator, soci.admin, and roby — with christian and soci.admin both modified at 7:48 PM, bracketing the incident window and hinting at an account pivot during the intrusion.

Three artefact sources drive the majority of findings: Sysmon operational logs parsed through EvtxECmd into Timeline Explorer for process creation and network events, LECmd for LNK file delivery path confirmation, and PECmd for Prefetch execution history and run counts.

EvtxECmd.exe -f "C:\...\SO-07_Disk\C\Windows\System32\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx" --csvf .

A Note on Methodology

The intended artefact path for this lab — signalled by the tool list — is MFT-first. Running MFTECmd against $MFT and loading the output into Timeline Explorer produces a chronological file creation timeline across the entire 8 April window, surfacing every dropped binary in sequence without touching event logs. LECmd then confirms the delivery path, PECmd handles execution counts, and Sysmon fills the gaps where file artefacts alone can’t answer — PIDs, parent-child relationships, command lines, and network connections.

In practice this investigation went Sysmon-first, which still got there but required more work — decoding obfuscated blobs and scrolling process creation events to find files the MFT would have surfaced in a single sorted pass. The tool list on a CyberDefenders lab is worth reading as a methodology hint before opening anything: EZ Tools listed together means the intended workflow is MFTECmd → Timeline Explorer → LECmd → PECmd, with event logs as a secondary source rather than the primary one.
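The MFT-first pass described above, as an added example written for this write-up rather than taken from the lab or from the EZ Tools themselves: it reads an MFTECmd-style CSV, keeps only files with executable or script extensions created inside the incident window, and returns them oldest first so every dropped binary appears in sequence. The column names (ParentPath, FileName, Extension, Created0x10) are assumed to match MFTECmd's export; the sample rows are constructed, and only the lure's creation time comes from the investigation, the other timestamps are made up.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of an MFTECmd CSV export. Column names are
# assumed to match MFTECmd's output; rows are deliberately out of order, and
# every timestamp except the lure's 05:39:36 creation time is invented.
SAMPLE_MFT_CSV = r"""ParentPath,FileName,Extension,Created0x10
.\Windows\System32,kernel32.dll,.dll,2024-11-02 09:00:00.0000000
.\Users\christian\Downloads,Copy of Beginning the Year Webinar-Reflection Questions.docx,.docx,2026-04-08 05:39:36.0000000
.\Windows\SysWOW64,schshell.exe,.exe,2026-04-08 15:52:44.1234567
.\Users\christian\AppData\Roaming\Microsoft\Windows\Themes,hh.exe,.exe,2026-04-08 14:31:02.0000000
.\Users\christian\AppData\Roaming\Microsoft\Windows\Libraries,dd.ps1,.ps1,2026-04-08 15:05:10.0000000
.\Windows\System32,pc.exe,.exe,2026-04-08 16:20:00.0000000
.\Program Files\Common Files,readme.txt,.txt,2026-04-08 16:21:00.0000000
"""

# Extensions worth surfacing in a "what was dropped" timeline.
EXEC_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr"}


def parse_mft_time(value):
    """Parse MFTECmd's 'YYYY-MM-DD HH:MM:SS.fffffff' form.

    The fractional part has seven digits, one more than strptime's %f accepts,
    so the base time is parsed first and the microseconds attached afterwards.
    A value without a fractional part (e.g. a hand-typed window bound) also works.
    """
    base, _, frac = value.strip().partition(".")
    ts = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    if frac:
        ts = ts.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return ts


def dropped_files(csv_text, start, end, extensions=EXEC_EXTENSIONS):
    """Return [(created, full_path)] for matching files created in [start, end], oldest first."""
    start_ts, end_ts = parse_mft_time(start), parse_mft_time(end)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Extension"].lower() not in extensions:
            continue
        created = parse_mft_time(row["Created0x10"])
        if start_ts <= created <= end_ts:
            # MFTECmd writes ParentPath relative to the volume root (".\Users\...").
            path = "C:" + row["ParentPath"].lstrip(".") + "\\" + row["FileName"]
            hits.append((created.strftime("%Y-%m-%d %H:%M:%S"), path))
    hits.sort()  # timestamp strings in this format sort chronologically
    return hits


if __name__ == "__main__":
    for created, path in dropped_files(SAMPLE_MFT_CSV, "2026-04-08 00:00:00", "2026-04-08 23:59:59"):
        print(created, path)
```

Run against a real export, the same call with the lure's extension set (`{".docx"}`) gives the delivery time, and the default set gives the drop order of hh.exe, dd.ps1, schshell.exe and pc.exe without opening a single event log; the Sysmon pass then only has to answer PIDs, parents and command lines for files already on the list.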

Initial Access — Malicious Document Delivery

Office Recent LNK files at C:\Users\christian\AppData\Roaming\Microsoft\Office\Recent\ surface seven shortcuts. The filenames are education-themed — consistent with christian being a teacher — with the lure designed to blend in rather than create urgency. Copy of Beginning the Year Webinar-Reflection Questions sits alongside genuine classroom resources, making it far less suspicious than a legal threat document.

Running LECmd against the shortcut confirms delivery path and timestamps:

LECmd.exe -f "C:\...\AppData\Roaming\Microsoft\Office\Recent\Copy of Beginning the Year Webinar-Reflection Questions.LNK"

The LNK resolves to C:\Users\christian\Downloads\Copy of Beginning the Year Webinar-Reflection Questions.docx. MFT timestamps show the file landed on disk at 2026-04-08 05:39:36 — likely when the email attachment was saved — and was last accessed at 2026-04-08 14:19:30 when Word opened it. The nine-hour gap between download and execution is consistent with a real user receiving a phishing email in the morning and opening it later in the day.

Execution — rundll32.exe Spawned by WINWORD

Filtering the parsed Sysmon CSV in Timeline Explorer for Event ID 1 with WINWORD in the search field surfaces the child process spawned at the moment the document opened:

C:\Windows\SysWOW64\rundll32.exe (PID 2064) spawned directly under WINWORD.EXE (PID 5284) at 2026-04-08 14:19:30 — the same second as the LNK last-access timestamp. Legitimate Word usage does not spawn rundll32, making this parent-child relationship an unambiguous indicator of embedded malicious code execution.

The full cell detail confirms the process ran as CORP\christian with user-level integrity.

C2 — Initial Callback

Switching the Timeline Explorer filter to Event ID 3 (Network Connection) and searching for PID 2064 surfaces the C2 callback:

rundll32.exe (PID 2064) connected outbound over TCP port 80 to 35.158.196.73 — unencrypted HTTP C2, which explains why no TLS fingerprinting is available. The Sysmon rule tagged this technique_id=T1218.011, technique_name=Rundll32, consistent with a LOLBIN-based stager using the legitimate Microsoft binary to blend into process telemetry.

Discovery Phase 1 — Post-Shell Reconnaissance

With a C2 shell established, the attacker’s first action was identity confirmation. cmd.exe (PID 14228) spawned by rundll32 PID 2064 ran whoami at 2026-04-08 14:27 — standard operating procedure before any further action.

The attacker then dropped SharpHound renamed to hh.exe into the Windows Themes folder — a plausible-looking path for a binary named after the legitimate Windows HTML Help executable. The flags in the command line give it away completely:

C:\Users\christian\AppData\Roaming\Microsoft\Windows\Themes\hh.exe -c All --outputdirectory C:\Users\christian\AppData\Local\Temp --zippassword "P@$$w0rd"

-c All triggers full BloodHound collection — sessions, ACLs, trusts, group memberships, and local admin relationships. The output zip is password-protected with P@$$w0rd before exfiltration. The PE OriginalFilename field confirms the binary as SharpHound.exe despite the rename.

Before escalating, the attacker also ran an encoded PowerShell blob hunting for cleartext credentials in Windows deployment files — unattend.xml, sysprep.inf, and sysprep.xml — locations where imaging credentials are frequently left behind. Decoding the Base64/UTF-16LE blob in CyberChef reveals:

"C:\\unattend.xml", "C:\\Windows\\Panther\\Unattend.xml", ... | Where-Object { Test-Path $_ } | ForEach-Object { Get-Item $_ }

Privilege Escalation — Account Pivot to soci.admin

At 2026-04-08 15:08:41, a new rundll32.exe instance spawned with High integrity under the CORP\soci.admin account — a different identity from the initial CORP\christian shell. The parent was still the user-context rundll32 (PID 2064), indicating the attacker used dd.ps1 (dropped to C:\Users\christian\AppData\Roaming\Microsoft\Windows\Libraries\) as the escalation mechanism to pivot into the soci.admin account with elevated rights.

At 2026-04-08 15:44, the elevated session dropped 4fcadae.exe to the ADMIN$ share and used it to spawn additional elevated rundll32 processes for post-exploitation staging.

Writing to \\127.0.0.1\ADMIN$\ requires administrative rights, confirming the escalation was complete before this write occurred.

Persistence — schshell.exe and Scheduled Task

With SYSTEM-level access established, the attacker wrote schshell.exe to C:\Windows\SysWOW64\ — a path only writable from a SYSTEM context — as recorded by a Sysmon Event ID 11 (FileCreate) event.

A scheduled task was then registered to relaunch schshell.exe hourly. The schtasks command line was Base64/UTF-16LE encoded; decoding in CyberChef reveals:

schtasks /create /tn "schadule.sys" /tr "C:\Windows\system32\schshell.exe" /sc hourly

The task name schadule.sys is a deliberate typo — close enough to schedule to avoid a casual glance but different enough to evade string-based detection rules. The .sys extension further blurs the entry in task listings.

Discovery Phase 2 — Network Enumeration

With persistence in place, schshell.exe issued a second wave of network discovery via encoded PowerShell. Two cmdlets were decoded from separate Base64/UTF-16LE blobs:

Get-NetIPConfiguration | Format-Table InterfaceAlias, InterfaceDescription, IPv4Address, IPv4DefaultGateway, DNSServer -AutoSize

Get-NetTCPConnection -State Established | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, @{Name="ProcessName";Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}

Get-NetIPConfiguration maps the interface configuration, gateway, and DNS servers. Get-NetTCPConnection enumerates all established TCP connections with their owning process names — together they give the attacker a complete network posture picture before lateral movement.
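The Base64/UTF-16LE decoding that the unattend.xml hunt, the schtasks registration and the two network-discovery cmdlets above all required is the same operation each time, so here it is once as an added example (not the page's or CyberChef's code): pull the blob out of a powershell -EncodedCommand invocation and reverse the encoding. The input is assumed to be a plain command-line string, such as the CommandLine field of a Sysmon Event ID 1 record; the sample command lines are constructed, with the scripts inside them being the ones the write-up decoded.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e" optionally followed by "c" or by "n" plus more letters, then the blob.
ENC_RE = re.compile(r"(?i)\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")


def encode_for_powershell(script):
    """Encode a script the way -EncodedCommand expects: UTF-16LE first, then Base64.

    Used here only to build the constructed samples and to check the round trip.
    """
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob):
    """Reverse the encoding; returns None when the blob is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def scan_command_lines(command_lines):
    """Return [(index, decoded_script)] for every encoded command found in the input."""
    found = []
    for i, cmd in enumerate(command_lines):
        for blob in ENC_RE.findall(cmd):
            decoded = decode_encoded_command(blob)
            if decoded is not None:
                found.append((i, decoded))
    return found


# Constructed sample command lines (not copied from the lab's Sysmon data).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(
        "Get-NetIPConfiguration | Format-Table InterfaceAlias, InterfaceDescription, "
        "IPv4Address, IPv4DefaultGateway, DNSServer -AutoSize"),
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ec " + encode_for_powershell(
        r'schtasks /create /tn "schadule.sys" /tr "C:\Windows\system32\schshell.exe" /sc hourly'),
    "cmd.exe /c whoami",                                   # nothing encoded
    "powershell.exe -ExecutionPolicy Bypass -File dd.ps1",  # -E... but not -EncodedCommand
]

if __name__ == "__main__":
    for index, script in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(f"[{index}] {script}")
```

Feeding every Event ID 1 command line from the EvtxECmd export through `scan_command_lines` produces the decoded scripts in one pass, which is the step that took several CyberChef round-trips in the Sysmon-first approach. The decoder deliberately returns None rather than raising on a bad blob, since a scan over thousands of events should not stop on one truncated or mis-parsed command line.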

During this phase the attacker also added Defender exclusions from ExterroExclusions.txt via Add-MpPreference, ran KAPE against the full volume (kape.exe --tsource C: --tdest ... --target !SANS_Triage), mapped a remote share at \\35.156.233.141\drop using credentials syncuser:Passw0rd!, and used Robocopy to exfiltrate the collected data.

Credential Access — LSASS Dump via Renamed Procdump

schshell.exe dropped procdump.exe renamed to pc.exe into C:\Windows\system32\ and executed it against lsass:

C:\Windows\system32\pc.exe -accepteula -ma lsass.exe lsass.dmp

-accepteula silently bypasses the Sysinternals EULA prompt. -ma produces a full memory dump. The rename to pc.exe is a simple evasion — many EDR products and SIEM rules key on the string procdump in process names and command lines. The output lsass.dmp contains all credential material accessible to the OS at dump time.

C2 Rebeacon — jobUpdater.exe and Rhadamanthys Loader

Following the credential dump, schshell.exe dropped jobUpdater.exe to C:\Program Files\ — again requiring elevated write access — and executed it.

jobUpdater.exe then dropped intersteller.exe to C:\Users\soci.admin\AppData\Local\Temp\ and launched it as its child process.

intersteller.exe is the Rhadamanthys Loader (SHA256: AF04EE03D69A7962FA5350D0DF00FAFC4AE85A07DFF32F99F0D8D63900A47466). Parsing its Prefetch file with PECmd reveals it was executed four times between 17:00 and 17:15 — consistent with retry logic while the loader attempts to reach its staging server:

PECmd.exe -f "C:\...\SO-07_Disk\C\Windows\prefetch\INTERSTELLER.EXE-0FFF75E3.pf"

Run timestamps: 17:00:39, 17:03:23, 17:07:23, 17:15:47. VirusTotal enrichment on the hash places the PE compilation timestamp at 2022-08-22 14:14 with first seen in the wild at 2023-01-04 15:16 — a sample over two years old at the time of this intrusion.

Final Stage — Rhadamanthys Stealer DLL

Once the loader successfully retrieved its next-stage payload, nsis_uns3a98f.dll appeared on disk at C:\Users\soci.admin\AppData\Roaming\ and was executed via rundll32.exe with the PrintUIEntry export:

"C:\Windows\system32\rundll32.exe" C:\Users\soci.admin\AppData\Roaming\nsis_uns3a98f.dll,PrintUIEntry

PrintUIEntry is a legitimate exported function from the Windows print UI DLL — using it as the entry point allows the stealer to execute within the rundll32 process context while appearing to invoke a benign system function. The DLL (SHA256: 92A7C3296A561FB39798F821173E69D1FEFF44FF3A84CAA4C6BB890945E79488) is the Rhadamanthys Stealer, capable of harvesting browser credentials, cryptocurrency wallets, and session tokens.


Attack Summary

Phase | Action
Delivery | Phishing email delivers Copy of Beginning the Year Webinar-Reflection Questions.docx to christian’s Downloads folder
Execution | WINWORD.EXE spawns rundll32.exe (PID 2064); C2 callback to 35.158.196.73:80
Discovery | whoami via cmd.exe (14:27); SharpHound (hh.exe -c All) AD enumeration; unattend.xml credential hunt
Privilege Escalation | dd.ps1 pivots from christian to soci.admin (High integrity) at 15:08; 4fcadae.exe dropped to ADMIN$ share
Persistence | schshell.exe written to C:\Windows\SysWOW64\; scheduled task schadule.sys runs it hourly
Discovery Phase 2 | Get-NetIPConfiguration and Get-NetTCPConnection network enumeration; Defender exclusions added
Credential Access | procdump.exe renamed pc.exe dumps lsass to lsass.dmp
C2 Rebeacon | schshell.exe drops jobUpdater.exe → intersteller.exe (Rhadamanthys Loader, 4 executions)
Exfiltration | KAPE collection; Robocopy to \\35.156.233.141\drop via syncuser:Passw0rd!
Final Payload | nsis_uns3a98f.dll (Rhadamanthys Stealer) executed via rundll32.exe,PrintUIEntry

IOCs

Type | Value
File (Lure) | Copy of Beginning the Year Webinar-Reflection Questions.docx
IP (C2 HTTP) | 35[.]158[.]196[.]73
IP (Exfil Share) | 35[.]156[.]233[.]141
File (SharpHound) | C:\Users\christian\AppData\Roaming\Microsoft\Windows\Themes\hh.exe
File (Escalation Script) | C:\Users\christian\AppData\Roaming\Microsoft\Windows\Libraries\dd.ps1
File (Share Binary) | \\127.0.0.1\ADMIN$\4fcadae.exe
File (Persistence) | C:\Windows\SysWOW64\schshell.exe
Scheduled Task | schadule.sys
File (LSASS Dumper) | C:\Windows\system32\pc.exe
File (C2 Beacon) | C:\Program Files\jobUpdater.exe
File (Rhadamanthys Loader) | C:\Users\soci.admin\AppData\Local\Temp\intersteller.exe
Hash (Loader SHA256) | AF04EE03D69A7962FA5350D0DF00FAFC4AE85A07DFF32F99F0D8D63900A47466
File (Rhadamanthys Stealer) | C:\Users\soci.admin\AppData\Roaming\nsis_uns3a98f.dll
Hash (Stealer SHA256) | 92A7C3296A561FB39798F821173E69D1FEFF44FF3A84CAA4C6BB890945E79488
Credential (Exfil) | syncuser:Passw0rd!

MITRE ATT&CK

Technique | ID | Description
Spearphishing Attachment | T1566.001 | Education-themed .docx delivered via email to target user
Malicious File | T1204.002 | User opened Word document triggering embedded code execution
Rundll32 | T1218.011 | rundll32.exe used as C2 stager and stealer DLL loader throughout
PowerShell | T1059.001 | All post-exploitation commands issued via encoded powershell -Enc blobs
Masquerading | T1036.005 | SharpHound renamed hh.exe; procdump renamed pc.exe; schshell.exe mimics system binary
Bypass UAC / Access Token Manipulation | T1548.002 | dd.ps1 pivots christian session to elevated soci.admin context
Scheduled Task | T1053.005 | schadule.sys task relaunches schshell.exe hourly for persistence
LSASS Memory | T1003.001 | procdump (pc.exe) dumps lsass.exe to lsass.dmp
Network Service Discovery | T1046 | Get-NetIPConfiguration and Get-NetTCPConnection enumerate host network posture
Ingress Tool Transfer | T1105 | SharpHound, procdump, jobUpdater, intersteller.exe all dropped post-compromise
Archive Collected Data | T1560.001 | SharpHound output zip password-protected with P@$$w0rd before exfil
Exfiltration to Cloud Storage | T1048 | Robocopy exfiltrates KAPE collection to attacker SMB share at 35.156.233.141

Defender Takeaways

Office macro and child process controls — The entire intrusion chain began with WINWORD.EXE spawning rundll32.exe directly. Attack Surface Reduction (ASR) rule d4f940ab-401b-4efc-aadc-ad5f3c50688a (“Block all Office applications from creating child processes”) would have terminated the kill chain at the first step. This rule is available in any environment running Microsoft Defender with ASR enabled and has minimal legitimate-use impact.

Rename detection for known offensive tools — SharpHound and procdump were both renamed before execution, but neither had their PE headers stripped. Hunting on the OriginalFileName field in Sysmon Event ID 1 (which Sysmon populates from the PE version resource) catches renamed binaries regardless of what they’re called on disk. Both SharpHound.exe and procdump.exe appearing as hh.exe and pc.exe would have fired on this check immediately.

Scheduled task name anomaly detection — The task schadule.sys uses a deliberate typo and a .sys extension — neither is consistent with legitimate Windows scheduled task naming conventions. A simple detection rule flagging tasks registered via schtasks /create where the /tn value contains non-standard extensions (.sys, .dll, .dat) or misspellings of common Windows terms surfaces this class of persistence reliably.

LSASS protection — Enabling RunAsPPL (Protected Process Light) for lsass.exe via HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1 would have blocked procdump’s -ma flag entirely, as PPL-protected processes cannot be accessed by non-PPL processes regardless of privilege level. Credential Guard provides a second layer by moving NTLM hashes and Kerberos tickets into an isolated hypervisor-protected enclave that is inaccessible even to SYSTEM.

Egress filtering and SMB share monitoring — The attacker exfiltrated data by mapping \\35.156.233.141\drop over SMB and using Robocopy to transfer the KAPE collection. Outbound SMB (TCP 445) to non-domain destinations should be blocked at the perimeter entirely — there is no legitimate use case for workstations initiating outbound SMB to internet addresses. Alerting on net use commands mapping external shares would have flagged this activity at the point of execution.
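The four detection ideas in the takeaways above (Office child processes, OriginalFileName mismatches, odd scheduled-task names and outbound SMB to public addresses), run as one pass over Sysmon-shaped events. This is an added example written for this page, not a rule set from any product; the events are constructed dictionaries using Sysmon's own field names (Image, ParentImage, CommandLine, OriginalFileName, DestinationIp, DestinationPort), so mapping them onto EvtxECmd's flattened CSV columns is left to the reader. The schtasks event carries a plaintext command line, as the schtasks.exe child-process record would even when its PowerShell parent was launched with an encoded blob.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TASK_BAD_EXTS = {".sys", ".dll", ".dat"}          # extensions no legitimate task name carries
COMMON_TASK_WORDS = ("schedule", "update", "windows", "microsoft", "maintenance")
TASK_NAME_RE = re.compile(r'(?i)/tn\s+(?:"([^"]+)"|(\S+))')


def basename(path):
    return PureWindowsPath(path).name.lower() if path else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings such as 'schadule'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def task_name_reasons(name):
    """Reasons a /tn value looks wrong: binary-like extension, or a typo of a common word."""
    p = PureWindowsPath(name)
    reasons = []
    if p.suffix.lower() in TASK_BAD_EXTS:
        reasons.append(f"task name '{name}' has extension {p.suffix}")
    stem = p.stem.lower()
    for word in COMMON_TASK_WORDS:
        if stem != word and len(stem) >= 5 and edit_distance(stem, word) <= 2:
            reasons.append(f"task name '{stem}' is a near-miss of '{word}'")
    return reasons


def analyse(events):
    """Return [(rule, detail)] alerts for a list of Sysmon-shaped event dicts."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        image, parent = basename(ev.get("Image")), basename(ev.get("ParentImage"))
        cmd = ev.get("CommandLine", "")
        if eid == 1:
            if parent in OFFICE_APPS:
                alerts.append(("office_child_process", f"{parent} -> {image}"))
            # Caveat: some legitimate binaries also differ from their OriginalFileName;
            # a production rule keeps an allowlist or restricts this to known tool names.
            orig = (ev.get("OriginalFileName") or "").lower()
            if orig and orig != image:
                alerts.append(("renamed_binary", f"{image} has OriginalFileName {orig}"))
            if re.search(r"(?i)schtasks(?:\.exe)?\b.*?/create", cmd):
                m = TASK_NAME_RE.search(cmd)
                if m:
                    for reason in task_name_reasons(m.group(1) or m.group(2)):
                        alerts.append(("scheduled_task_name", reason))
        elif eid == 3:
            ip = ipaddress.ip_address(ev.get("DestinationIp", "0.0.0.0"))
            if int(ev.get("DestinationPort", 0)) == 445 and ip.is_global:
                alerts.append(("external_smb", f"{image} -> {ip}:445"))
    return alerts


# Constructed sample events modelled on the intrusion (paths and names from the write-up,
# everything else made up); the last three are benign controls that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "CommandLine": "rundll32.exe"},
    {"EventID": 1, "Image": r"C:\Users\christian\AppData\Roaming\Microsoft\Windows\Themes\hh.exe",
     "OriginalFileName": "SharpHound.exe", "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "hh.exe -c All"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks /create /tn "schadule.sys" /tr "C:\Windows\system32\schshell.exe" /sc hourly'},
    {"EventID": 1, "Image": r"C:\Windows\system32\pc.exe", "OriginalFileName": "procdump",
     "ParentImage": r"C:\Windows\SysWOW64\schshell.exe", "CommandLine": "pc.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 3, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "DestinationIp": "35.156.233.141", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": 'schtasks /create /tn "Nightly Backup" /tr backup.cmd /sc daily'},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}")
```

The scheduled-task check is the one that needs the most thought in practice: the edit-distance test is cheap and catches schadule, but a real rule should also be fed the decoded form of any encoded PowerShell parent, otherwise only the schtasks.exe child event, and not the script that launched it, gets inspected. The external-SMB check fires on any public destination on 445, which is the right default for workstations since, as noted above, there is no legitimate reason for them to initiate SMB to the internet.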


Lab Questions

Q: The attack started with a malicious document that the victim opened with Microsoft Word. What is the name of this malicious document?
A: Copy of Beginning the Year Webinar-Reflection Questions.docx

Q: Opening the malicious document triggered the execution of a child process. What is the name and PID of this process?
A: rundll32.exe, 2064

Q: Opening the document file triggered a connection back to C2. What is the C2 IP address?
A: 35.158.196.73

Q: After gaining a remote shell on the victim machine, the attacker started malicious activity with some discovery commands. What is the first command executed and its timestamp?
A: whoami, 2026-04-08 14:27

Q: After some reconnaissance, the threat actor dropped and executed a malicious file to perform intensive enumeration. What is the full path of this tool, and its original file name?
A: c:\Users\christian\AppData\Roaming\Microsoft\Windows\Themes\hh.exe, SharpHound.exe

Q: After completing enumeration successfully, the attacker escalated privileges by spawning a new rundll32.exe process running with administrative rights, giving them an elevated foothold on the host. When did this first malicious privileged rundll32.exe process run?
A: 2026-04-08 15:08

Q: During privilege escalation, the attacker dropped a binary onto a share to spawn additional rundll32.exe processes for later post-exploitation activity. What is the full path of this binary?
A: \\127.0.0.1\ADMIN$\4fcadae.exe

Q: After elevating privileges, the attacker dropped a persistence binary into a system directory, a location only writable from a SYSTEM-level context. What is the full path of this file?
A: C:\Windows\SysWOW64\schshell.exe

Q: The attacker registered a scheduled task that re-launches the persistence binary at regular intervals. What is the name of this task?
A: schadule.sys

Q: The threat actor started a second phase of discovery. What are the two PowerShell cmdlets used by the threat actor in network discovery?
A: Get-NetIPConfiguration, Get-NetTCPConnection

Q: During Credential Access, the actor targeted LSASS memory. The threat actor dropped a known system admin tool to dump lsass. What is the original tool name used, and what is the file that stores the output?
A: procdump, lsass.dmp

Q: The LSASS dumping binary was renamed before it was executed against lsass.exe. What is the file path of this lsass dumper tool?
A: C:\Windows\system32\pc.exe

Q: After credential dumping, the attacker used the persistence executable to deploy a new client beacon to continue command-and-control. What is the name of this beacon?
A: jobUpdater.exe

Q: The process in the previous question started another process. What is the child process path?
A: C:\Users\soci.admin\AppData\Local\Temp\intersteller.exe

Q: What is the SHA256 hash of the child process?
A: AF04EE03D69A7962FA5350D0DF00FAFC4AE85A07DFF32F99F0D8D63900A47466

Q: The last dropped file, flagged as a Rhadamanthys-family sample, was executed repeatedly during this phase. Using Windows execution artifacts, how many times was this file executed?
A: 4

Q: For threat-intelligence enrichment of the Rhadamanthys Loader sample, look up its hash on VirusTotal. What is the Compilation Timestamp of this malware, and the First Seen In The Wild date?
A: 2022-08-22 14:14, 2023-01-04 15:16

Q: The repeated executions of the Rhadamanthys Loader suggest it was retrying to fetch its next-stage payload. Some time later, the actual Rhadamanthys Stealer DLL appeared on the host and was executed. What is the path of this last dropped file?
A: C:\Users\soci.admin\AppData\Roaming\nsis_uns3a98f.dll

Q: What is the SHA256 hash of this file dropped on the system?
A: 92A7C3296A561FB39798F821173E69D1FEFF44FF3A84CAA4C6BB890945E79488

Q: The final stealer DLL was invoked through rundll32.exe with an exported function name. What is the command line that tried to execute this file?
A: "C:\Windows\system32\rundll32.exe" C:\Users\soci.admin\AppData\Roaming\nsis_uns3a98f.dll,PrintUIEntry
🔒
// active lab
writeup locked
withheld in accordance with platform guidelines
to avoid spoiling live challenges.
password provided to recruiters on request.