Analysis Overview
SHA256
63043e1230b491042c4a30039ae44055b99134597aaf5f659822dc321489992d
Threat Level: Known bad
The file b1a344376e55c7c93928dd79e69f9aa3.exe was found to be: Known bad.
Malicious Activity Summary
Aurora
Detect rhadamanthys stealer shellcode
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-21 14:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-21 14:26
Reported
2023-01-21 14:28
Platform
win7-20221111-en
Max time kernel
27s
Max time network
30s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1a344376e55c7c93928dd79e69f9aa3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1a344376e55c7c93928dd79e69f9aa3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1a344376e55c7c93928dd79e69f9aa3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1a344376e55c7c93928dd79e69f9aa3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1a344376e55c7c93928dd79e69f9aa3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b1a344376e55c7c93928dd79e69f9aa3.exe
"C:\Users\Admin\AppData\Local\Temp\b1a344376e55c7c93928dd79e69f9aa3.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | sajqp6xlt4oak8xaoghtzrj1iidv.xgymuq24utoehew1 | udp |
Files
memory/1516-54-0x0000000075C81000-0x0000000075C83000-memory.dmp
memory/1516-55-0x0000000002770000-0x0000000002C6F000-memory.dmp
memory/1516-56-0x000000000C6F0000-0x000000000EC1A000-memory.dmp
memory/1516-57-0x000000000C6F0000-0x000000000EC1A000-memory.dmp
memory/1516-58-0x0000000002770000-0x0000000002C6F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-21 14:26
Reported
2023-01-21 14:28
Platform
win10v2004-20220901-en
Max time kernel
91s
Max time network
154s
Command Line
Signatures
Aurora
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1336 created 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\b1a344376e55c7c93928dd79e69f9aa3.exe | C:\Windows\system32\taskhostw.exe |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1a344376e55c7c93928dd79e69f9aa3.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1336 set thread context of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\b1a344376e55c7c93928dd79e69f9aa3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Users\Admin\AppData\Local\Temp\b1a344376e55c7c93928dd79e69f9aa3.exe
"C:\Users\Admin\AppData\Local\Temp\b1a344376e55c7c93928dd79e69f9aa3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | sajqp6xlt4oak8xaoghtzrj1iidv.xgymuq24utoehew1 | udp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | flyzone.duckdns.org | udp |
| N/A | 46.105.147.137:8081 | flyzone.duckdns.org | tcp |
| N/A | 51.132.193.104:443 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
Files
memory/1336-135-0x0000000002F80000-0x000000000347F000-memory.dmp
memory/1336-136-0x000000000E750000-0x0000000010C7A000-memory.dmp
memory/1336-137-0x000000000E750000-0x0000000010C7A000-memory.dmp
memory/1960-138-0x0000000000000000-mapping.dmp
memory/1960-139-0x0000000000400000-0x000000000089C000-memory.dmp
memory/1960-141-0x0000000000400000-0x000000000089C000-memory.dmp
memory/1960-143-0x0000000000400000-0x000000000089C000-memory.dmp
memory/1960-144-0x0000000000400000-0x000000000089C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\240576375.dll
| Hash | Value |
|---|---|
| MD5 | acf51213c2e0b564c28cf0db859c9e38 |
| SHA1 | 0ec6d956dd0299a8d26bd4671af11c9c3fbe2ca0 |
| SHA256 | 643044a62d07c6725a73bce3ee702ad0c15f0fe332165821c5e7f73937f898b7 |
| SHA512 | 15f30f50afdc2838ebdc4f38199f9857c1b9bc43350588abed404dcaef039698a2533dd5c074d2bfc88448a578c2202c033073592a9c551f7a7e4d263e293eed |
memory/1336-146-0x0000000002F80000-0x000000000347F000-memory.dmp
memory/4276-147-0x0000000000450000-0x0000000000485000-memory.dmp
memory/4276-148-0x0000000000000000-mapping.dmp
memory/740-149-0x0000000000000000-mapping.dmp
memory/1336-150-0x000000000E750000-0x0000000010C7A000-memory.dmp
memory/4276-151-0x0000000000450000-0x0000000000485000-memory.dmp
memory/4544-152-0x0000000000000000-mapping.dmp
memory/3992-153-0x0000000000000000-mapping.dmp
memory/4276-154-0x0000000000785000-0x0000000000787000-memory.dmp
memory/3872-155-0x0000000000000000-mapping.dmp
memory/4916-156-0x0000000000000000-mapping.dmp
memory/4276-157-0x0000000000785000-0x0000000000787000-memory.dmp
memory/4276-158-0x0000000000750000-0x000000000076D000-memory.dmp
memory/4276-159-0x0000000002610000-0x0000000003610000-memory.dmp
memory/4276-160-0x0000000000450000-0x0000000000485000-memory.dmp
memory/4276-161-0x0000000000750000-0x000000000076D000-memory.dmp
memory/1336-162-0x0000000002F80000-0x000000000347F000-memory.dmp
memory/1960-163-0x0000000000400000-0x000000000089C000-memory.dmp