Analysis Overview
SHA256
4640e5b9817fd35d92b0d0687003576c75fd4e0df34bcfa0008c6ca3450a8f6d
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Detects LgoogLoader payload
LgoogLoader
Rhadamanthys
Detect rhadamanthys stealer shellcode
Loads dropped DLL
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-26 17:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-26 17:04
Reported
2023-01-26 17:06
Platform
win7-20221111-en
Max time kernel
31s
Max time network
33s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | vufunhhihjaoueenfclms8.o3yc9sxi0hsjteqcg93blo6bvyjgmo | udp |
Files
memory/1780-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp
memory/1780-55-0x000000000DAA0000-0x000000000DDCE000-memory.dmp
memory/1780-56-0x0000000000810000-0x000000000099C000-memory.dmp
memory/1780-57-0x000000000DAA0000-0x000000000DDCE000-memory.dmp
memory/1780-58-0x0000000000810000-0x000000000099C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-26 17:04
Reported
2023-01-26 17:06
Platform
win10v2004-20220812-en
Max time kernel
91s
Max time network
126s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects LgoogLoader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
LgoogLoader
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2372 created 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\system32\taskhostw.exe |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2372 set thread context of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2372 -ip 2372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2372 -ip 2372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 528
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | vufunhhihjaoueenfclms8.o3yc9sxi0hsjteqcg93blo6bvyjgmo | udp |
| N/A | 20.42.73.24:443 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp |
Files
memory/2372-132-0x00000000029B0000-0x0000000002B3C000-memory.dmp
memory/2372-133-0x000000000F320000-0x000000000F64E000-memory.dmp
memory/2372-134-0x000000000F320000-0x000000000F64E000-memory.dmp
memory/4864-136-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4864-135-0x0000000000000000-mapping.dmp
memory/4864-138-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4864-139-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4864-140-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4864-141-0x00000000005F0000-0x00000000005F9000-memory.dmp
memory/4864-142-0x0000000000610000-0x000000000061D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\240579250.dll
| MD5 | 7f179879ed169f8d23cc45eb8b614223 |
| SHA1 | f9eca73b9ce26c80c5f2ea52c9927233550e0bba |
| SHA256 | 0bf6b31919f7896b2945415957fe61040e1f17bb9b0482c01ee3c12d598feb94 |
| SHA512 | 42a4ce55bc08d1621b732368c9a7be3f65deb0675894ca546189b86b954bef8e45824eabaad32c9e2c48ca1deeae1c6d294c7118d38ecc26f2dee22d11fdd458 |
memory/2252-144-0x0000000000500000-0x0000000000535000-memory.dmp
memory/2252-145-0x0000000000000000-mapping.dmp
memory/2252-146-0x0000000000500000-0x0000000000535000-memory.dmp
memory/2252-147-0x0000000000883000-0x0000000000886000-memory.dmp
memory/2252-148-0x00000000022A0000-0x00000000022BD000-memory.dmp
memory/2252-149-0x00000000028A0000-0x00000000038A0000-memory.dmp
memory/2372-150-0x00000000029B0000-0x0000000002B3C000-memory.dmp
memory/2372-151-0x000000000F320000-0x000000000F64E000-memory.dmp
memory/2252-152-0x0000000000500000-0x0000000000535000-memory.dmp
memory/2252-153-0x00000000022A0000-0x00000000022BD000-memory.dmp
memory/2372-154-0x00000000029B0000-0x0000000002B3C000-memory.dmp