Analysis Overview
SHA256
112f7af149d6833b954c301582d2b3178833724a12e86b0162a69000192cbff2
Threat Level: Known bad
The file tmp was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
SystemBC
Detect rhadamanthys stealer shellcode
Executes dropped EXE
Deletes itself
Loads dropped DLL
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-08-11 05:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-11 05:17
Reported
2023-08-11 05:20
Platform
win7-20230712-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2168 created 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Windows\Explorer.EXE |
SystemBC
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2596 set thread context of 2836 | N/A | C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe
"C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 108
Network
| Country | Destination | Domain | Proto |
| RU | 193.109.85.76:6623 | | tcp |
| RU | 193.109.85.76:6623 | | tcp |
| RU | 193.109.85.76:6623 | | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe
| MD5 | 648e1bf1672068d725a9b8434627947e |
| SHA1 | c21e0bd251e33d4464fdd376ae46fe4f01c533cf |
| SHA256 | 4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2 |
| SHA512 | c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-11 05:17
Reported
2023-08-11 05:20
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3556 created 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Windows\Explorer.EXE |
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\YFd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4772 set thread context of 1572 | N/A | C:\Users\Admin\AppData\Local\Microsoft\YFd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Microsoft\YFd.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3556 -ip 3556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 948
C:\Users\Admin\AppData\Local\Microsoft\YFd.exe
"C:\Users\Admin\AppData\Local\Microsoft\YFd.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4772 -ip 4772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 308
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| RU | 193.109.85.76:6623 | | tcp |
| US | 8.8.8.8:53 | 76.85.109.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 193.109.85.76:6623 | | tcp |
| RU | 193.109.85.76:6623 | | tcp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\YFd.exe
| MD5 | 648e1bf1672068d725a9b8434627947e |
| SHA1 | c21e0bd251e33d4464fdd376ae46fe4f01c533cf |
| SHA256 | 4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2 |
| SHA512 | c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725 |