Analysis Overview
SHA256
74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983
Threat Level: Known bad
The file 74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
SystemBC
Detect rhadamanthys stealer shellcode
Rhadamanthys
Deletes itself
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-08-13 09:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-13 09:55
Reported
2023-08-13 09:58
Platform
win7-20230712-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2584 created 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe | C:\Windows\Explorer.EXE |
SystemBC
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\%V98xcQu.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1512 set thread context of 2808 | N/A | C:\Users\Admin\AppData\Local\Microsoft\%V98xcQu.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Microsoft\%V98xcQu.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe"
C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
C:\Users\Admin\AppData\Local\Microsoft\%V98xcQu.exe
"C:\Users\Admin\AppData\Local\Microsoft\%V98xcQu.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 108
Network
| Country | Destination | Domain | Proto |
| NL | 185.225.73.49:4851 | | tcp |
| NL | 185.225.73.49:4851 | | tcp |
| NL | 185.225.73.49:4851 | | tcp |
Files
memory/2584-55-0x0000000000290000-0x0000000000390000-memory.dmp
memory/2584-56-0x0000000000400000-0x0000000002322000-memory.dmp
memory/2584-57-0x0000000003AA0000-0x0000000003B10000-memory.dmp
memory/2584-58-0x00000000001C0000-0x00000000001C7000-memory.dmp
memory/2584-59-0x0000000003D40000-0x0000000004140000-memory.dmp
memory/2584-61-0x0000000003D40000-0x0000000004140000-memory.dmp
memory/2584-60-0x0000000003D40000-0x0000000004140000-memory.dmp
memory/2584-62-0x0000000003D40000-0x0000000004140000-memory.dmp
memory/528-63-0x0000000000060000-0x0000000000063000-memory.dmp
memory/2584-64-0x0000000000290000-0x0000000000390000-memory.dmp
memory/2584-65-0x0000000004810000-0x0000000004846000-memory.dmp
memory/2584-71-0x0000000000400000-0x0000000002322000-memory.dmp
memory/2584-73-0x0000000004810000-0x0000000004846000-memory.dmp
memory/2584-75-0x0000000003D40000-0x0000000004140000-memory.dmp
memory/2584-76-0x0000000000400000-0x0000000002322000-memory.dmp
memory/528-77-0x0000000000060000-0x0000000000063000-memory.dmp
memory/528-78-0x00000000000B0000-0x00000000000B7000-memory.dmp
memory/528-81-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/528-80-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/528-79-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/528-82-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/528-84-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/528-86-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/528-87-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/528-88-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/528-89-0x0000000076F90000-0x0000000077139000-memory.dmp
memory/528-90-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/528-91-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/528-92-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/528-93-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/528-95-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\%V98xcQu.exe
| MD5 | 648e1bf1672068d725a9b8434627947e |
| SHA1 | c21e0bd251e33d4464fdd376ae46fe4f01c533cf |
| SHA256 | 4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2 |
| SHA512 | c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725 |
memory/1512-97-0x0000000001010000-0x0000000001153000-memory.dmp
memory/528-98-0x0000000076F90000-0x0000000077139000-memory.dmp
memory/1512-99-0x0000000001010000-0x0000000001153000-memory.dmp
memory/2808-101-0x0000000000090000-0x0000000000097000-memory.dmp
memory/2808-100-0x0000000000090000-0x0000000000097000-memory.dmp
memory/2808-106-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2808-108-0x0000000000090000-0x0000000000097000-memory.dmp
memory/2808-109-0x0000000000090000-0x0000000000097000-memory.dmp
\Users\Admin\AppData\Local\Microsoft\%V98xcQu.exe
| MD5 | 648e1bf1672068d725a9b8434627947e |
| SHA1 | c21e0bd251e33d4464fdd376ae46fe4f01c533cf |
| SHA256 | 4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2 |
| SHA512 | c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725 |
\Users\Admin\AppData\Local\Microsoft\%V98xcQu.exe
| MD5 | 648e1bf1672068d725a9b8434627947e |
| SHA1 | c21e0bd251e33d4464fdd376ae46fe4f01c533cf |
| SHA256 | 4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2 |
| SHA512 | c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725 |
\Users\Admin\AppData\Local\Microsoft\%V98xcQu.exe
| MD5 | 648e1bf1672068d725a9b8434627947e |
| SHA1 | c21e0bd251e33d4464fdd376ae46fe4f01c533cf |
| SHA256 | 4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2 |
| SHA512 | c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725 |
memory/528-113-0x00000000000B0000-0x00000000000B2000-memory.dmp
memory/528-114-0x0000000076F90000-0x0000000077139000-memory.dmp
memory/1512-115-0x0000000001010000-0x0000000001153000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-13 09:55
Reported
2023-08-13 09:58
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2720 created 684 | N/A | C:\Users\Admin\AppData\Local\Temp\74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe | C:\Windows\Explorer.EXE |
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\8L[N6{J.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4656 set thread context of 3792 | N/A | C:\Users\Admin\AppData\Local\Microsoft\8L[N6{J.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe"
C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2720 -ip 2720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 788
C:\Users\Admin\AppData\Local\Microsoft\8L[N6{J.exe
"C:\Users\Admin\AppData\Local\Microsoft\8L[N6{J.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4656 -ip 4656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 296
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.138.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| NL | 185.225.73.49:4851 | | tcp |
| US | 8.8.8.8:53 | 49.73.225.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| NL | 185.225.73.49:4851 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| NL | 185.225.73.49:4851 | | tcp |
| NL | 185.225.73.49:4851 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
memory/2720-134-0x0000000002530000-0x0000000002630000-memory.dmp
memory/2720-135-0x00000000024B0000-0x0000000002520000-memory.dmp
memory/2720-136-0x0000000000400000-0x0000000002322000-memory.dmp
memory/2720-137-0x0000000003FD0000-0x0000000003FD7000-memory.dmp
memory/2720-138-0x0000000004190000-0x0000000004590000-memory.dmp
memory/2720-139-0x0000000004190000-0x0000000004590000-memory.dmp
memory/2720-140-0x0000000004190000-0x0000000004590000-memory.dmp
memory/2720-141-0x0000000004190000-0x0000000004590000-memory.dmp
memory/2720-142-0x0000000002530000-0x0000000002630000-memory.dmp
memory/652-143-0x000001E5201D0000-0x000001E5201D3000-memory.dmp
memory/2720-144-0x00000000024B0000-0x0000000002520000-memory.dmp
memory/2720-145-0x0000000004F10000-0x0000000004F46000-memory.dmp
memory/2720-151-0x0000000000400000-0x0000000002322000-memory.dmp
memory/2720-152-0x0000000004F10000-0x0000000004F46000-memory.dmp
memory/2720-153-0x0000000004190000-0x0000000004590000-memory.dmp
memory/2720-155-0x0000000000400000-0x0000000002322000-memory.dmp
memory/2720-156-0x0000000004190000-0x0000000004590000-memory.dmp
memory/652-157-0x000001E5201D0000-0x000001E5201D3000-memory.dmp
memory/652-158-0x000001E520590000-0x000001E520597000-memory.dmp
memory/652-159-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp
memory/652-160-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp
memory/652-161-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp
memory/652-162-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp
memory/652-163-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp
memory/652-165-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp
memory/652-167-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp
memory/652-168-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp
memory/652-169-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp
memory/652-170-0x00007FFB8D670000-0x00007FFB8D865000-memory.dmp
memory/652-171-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp
memory/652-172-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp
memory/652-173-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp
memory/652-174-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp
memory/652-175-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp
memory/652-177-0x00007FFB8D670000-0x00007FFB8D865000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\8L[N6{J.exe
| MD5 | 648e1bf1672068d725a9b8434627947e |
| SHA1 | c21e0bd251e33d4464fdd376ae46fe4f01c533cf |
| SHA256 | 4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2 |
| SHA512 | c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725 |
C:\Users\Admin\AppData\Local\Microsoft\8L[N6{J.exe
| MD5 | 648e1bf1672068d725a9b8434627947e |
| SHA1 | c21e0bd251e33d4464fdd376ae46fe4f01c533cf |
| SHA256 | 4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2 |
| SHA512 | c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725 |
memory/4656-180-0x0000000000790000-0x00000000008D3000-memory.dmp
memory/4656-181-0x0000000000790000-0x00000000008D3000-memory.dmp
memory/3792-182-0x0000000000400000-0x0000000000407000-memory.dmp
memory/3792-188-0x0000000000400000-0x0000000000407000-memory.dmp
memory/3792-189-0x0000000000400000-0x0000000000407000-memory.dmp
memory/4656-190-0x0000000000790000-0x00000000008D3000-memory.dmp
memory/652-191-0x000001E520590000-0x000001E520595000-memory.dmp
memory/652-192-0x00007FFB8D670000-0x00007FFB8D865000-memory.dmp