Analysis
Max time kernel: 142s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10/02/2024, 12:03
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20231215-en
  4 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: tmp.exe
  Resource: win10v2004-20231215-en
  5 signatures, 150 seconds
General
Target: tmp.exe
Size: 474KB
MD5: f3912a40a9803c00483e262601290abb
SHA1: d75486f5e418802aecbe8199c64d67c45ffa001f
SHA256: 33b58cc2d64611459673bee5b1a4ae49db540c61b2e4f4872bbfd68e175954f1
SHA512: 519a2bed606b36a75fbb8bd64df24d892f3461471d21870b2ba9ec1fe0e7774d9ebf6d7fa77bd1e0b10842bae1c2c439dd8e7618454444afd7fe6c4646b86d78
SSDEEP: 12288:q1jaxEe3eYeEP7+GhvbrnPA+B3E5f7Mn:m/eZeEPyGhPPFuyn
Score
10/10
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 1108 created 2532 | 1108 | tmp.exe | 37
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  4696 | 1108 | WerFault.exe | 83
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  1108 | tmp.exe
  1108 | tmp.exe
  3780 | dialer.exe
  3780 | dialer.exe
  3780 | dialer.exe
  3780 | dialer.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 1108 wrote to memory of 3780 | 1108 | tmp.exe | 84
  PID 1108 wrote to memory of 3780 | 1108 | tmp.exe | 84
  PID 1108 wrote to memory of 3780 | 1108 | tmp.exe | 84
  PID 1108 wrote to memory of 3780 | 1108 | tmp.exe | 84
  PID 1108 wrote to memory of 3780 | 1108 | tmp.exe | 84
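The two "Suspicious use" signatures above describe one well-known sequence: tmp.exe (PID 1108) creates dialer.exe (PID 3780) while naming sihost.exe (PID 2532) as its parent (parent-PID spoofing via the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute that NtCreateUserProcess accepts), then writes into the new process. A process tree drawn from the recorded parent therefore shows dialer.exe under sihost.exe, not under tmp.exe. The following detection logic is an added example and is not the sandbox's or the malware's code; the events are constructed from the report's PIDs, and the field names (`creator_pid`, the PID that issued the create call, versus `parent_pid`, the parent recorded on the new process object) are assumptions about the telemetry schema.

```python
"""Parent-PID spoofing and follow-on injection check over process telemetry.

Added example for this report; not code from the sandbox or the sample.
Events are constructed to mirror the report's signature rows; the field
names are assumptions about the telemetry source (e.g. the header process
ID of an ETW process-start event versus its ParentProcessID field).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    image: str
    parent_pid: int   # parent recorded on the process object (the spoofable value)
    creator_pid: int  # process that actually issued the create call


@dataclass(frozen=True)
class MemoryWrite:
    source_pid: int
    target_pid: int


# Constructed telemetry mirroring the report: tmp.exe (1108) creates dialer.exe
# (3780) with sihost.exe (2532) as the claimed parent and writes into it five
# times; WerFault.exe (4696) is listed as an ordinary child of 1108.
CREATES = [
    ProcessCreate(3780, "dialer.exe", parent_pid=2532, creator_pid=1108),
    ProcessCreate(4696, "WerFault.exe", parent_pid=1108, creator_pid=1108),
]
WRITES = [MemoryWrite(1108, 3780)] * 5


def ppid_spoofing(creates):
    """(creator, child, claimed parent) for every create whose recorded parent
    differs from the process that made the call."""
    return [(c.creator_pid, c.pid, c.parent_pid)
            for c in creates if c.creator_pid != c.parent_pid]


def injection_into_spoofed_children(creates, writes):
    """Cross-process writes where the writer is the real creator of a child
    whose parent it spoofed: the NtCreateUserProcess + WriteProcessMemory
    pairing the report's signatures show."""
    spoofed = {(c.creator_pid, c.pid) for c in creates if c.creator_pid != c.parent_pid}
    hits = {(w.source_pid, w.target_pid) for w in writes
            if (w.source_pid, w.target_pid) in spoofed}
    return sorted(hits)


def tree(creates, by_creator=False):
    """Map parent PID -> sorted child PIDs, keyed either by the recorded parent
    (what a process-tree view like the report's shows) or by the actual creator."""
    children = defaultdict(list)
    for c in creates:
        children[c.creator_pid if by_creator else c.parent_pid].append(c.pid)
    return {parent: sorted(kids) for parent, kids in children.items()}


if __name__ == "__main__":
    print("PPID spoofing:", ppid_spoofing(CREATES))
    print("Injection into spoofed child:", injection_into_spoofed_children(CREATES, WRITES))
    print("Tree by recorded parent:", tree(CREATES))
    print("Tree by actual creator:", tree(CREATES, by_creator=True))
```

Keyed by recorded parent, the tree places 3780 under 2532 and 4696 under 1108, which is the shape of the process tree further down the report; keyed by creator, both children sit under 1108. A detection that only inspects the recorded parent will attribute dialer.exe to sihost.exe, so the creator PID (or the WriteProcessMemory events from 1108) is what ties the injected process back to the sample.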
Processes
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2532
  - C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    PID: 3780
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  PID: 1108
  Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 468
    PID: 4696
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1108 -ip 1108
  PID: 1120