Analysis
- max time kernel: 30s
- max time network: 43s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/02/2024, 17:27

Static task: static1
Behavioral task: behavioral1
- Sample: github-setup.exe
- Resource: win10v2004-20231215-en
General
- Target: github-setup.exe
- Size: 58.1MB
- MD5: 37138f5563de22dc827639ca73063932
- SHA1: ba6f56d95bd61cbfddbcb8c0e02d9c415fa6954d
- SHA256: bc0266d295b2cd211f0c16aa608caf0db401916f284a99cc578f5ad394b117d0
- SHA512: a574ceaeb9c3d63c2b5c63d6451df4ba003cf090b8e9b4893b5d8d87c40123e519c4bf212bf3993e7930d846574d84df9fc94916beec826c9b7eaccc295c8ecd
- SSDEEP: 393216:e1+zCer/QHn+T97auZqB1Jno6L/edodWDJNVI+v:e1+zCekHn+T97auZqlo6Kdb1NVI+
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 1636 created 2704 | 1636 | BitLockerToGo.exe | 62
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 636 set thread context of 1636 | 636 | github-setup.exe | 97
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  4548 | 1636 | WerFault.exe | 97
  3532 | 1636 | WerFault.exe | 97
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1636 | BitLockerToGo.exe (×2)
- Suspicious use of WriteProcessMemory (21 IoCs; identical consecutive rows collapsed with a count, in the order logged)
  description | pid | Process | procid_target
  PID 636 wrote to memory of 1636 | 636 | github-setup.exe | 97 (×5)
  PID 1636 wrote to memory of 4460 | 1636 | BitLockerToGo.exe | 100 (×4)
  PID 3780 wrote to memory of 2364 | 3780 | firefox.exe | 101 (×11)
  PID 1636 wrote to memory of 4460 | 1636 | BitLockerToGo.exe | 100 (×1)
Processes
(indentation = depth in the tree; each entry is: image path | command line | PID)

C:\Windows\system32\sihost.exe | sihost.exe | PID:2704
  C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" | PID:4460

C:\Users\Admin\AppData\Local\Temp\github-setup.exe | "C:\Users\Admin\AppData\Local\Temp\github-setup.exe" | PID:636
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | PID:1636
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 436 | PID:4548
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 460 | PID:3532
      - Program crash

C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" | PID:3780
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" | PID:2364
    C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.0.1342496028\443047022" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1688 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfdaf628-6e1b-42fb-8eb6-ba77d1e90e72} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 1844 2039d108158 gpu | PID:2944
    C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.1.2024149280\1657581628" -parentBuildID 20221007134813 -prefsHandle 2252 -prefMapHandle 2248 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b74b11a8-b275-4e3c-bcf1-cb12eae7b157} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 2288 2039bce3b58 socket | PID:4056
    C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.2.2123370429\678295021" -childID 1 -isForBrowser -prefsHandle 3780 -prefMapHandle 3776 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {849c7fd9-e3b6-43a5-8368-2c984cd167c4} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 3792 2039ffbe258 tab | PID:412
    C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.3.1191035124\1341348667" -childID 2 -isForBrowser -prefsHandle 3364 -prefMapHandle 4032 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a734297-27dc-4768-9d4b-5b924568d935} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 4024 2039f8e8958 tab | PID:4832
    C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.4.2100368506\1107902488" -childID 3 -isForBrowser -prefsHandle 4372 -prefMapHandle 4308 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6aa8b3a2-55d5-42c2-8a11-8843b05ec1e7} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 4468 203a1d49b58 tab | PID:556

C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1636 -ip 1636 | PID:1308

C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1636 -ip 1636 | PID:3384
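The signature tables and the process tree above are more useful read together than apart: the same source PID both writing into and setting the thread context of one target is the process-hollowing pattern, and a target whose displayed parent differs from the process that wrote into it is what a spoofed parent (NtCreateUserProcess with a foreign parent handle) looks like in a tree. The script below is an added example by the editor, not the sandbox's own scoring logic. Its event lines and tree are transcribed from this report; the two rules it applies are the editor's assumptions about what the signatures imply.

```python
"""Correlate the report's IoC events with its displayed process tree.

Editor's added example, not the sandbox's own logic. EVENTS and TREE are
transcribed from the report above; the two rules (write + SetThreadContext
on one target = hollowing candidate, writer != displayed parent = parent
mismatch) are the editor's assumptions.
"""
import re
from collections import defaultdict

# Constructed input: one line per distinct event in the report's
# SetThreadContext and WriteProcessMemory tables (repeats dropped).
EVENTS = """
PID 636 set thread context of 1636 636 github-setup.exe 97
PID 636 wrote to memory of 1636 636 github-setup.exe 97
PID 1636 wrote to memory of 4460 1636 BitLockerToGo.exe 100
PID 3780 wrote to memory of 2364 3780 firefox.exe 101
""".strip().splitlines()

# Transcribed from the report's process tree: pid -> (image, displayed parent pid).
TREE = {
    2704: ("sihost.exe", None),
    4460: ("dialer.exe", 2704),
    636:  ("github-setup.exe", None),
    1636: ("BitLockerToGo.exe", 636),
    4548: ("WerFault.exe", 1636),
    3532: ("WerFault.exe", 1636),
    3780: ("firefox.exe", None),
    2364: ("firefox.exe", 3780),
    2944: ("firefox.exe", 2364),
    4056: ("firefox.exe", 2364),
    412:  ("firefox.exe", 2364),
    4832: ("firefox.exe", 2364),
    556:  ("firefox.exe", 2364),
    1308: ("WerFault.exe", None),
    3384: ("WerFault.exe", None),
}

# Row layout in the report: "PID <src> <verb> <dst> <pid> <image> <procid_target>"
EVENT_RE = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) \d+$"
)


def parse_events(lines):
    """Return (source pid, verb, target pid, source image) tuples; skip malformed rows."""
    out = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            src, verb, dst, image = m.groups()
            out.append((int(src), verb, int(dst), image))
    return out


def find_hollowing(events):
    """Sources that both wrote memory into and set the thread context of the
    same target. The pairing is the signal: either call alone is routine for
    debuggers, crash handlers and some installers."""
    wrote, ctx = defaultdict(set), defaultdict(set)
    for src, verb, dst, _ in events:
        (ctx if verb.startswith("set") else wrote)[src].add(dst)
    return sorted((s, d) for s in ctx for d in ctx[s] & wrote[s])


def find_parent_mismatch(events, tree):
    """Targets written to by a process other than their displayed parent.
    A spoofed parent looks exactly like this: the tree shows the claimed
    parent while the memory writes come from the real creator. Firefox's
    parent-to-child writes do not trip it because the parent matches."""
    hits = set()
    for src, verb, dst, _ in events:
        if verb.startswith("wrote") and dst in tree:
            image, parent = tree[dst]
            if parent is not None and parent != src:
                hits.add((dst, image, parent, src))
    return sorted(hits)


def image_of(pid, tree):
    return tree[pid][0] if pid in tree else f"pid {pid}"


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    for src, dst in find_hollowing(ev):
        print(f"hollowing candidate: {image_of(src, TREE)} ({src}) -> "
              f"{image_of(dst, TREE)} ({dst})")
    for dst, image, parent, src in find_parent_mismatch(ev, TREE):
        print(f"parent mismatch: {image} ({dst}) shown under "
              f"{image_of(parent, TREE)} ({parent}) but written to by "
              f"{image_of(src, TREE)} ({src})")
```

On this report the first rule pairs github-setup.exe (636) with BitLockerToGo.exe (1636), and the second flags dialer.exe (4460), which sits under sihost.exe (2704) in the tree but was written to by BitLockerToGo.exe, consistent with the NtCreateUserProcessOtherParentProcess hit on 1636. The firefox.exe rows produce nothing, which is the point of keying on the parent mismatch rather than on WriteProcessMemory alone.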
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: cfdd7da662f752b9bc5f6dc0a88ea65c
  SHA1: 2c529c155c48c35dace029e771440426c16f6d5a
  SHA256: 19e67863b3f6affa15d7cc1b229d1c006b5edf0ab673c5a5b4e01412acd9a419
  SHA512: 9e0096f1c0ab065dc2546455cdb8a3c3e287e38f23df1ed20ca971b47c2a7bc516e7b6add85f6e2389e46a57b88d5c63d822f88302c958fa066a13db73c99e82
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\pending_pings\14dbc98a-a07e-4793-bb5d-ccdf2261d3f6
  Filesize: 746B
  MD5: 1aa91f27939c41d002d02dfcb5bf3b5c
  SHA1: dda8fe1eeeee070abd90127ac17f2f6929bb9bfc
  SHA256: ce2863b61aa0d0e7b711bbcea8ab8896fe193248a911f5cf6a0c286c0216c807
  SHA512: 9f3d635ac1f44b0ae0501955067f0850ca737a4dc4d5f84238f1f7d14c362a3d5c41a9ca8cd6ce56ab30de772c42c111ea6655c6da23e4a03a60326a33a3b0e5
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\pending_pings\9f7218aa-9ce9-49bd-b7ed-121e6718f9f8
  Filesize: 11KB
  MD5: 51f007a6d9b047e20cdd7f8b18f0f859
  SHA1: e44bbff4edfb33d1b8ae6d779a813248dbc7fa2e
  SHA256: 5b754a7282a4e5d58725af6e9e22b41070ff8c196b1ae04b72edbfe01274b3bd
  SHA512: a1cd72f44c6f875417820cc134f48246152764f218efb7ad9e440ac869824237e983bf9380c5f732eb1af4269fbd1688f412f23212ed56d771606578256b26ba
- (path not recorded)
  Filesize: 6KB
  MD5: 48b1ffb9527870b40b57528fc4686c50
  SHA1: ce135b557b1d11438249067bc357e2aec2e9c0dd
  SHA256: 18d4602babf1574513806174b655e12dc1971fe2dc815b2b3f166f07e46165be
  SHA512: 4a299c128f87e14183847040b1281fa25f633e1058d49e3b2c9eeb457b61b179d49abb1674de93a5242c0aa42f6bf6569f368d6f6de389efaea1b8f3716f6093