Analysis

  • max time kernel
    30s
  • max time network
    43s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/02/2024, 17:27

General

  • Target

    github-setup.exe

  • Size

    58.1MB

  • MD5

    37138f5563de22dc827639ca73063932

  • SHA1

    ba6f56d95bd61cbfddbcb8c0e02d9c415fa6954d

  • SHA256

    bc0266d295b2cd211f0c16aa608caf0db401916f284a99cc578f5ad394b117d0

  • SHA512

    a574ceaeb9c3d63c2b5c63d6451df4ba003cf090b8e9b4893b5d8d87c40123e519c4bf212bf3993e7930d846574d84df9fc94916beec826c9b7eaccc295c8ecd

  • SSDEEP

    393216:e1+zCer/QHn+T97auZqB1Jno6L/edodWDJNVI+v:e1+zCekHn+T97auZqlo6Kdb1NVI+

Score
10/10

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2704
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
          PID:4460
      • C:\Users\Admin\AppData\Local\Temp\github-setup.exe
        "C:\Users\Admin\AppData\Local\Temp\github-setup.exe"
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:636
        • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
          C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 436
            3⤵
            • Program crash
            PID:4548
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 460
            3⤵
            • Program crash
            PID:3532
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3780
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
            PID:2364
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.0.1342496028\443047022" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1688 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfdaf628-6e1b-42fb-8eb6-ba77d1e90e72} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 1844 2039d108158 gpu
              3⤵
                PID:2944
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.1.2024149280\1657581628" -parentBuildID 20221007134813 -prefsHandle 2252 -prefMapHandle 2248 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b74b11a8-b275-4e3c-bcf1-cb12eae7b157} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 2288 2039bce3b58 socket
                3⤵
                  PID:4056
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.2.2123370429\678295021" -childID 1 -isForBrowser -prefsHandle 3780 -prefMapHandle 3776 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {849c7fd9-e3b6-43a5-8368-2c984cd167c4} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 3792 2039ffbe258 tab
                  3⤵
                    PID:412
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.3.1191035124\1341348667" -childID 2 -isForBrowser -prefsHandle 3364 -prefMapHandle 4032 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a734297-27dc-4768-9d4b-5b924568d935} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 4024 2039f8e8958 tab
                    3⤵
                      PID:4832
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.4.2100368506\1107902488" -childID 3 -isForBrowser -prefsHandle 4372 -prefMapHandle 4308 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6aa8b3a2-55d5-42c2-8a11-8843b05ec1e7} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 4468 203a1d49b58 tab
                      3⤵
                        PID:556
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1636 -ip 1636
                    1⤵
                      PID:1308
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1636 -ip 1636
                      1⤵
                        PID:3384

                      Network

                            MITRE ATT&CK Matrix

                            Downloads

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\db\data.safe.bin

                              Filesize

                              2KB

                              MD5

                              cfdd7da662f752b9bc5f6dc0a88ea65c

                              SHA1

                              2c529c155c48c35dace029e771440426c16f6d5a

                              SHA256

                              19e67863b3f6affa15d7cc1b229d1c006b5edf0ab673c5a5b4e01412acd9a419

                              SHA512

                              9e0096f1c0ab065dc2546455cdb8a3c3e287e38f23df1ed20ca971b47c2a7bc516e7b6add85f6e2389e46a57b88d5c63d822f88302c958fa066a13db73c99e82

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\pending_pings\14dbc98a-a07e-4793-bb5d-ccdf2261d3f6

                              Filesize

                              746B

                              MD5

                              1aa91f27939c41d002d02dfcb5bf3b5c

                              SHA1

                              dda8fe1eeeee070abd90127ac17f2f6929bb9bfc

                              SHA256

                              ce2863b61aa0d0e7b711bbcea8ab8896fe193248a911f5cf6a0c286c0216c807

                              SHA512

                              9f3d635ac1f44b0ae0501955067f0850ca737a4dc4d5f84238f1f7d14c362a3d5c41a9ca8cd6ce56ab30de772c42c111ea6655c6da23e4a03a60326a33a3b0e5

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\pending_pings\9f7218aa-9ce9-49bd-b7ed-121e6718f9f8

                              Filesize

                              11KB

                              MD5

                              51f007a6d9b047e20cdd7f8b18f0f859

                              SHA1

                              e44bbff4edfb33d1b8ae6d779a813248dbc7fa2e

                              SHA256

                              5b754a7282a4e5d58725af6e9e22b41070ff8c196b1ae04b72edbfe01274b3bd

                              SHA512

                              a1cd72f44c6f875417820cc134f48246152764f218efb7ad9e440ac869824237e983bf9380c5f732eb1af4269fbd1688f412f23212ed56d771606578256b26ba

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\prefs.js

                              Filesize

                              6KB

                              MD5

                              48b1ffb9527870b40b57528fc4686c50

                              SHA1

                              ce135b557b1d11438249067bc357e2aec2e9c0dd

                              SHA256

                              18d4602babf1574513806174b655e12dc1971fe2dc815b2b3f166f07e46165be

                              SHA512

                              4a299c128f87e14183847040b1281fa25f633e1058d49e3b2c9eeb457b61b179d49abb1674de93a5242c0aa42f6bf6569f368d6f6de389efaea1b8f3716f6093

                            • memory/636-6-0x00007FF648EB0000-0x00007FF64C997000-memory.dmp

                              Filesize

                              58.9MB

                            • memory/636-2-0x00007FF648EB0000-0x00007FF64C997000-memory.dmp

                              Filesize

                              58.9MB

                            • memory/1636-11-0x0000000003E90000-0x0000000004290000-memory.dmp

                              Filesize

                              4.0MB

                            • memory/1636-13-0x0000000003E90000-0x0000000004290000-memory.dmp

                              Filesize

                              4.0MB

                            • memory/1636-12-0x0000000003E90000-0x0000000004290000-memory.dmp

                              Filesize

                              4.0MB

                            • memory/1636-14-0x00007FFAF3990000-0x00007FFAF3B85000-memory.dmp

                              Filesize

                              2.0MB

                            • memory/1636-17-0x0000000003E90000-0x0000000004290000-memory.dmp

                              Filesize

                              4.0MB

                            • memory/1636-16-0x00000000765B0000-0x00000000767C5000-memory.dmp

                              Filesize

                              2.1MB

                            • memory/1636-31-0x0000000003E90000-0x0000000004290000-memory.dmp

                              Filesize

                              4.0MB

                            • memory/1636-9-0x0000000000E10000-0x0000000000E98000-memory.dmp

                              Filesize

                              544KB

                            • memory/1636-8-0x0000000000E10000-0x0000000000E98000-memory.dmp

                              Filesize

                              544KB

                            • memory/1636-5-0x0000000000E10000-0x0000000000E98000-memory.dmp

                              Filesize

                              544KB

                            • memory/4460-18-0x0000000000910000-0x0000000000919000-memory.dmp

                              Filesize

                              36KB

                            • memory/4460-25-0x00000000765B0000-0x00000000767C5000-memory.dmp

                              Filesize

                              2.1MB

                            • memory/4460-30-0x0000000002720000-0x0000000002B20000-memory.dmp

                              Filesize

                              4.0MB

                            • memory/4460-23-0x0000000002720000-0x0000000002B20000-memory.dmp

                              Filesize

                              4.0MB

                            • memory/4460-22-0x00007FFAF3990000-0x00007FFAF3B85000-memory.dmp

                              Filesize

                              2.0MB

                            • memory/4460-21-0x0000000002720000-0x0000000002B20000-memory.dmp

                              Filesize

                              4.0MB

                            • memory/4460-20-0x0000000002720000-0x0000000002B20000-memory.dmp

                              Filesize

                              4.0MB