Analysis Overview
SHA256
bc0266d295b2cd211f0c16aa608caf0db401916f284a99cc578f5ad394b117d0
Threat Level: Known bad
The file github-setup.exe was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-10 17:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-10 17:27
Reported
2024-02-10 17:28
Platform
win10v2004-20231215-en
Max time kernel
30s
Max time network
43s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1636 created 2704 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 636 set thread context of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\github-setup.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\github-setup.exe | "C:\Users\Admin\AppData\Local\Temp\github-setup.exe" |
| C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1636 -ip 1636 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 436 |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.0.1342496028\443047022" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1688 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfdaf628-6e1b-42fb-8eb6-ba77d1e90e72} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 1844 2039d108158 gpu |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1636 -ip 1636 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 460 |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.1.2024149280\1657581628" -parentBuildID 20221007134813 -prefsHandle 2252 -prefMapHandle 2248 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b74b11a8-b275-4e3c-bcf1-cb12eae7b157} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 2288 2039bce3b58 socket |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.2.2123370429\678295021" -childID 1 -isForBrowser -prefsHandle 3780 -prefMapHandle 3776 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {849c7fd9-e3b6-43a5-8368-2c984cd167c4} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 3792 2039ffbe258 tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.3.1191035124\1341348667" -childID 2 -isForBrowser -prefsHandle 3364 -prefMapHandle 4032 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a734297-27dc-4768-9d4b-5b924568d935} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 4024 2039f8e8958 tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.4.2100368506\1107902488" -childID 3 -isForBrowser -prefsHandle 4372 -prefMapHandle 4308 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6aa8b3a2-55d5-42c2-8a11-8843b05ec1e7} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 4468 203a1d49b58 tab |
Network
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\db\data.safe.bin
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\pending_pings\14dbc98a-a07e-4793-bb5d-ccdf2261d3f6
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\pending_pings\9f7218aa-9ce9-49bd-b7ed-121e6718f9f8
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\prefs.js