Analysis Overview
SHA256
f55cf52fd39c12fbb2ead65587a71ae2f8a563930c89e4a41e64eae9e041a39e
Threat Level: Known bad
The file ProjectGitHubMain.zip was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-27 12:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-27 12:23
Reported
2024-03-27 12:26
Platform
win10-20240319-en
Max time kernel
70s
Max time network
91s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2260 created 2576 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | c:\windows\system32\sihost.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\driver1.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5052 set thread context of 2260 | N/A | C:\ProgramData\driver1.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
c:\windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\Microsoft\\\""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get uuid
C:\ProgramData\driver1.exe
C:\ProgramData\driver1.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 504
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| RU | 89.23.97.199:1445 | 89.23.97.199 | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.97.23.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| RU | 89.23.97.199:1444 | N/A | tcp |
Files
memory/4416-4-0x000001A7F2190000-0x000001A7F21B2000-memory.dmp
memory/4416-7-0x00007FFC0A020000-0x00007FFC0AA0C000-memory.dmp
memory/4416-11-0x000001A7F2010000-0x000001A7F2020000-memory.dmp
memory/4416-9-0x000001A7F2010000-0x000001A7F2020000-memory.dmp
memory/4416-12-0x000001A7F2340000-0x000001A7F23B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d3j3zbwh.u1o.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4416-25-0x000001A7F2010000-0x000001A7F2020000-memory.dmp
memory/4416-48-0x000001A7F2010000-0x000001A7F2020000-memory.dmp
memory/4416-52-0x00007FFC0A020000-0x00007FFC0AA0C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 7033adcdceef2520521477b094e52cc7 |
| SHA1 | 6dbdc3aba745a40a79f2eb659f2b427aaf5ff62e |
| SHA256 | bb10a63597ebc56a9c5e558c7b5bed8c1dde4856f7604ab987998d10eda3ac4e |
| SHA512 | af9249bd6a64e28d1b03ce962618ce2a7e5a55dc57d1dbc8efcf2e4142e74f40e58b144952981c3a86771a9fd207e73986130edf7b7dfde2495347e284e8287e |
memory/432-57-0x00007FFC0A020000-0x00007FFC0AA0C000-memory.dmp
memory/432-59-0x000001D7D4380000-0x000001D7D4390000-memory.dmp
memory/432-60-0x000001D7D4380000-0x000001D7D4390000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 236531aa12a6d4dcf54d1d234c2b3321 |
| SHA1 | d9a5aaddb8418b2e0e3e008b5963e785922cc3da |
| SHA256 | 7f2c00049ee1cb0b0cb7292e1e8f01c3bd22a340e6026e8d14f29db5841459f4 |
| SHA512 | 0364cbe65fe4363dfe7354470aef0798eee9c0f8649ef7716f371e667a721f101058b202401954ebcfe8636d3cf0bc22cfb5a4dd29bc690c9c3a19232eb175fb |
memory/432-78-0x000001D7D4380000-0x000001D7D4390000-memory.dmp
memory/432-101-0x000001D7D4380000-0x000001D7D4390000-memory.dmp
memory/432-104-0x00007FFC0A020000-0x00007FFC0AA0C000-memory.dmp
C:\ProgramData\driver1.exe
| MD5 | c9ba72dd40efccd9ea8b199984bfcea8 |
| SHA1 | 047bb1776528de85752efb7e5cd8505637db610f |
| SHA256 | 1ee785bcc72ba77941a98128ee17cd5fa85e86c8056fc0ec607392075b16f481 |
| SHA512 | 2bba3781fab039f210c637b54c77be771733c2adf5a6e8064a6ec803b9d798d5ed820c950cf70501411a4ef4009640e8eb9e9a3fa7dd3b97ba2b8a181c5cdec8 |
memory/2260-114-0x0000000000710000-0x000000000077D000-memory.dmp
memory/5052-115-0x00007FF7611A0000-0x00007FF7615EE000-memory.dmp
memory/2260-117-0x0000000000710000-0x000000000077D000-memory.dmp
memory/2260-118-0x0000000000710000-0x000000000077D000-memory.dmp
memory/2260-119-0x0000000003750000-0x0000000003B50000-memory.dmp
memory/2260-121-0x0000000003750000-0x0000000003B50000-memory.dmp
memory/2260-120-0x0000000003750000-0x0000000003B50000-memory.dmp
memory/2260-123-0x0000000003750000-0x0000000003B50000-memory.dmp
memory/2260-122-0x00007FFC26E60000-0x00007FFC2703B000-memory.dmp
memory/1460-126-0x0000000002350000-0x0000000002359000-memory.dmp
memory/1460-129-0x00000000041C0000-0x00000000045C0000-memory.dmp
memory/1460-130-0x00007FFC26E60000-0x00007FFC2703B000-memory.dmp
memory/1460-132-0x00000000041C0000-0x00000000045C0000-memory.dmp
memory/1460-134-0x0000000074190000-0x0000000074352000-memory.dmp
memory/1460-133-0x00007FFC26E60000-0x00007FFC2703B000-memory.dmp
memory/1460-128-0x00000000041C0000-0x00000000045C0000-memory.dmp
memory/2260-135-0x0000000003750000-0x0000000003B50000-memory.dmp
memory/1460-136-0x00000000041C0000-0x00000000045C0000-memory.dmp
memory/2260-125-0x0000000074190000-0x0000000074352000-memory.dmp