Analysis Overview
SHA256
9e495b41518154b5c5cb3fff866aa26c894adf164b2639f05ba23bb5e75be5ef
Threat Level: Known bad
The file ChromeSetup.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-28 03:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-28 03:20
Reported
2024-03-28 03:41
Platform
win10-20240319-en
Max time kernel
315s
Max time network
888s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3896 created 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | c:\windows\system32\sihost.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
c:\windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 16592
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 16592\Donations.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Src + Expressions + Safari + Treasury 16592\x
C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif
16592\Donations.pif 16592\x
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 832
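The batch stage in the process list above (the `move ... .bat` rename-and-run, the two `tasklist` / `findstr /I` checks for security products, the two `copy /b` reassembly commands, the `.pif` launched with `x` as its argument, and `ping -n 5 127.0.0.1` used as a delay) is a command-line chain that is far easier to catch than the final payload. The following is an added example written for this page, not tooling from the sandbox or from the malware author: it runs simple detection rules over the (image, command line) pairs copied from the process list above. The rule names and regular expressions are this example's own; the security-product image names are the ones the dropper's `findstr` filters name in this report; the `dialer.exe` rule is deliberately weak on its own and only means something together with the WriteProcessMemory signature and the second dumped PID.

```python
import re
from pathlib import PureWindowsPath

# Process tree as the behavioral1 run reports it: (image path, command line) pairs
# copied from the page, in the order they appear.
REPORTED_PROCESSES = [
    (r"c:\windows\system32\sihost.exe", "sihost.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit'),
    (r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    (r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (r"C:\Windows\SysWOW64\findstr.exe",
     'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 16592"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 16592\Donations.pif"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b Src + Expressions + Safari + Treasury 16592\x"),
    (r"C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif", r"16592\Donations.pif 16592\x"),
    (r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 127.0.0.1"),
    (r"C:\Windows\SysWOW64\dialer.exe", r'"C:\Windows\system32\dialer.exe"'),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 832"),
]

# Security-product image names the dropper's findstr filters look for in this report.
SECURITY_PRODUCT_IMAGES = {
    "wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe", "nswscsvc.exe", "sophoshealth.exe",
}

# Rule patterns (this example's own; case-insensitive because cmd.exe is).
RE_FINDSTR = re.compile(r'^findstr\s+/I\s+"([^"]+)"', re.IGNORECASE)
RE_COPY_B = re.compile(r"\bcopy\s+/b\s+(.+?)\s+(\S+)\s*$", re.IGNORECASE)
RE_MOVE_BAT = re.compile(r"\bmove\s+(\S+)\s+(\S+\.bat)\b.*\b\2\b", re.IGNORECASE)
RE_PING_LOCAL = re.compile(r"\bping\s+-n\s+(\d+)\s+127\.0\.0\.1\b", re.IGNORECASE)


def analyze(processes):
    """Return (rule, detail) findings for a list of (image, cmdline) pairs."""
    findings = []
    for image, cmdline in processes:
        name = PureWindowsPath(image).name.lower()
        m = RE_FINDSTR.match(cmdline)
        if m:
            hits = sorted({t.lower() for t in m.group(1).split()} & SECURITY_PRODUCT_IMAGES)
            if hits:
                findings.append(("security_software_discovery", " ".join(hits)))
        m = RE_COPY_B.search(cmdline)
        if m:
            parts = [p.strip() for p in m.group(1).split("+")]
            findings.append(("binary_concatenation", f"{len(parts)} parts -> {m.group(2)}"))
        m = RE_MOVE_BAT.search(cmdline)
        if m:
            findings.append(("rename_to_bat_and_run", f"{m.group(1)} -> {m.group(2)}"))
        m = RE_PING_LOCAL.search(cmdline)
        if m:
            findings.append(("ping_localhost_delay", f"{m.group(1)} echo requests"))
        if name.endswith(".pif") and "\\appdata\\local\\temp\\" in image.lower():
            findings.append(("pif_executed_from_temp", image))
        # Weak on its own: dialer.exe with no arguments is a common injection host. In this
        # report it pairs with the WriteProcessMemory signature and a second dumped PID.
        if name == "dialer.exe" and cmdline.strip().strip('"').lower().endswith("dialer.exe"):
            findings.append(("dialer_spawned_without_args", image))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(REPORTED_PROCESSES):
        print(f"{rule:30} {detail}")
```

The same `analyze` function runs unchanged over the behavioral2 and behavioral3 process lists, since only the numeric directory name (16592, 16582, 16562) differs between runs; that directory name is therefore a poor indicator, while the chunk names, the `copy /b` shape and the `findstr` target list are stable across all three detonations.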
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nmkrkibbwxQ.nmkrkibbwxQ | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Bathrooms
| MD5 | b51276964bb7d7ced0ca782c1505d9ca |
| SHA1 | 961d8f2ed348d6bfe38f109e97ab8b55db14591c |
| SHA256 | 55cc097b9fcc03fd4c728618889b48973ed7bcf36057edd819ef475f4aca9403 |
| SHA512 | fd485c564a64fdb53546c5ddee7dbd52fffea81405d81f49d3a7e1081f892f720120448ecb11190623e7e909683170ece6abaea090cdc857b62b17f1a9d2c547 |
C:\Users\Admin\AppData\Local\Temp\Compound
| MD5 | d63c5479fd18f86817d489744a338751 |
| SHA1 | 82385a52bb5485fab0a3d1e7f9a3661bf35d3098 |
| SHA256 | 3f7aa56dfd875ebf6e3aa86be897f65302f88e4022cf2dc984fdb4ac9cff0037 |
| SHA512 | da8a157239ef59e683b2ad06492136cfc52550af0947bb812fc7795f02ab0e09cf510b701a9e247b0ec197879028778a0af8daf01589d1a53090aa4f91bf0361 |
C:\Users\Admin\AppData\Local\Temp\Injection
| MD5 | ec92f2e791b5ca001d95fdd601cd73b3 |
| SHA1 | 4aec16ee635e9eea9732a45d79f9ab8393e966fa |
| SHA256 | ec34737bf586761c5b037e97e4fb4351cf6759e8ce40e5dbaabfe60a44be5179 |
| SHA512 | 6a5fde00eabb3e36e698b9dc9a5417ab58cbdb866d75a3b49885974b8a1995b64c094532324e9e4187d76990b02910845e63ca00d9bc2026ae77819a5708bd3b |
C:\Users\Admin\AppData\Local\Temp\Emotions
| MD5 | 569505062321992f4e2803461c40e724 |
| SHA1 | b62f7987f92b4397b02b6894e759096fdee1f7db |
| SHA256 | 748a3b063eff70ed5ba8a3a2590f409e5ec79d84d402abae5bb26b42e204e434 |
| SHA512 | 2d23a0322100f570f2298230338c68bd23b683cae2e9a0f27bd5098a6f1c15699d3ba77a319786df34a60739a79f863adb190b6c3aa5fbc06030ae1872cb71fd |
C:\Users\Admin\AppData\Local\Temp\Worm
| MD5 | aa48266704d06ef9043c5521d52fddd0 |
| SHA1 | 37754ad688f17e227ba8028efe9127d15c08b922 |
| SHA256 | 5970fe292d0ac770fcaf67e01e99e913426519285180ecb4638859d6969fc444 |
| SHA512 | 017ea9572c60918ef9cdb81d6c54fba387434874d4335e76a05f4da9eccc8705c38c1811e152c4bf533188bebb26edc4437743eccb750d522e844af70225f840 |
C:\Users\Admin\AppData\Local\Temp\Participants
| MD5 | 2e6d79912a858f8e13ce1384b18495d1 |
| SHA1 | a509ff203fcd463cc11ec1ebbe5cee251a2d3c04 |
| SHA256 | a6ac2704a4b63eaf27bc0a2d100a999176f494e7122efe8f633e51c0e2c42ace |
| SHA512 | 707d88b54f2df459d331305d36486a38a4ba0fa30834f2331c599f2d1ed4ba25e1c24eccf116454c24e98129c66ae13ce7d2621aa5dd03da92046c42eb3e6af5 |
C:\Users\Admin\AppData\Local\Temp\Src
| MD5 | bca8514ec872114f197260671806ec5d |
| SHA1 | b61846c56e14ed5e819050bd638a49505133889b |
| SHA256 | 862e4b3baeb552ed218606848f4014bdb2d51b7cd35dd6d36804973f2c7ec4f5 |
| SHA512 | 3a6300c19487013e1cce2a0a2ddcf392e872b14f31e5d35d7422848af4026dc7806dfd2c39a4028a86d3e781c075b069fa84cb280c1392bb5fdcedaec5c4109b |
C:\Users\Admin\AppData\Local\Temp\Expressions
| MD5 | 6ff11c454a1191120b1f963b120ae6b1 |
| SHA1 | 9476d445caccd7a725836c102154e4ba17cbc969 |
| SHA256 | b0ba9def393d4b5c8f560143c57b6c6a88a057c0291515ade7fa8fb195e03898 |
| SHA512 | fee76d9d7d4b824b224b8c7d459f4c75aa8003424395cb3bcfa797fd96115dacacce8b860b3e080ee114e2030e8623675371c9a1212ee4499ed95b62768b4754 |
C:\Users\Admin\AppData\Local\Temp\Safari
| MD5 | 0d90f78364d6b146463b6238e692b0f9 |
| SHA1 | 241f0eec297841a66f19e29d322533dc59088272 |
| SHA256 | ce3e3978e4a8bc847c6307d7ec6e532067e538e98956fc0daade2110f29da540 |
| SHA512 | 169a26bd6bed4c0a2d3af69ba649d5f4044513a87b35d75d7f1285c3f2cbdb25c3e98c5a7ebeb6a26ef87b6206b83ec18df1e016dcd7c3747d1f61211cd0a610 |
C:\Users\Admin\AppData\Local\Temp\Treasury
| MD5 | 3443eaa164d930308366fbc11d04c2fc |
| SHA1 | 9470e59283644f44d76ecb945c394d43bb09e15e |
| SHA256 | 6fe6f3a3d2e4589b74eec63e6f463c62e5373dca19972ac2db1a7ad9388c033b |
| SHA512 | 7ecdc5a2bd98ef7b8ddec6ab3d10f6ef6ce8c0cffc08ac032f14dae46ba1f710b3a86b4d9f950f7ae4fc1ab2379e3771a9b6b9bcb8d3358c5c7ff96e21b48b1a |
C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif
| MD5 | 6ee7ddebff0a2b78c7ac30f6e00d1d11 |
| SHA1 | f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2 |
| SHA256 | 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4 |
| SHA512 | 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0 |
C:\Users\Admin\AppData\Local\Temp\16592\x
| MD5 | a91c6eadc37c8082fcd0d8fd1762b8fe |
| SHA1 | 73ce49f75160ed5dafb1b8483111f5d383e919c2 |
| SHA256 | 4b47058fa38dcae6c5f596fad0f2dcea2071b59e8d8a7b9e26a8585cf7119b69 |
| SHA512 | 0a5e077e0241941b8d6032dc8920a363a8bddbde52cfef940940da5d0a7244febf22824a290c75741d450ae4dd099bfcba1f20b99dcdbb1e06cfcbf4546460b8 |
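The two `copy /b` commands rebuild `Donations.pif` and `x` from the extensionless chunks listed under Files, and the report gives SHA256 values for both the chunks and the assembled files. An analyst who recovers those chunks from a host's `%TEMP%` can repeat the assembly and check every hash, which also tells them which chunk is missing or damaged when the whole does not match. This is an added example and not part of the report: the `reassemble` function and its `read` callback are this example's own, and the expected hashes are copied from the behavioral1 file table above.

```python
import hashlib
from pathlib import Path

# Assembly order and hashes as the behavioral1 report lists them (page data, not constructed).
PLANS = {
    "Donations.pif": {
        "parts": ["Compound", "Injection", "Emotions", "Worm", "Participants"],
        "part_sha256": {
            "Compound": "3f7aa56dfd875ebf6e3aa86be897f65302f88e4022cf2dc984fdb4ac9cff0037",
            "Injection": "ec34737bf586761c5b037e97e4fb4351cf6759e8ce40e5dbaabfe60a44be5179",
            "Emotions": "748a3b063eff70ed5ba8a3a2590f409e5ec79d84d402abae5bb26b42e204e434",
            "Worm": "5970fe292d0ac770fcaf67e01e99e913426519285180ecb4638859d6969fc444",
            "Participants": "a6ac2704a4b63eaf27bc0a2d100a999176f494e7122efe8f633e51c0e2c42ace",
        },
        "sha256": "865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4",
    },
    "x": {
        "parts": ["Src", "Expressions", "Safari", "Treasury"],
        "part_sha256": {
            "Src": "862e4b3baeb552ed218606848f4014bdb2d51b7cd35dd6d36804973f2c7ec4f5",
            "Expressions": "b0ba9def393d4b5c8f560143c57b6c6a88a057c0291515ade7fa8fb195e03898",
            "Safari": "ce3e3978e4a8bc847c6307d7ec6e532067e538e98956fc0daade2110f29da540",
            "Treasury": "6fe6f3a3d2e4589b74eec63e6f463c62e5373dca19972ac2db1a7ad9388c033b",
        },
        "sha256": "4b47058fa38dcae6c5f596fad0f2dcea2071b59e8d8a7b9e26a8585cf7119b69",
    },
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def reassemble(plan, read):
    """
    Rebuild one artefact the way `copy /b a + b + ... out` does and check it against the plan.
    `read(name)` returns the bytes of a recovered chunk or raises FileNotFoundError.
    Returns (data, report): report maps each part and "whole" to 'ok', 'mismatch' or
    'missing'; data is None when any part is missing.
    """
    report, buf = {}, bytearray()
    for name in plan["parts"]:
        try:
            chunk = read(name)
        except FileNotFoundError:
            report[name] = "missing"
            continue
        report[name] = "ok" if sha256_hex(chunk) == plan["part_sha256"][name] else "mismatch"
        buf += chunk
    if any(v == "missing" for v in report.values()):
        report["whole"] = "missing"
        return None, report
    data = bytes(buf)
    report["whole"] = "ok" if sha256_hex(data) == plan["sha256"] else "mismatch"
    return data, report


def read_from_dir(directory):
    """Reader for chunks copied to a local directory (for example a recovered %TEMP%)."""
    def read(name):
        return Path(directory, name).read_bytes()
    return read


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <directory containing the recovered chunks>")
    for out_name, plan in PLANS.items():
        data, report = reassemble(plan, read_from_dir(sys.argv[1]))
        print(out_name, report, "" if data is None else f"{len(data)} bytes")
```

A chunk that hashes correctly on its own but yields a mismatching whole means the assembly order differs from the one the batch used; a chunk reported as `mismatch` while the others are `ok` is the one that was modified or truncated on the host.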
memory/3896-25-0x0000000077941000-0x0000000077A54000-memory.dmp
memory/3896-26-0x0000000000820000-0x0000000000821000-memory.dmp
memory/3896-27-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-28-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-29-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-31-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-32-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-33-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-34-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-36-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-35-0x00000000064F0000-0x00000000068F0000-memory.dmp
memory/3896-38-0x00000000064F0000-0x00000000068F0000-memory.dmp
memory/3896-37-0x00000000064F0000-0x00000000068F0000-memory.dmp
memory/3896-39-0x00007FFCD6590000-0x00007FFCD676B000-memory.dmp
memory/3896-40-0x00000000064F0000-0x00000000068F0000-memory.dmp
memory/3896-42-0x0000000076100000-0x00000000762C2000-memory.dmp
memory/4628-43-0x0000000000DC0000-0x0000000000DC9000-memory.dmp
memory/4628-45-0x0000000000660000-0x0000000000A60000-memory.dmp
memory/4628-46-0x0000000000660000-0x0000000000A60000-memory.dmp
memory/3896-48-0x00000000064F0000-0x00000000068F0000-memory.dmp
memory/4628-49-0x00007FFCD6590000-0x00007FFCD676B000-memory.dmp
memory/4628-50-0x0000000000660000-0x0000000000A60000-memory.dmp
memory/4628-52-0x00007FFCD6590000-0x00007FFCD676B000-memory.dmp
memory/4628-53-0x0000000076100000-0x00000000762C2000-memory.dmp
memory/4628-54-0x0000000000660000-0x0000000000A60000-memory.dmp
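The `memory/<pid>-<n>-<start>-<end>-memory.dmp` names above record which ranges the sandbox dumped. PID 3896 is `Donations.pif` (the `WerFault.exe -u -p 3896` line and the `PID 3896 created ...` signature name it); the page does not name PID 4628, and the assumption here is that it is the `dialer.exe` child, given the WriteProcessMemory signature. The following is an added example, not part of the report: it parses those names, collapses repeated dumps of one range, and separates ranges with identical addresses in both PIDs (system modules mapped at one base, not suspicious by themselves) from ranges of equal size at different bases, which is the shape an injected payload takes. On the behavioral1 data a 0x400000-byte region appears at 0x064F0000 in 3896 and at 0x00660000 in 4628.

```python
import re
from collections import defaultdict

# Dump names exactly as the behavioral1 run lists them (page data, not constructed).
BEHAVIORAL1_DUMPS = """
memory/3896-25-0x0000000077941000-0x0000000077A54000-memory.dmp
memory/3896-26-0x0000000000820000-0x0000000000821000-memory.dmp
memory/3896-27-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-28-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-29-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-31-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-32-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-33-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-34-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-36-0x0000000005410000-0x000000000547D000-memory.dmp
memory/3896-35-0x00000000064F0000-0x00000000068F0000-memory.dmp
memory/3896-38-0x00000000064F0000-0x00000000068F0000-memory.dmp
memory/3896-37-0x00000000064F0000-0x00000000068F0000-memory.dmp
memory/3896-39-0x00007FFCD6590000-0x00007FFCD676B000-memory.dmp
memory/3896-40-0x00000000064F0000-0x00000000068F0000-memory.dmp
memory/3896-42-0x0000000076100000-0x00000000762C2000-memory.dmp
memory/4628-43-0x0000000000DC0000-0x0000000000DC9000-memory.dmp
memory/4628-45-0x0000000000660000-0x0000000000A60000-memory.dmp
memory/4628-46-0x0000000000660000-0x0000000000A60000-memory.dmp
memory/3896-48-0x00000000064F0000-0x00000000068F0000-memory.dmp
memory/4628-49-0x00007FFCD6590000-0x00007FFCD676B000-memory.dmp
memory/4628-50-0x0000000000660000-0x0000000000A60000-memory.dmp
memory/4628-52-0x00007FFCD6590000-0x00007FFCD676B000-memory.dmp
memory/4628-53-0x0000000076100000-0x00000000762C2000-memory.dmp
memory/4628-54-0x0000000000660000-0x0000000000A60000-memory.dmp
""".split()

RE_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dumps(names):
    """Yield (pid, seq, start, end) per dump name; names that do not match are skipped."""
    for name in names:
        m = RE_DUMP.match(name.strip())
        if m:
            pid, seq, start, end = m.groups()
            yield int(pid), int(seq), int(start, 16), int(end, 16)


def regions_by_pid(names):
    """pid -> set of distinct (start, end) ranges; repeated dumps of one range collapse."""
    regions = defaultdict(set)
    for pid, _seq, start, end in parse_dumps(names):
        regions[pid].add((start, end))
    return regions


def cross_process_matches(names):
    """
    Compare dumped ranges across PIDs.
      shared:   (start, end, [pids]) the same address range in more than one process;
                typical of system DLLs mapped at one base, not suspicious by itself
      suspects: (size, [(pid, start), ...]) equal size at different bases in more than
                one process; the shape a payload takes when copied into a second process
    """
    by_range, by_size = defaultdict(set), defaultdict(list)
    for pid, ranges in regions_by_pid(names).items():
        for start, end in ranges:
            by_range[(start, end)].add(pid)
            by_size[end - start].append((pid, start))
    shared = sorted((s, e, sorted(p)) for (s, e), p in by_range.items() if len(p) > 1)
    suspects = []
    for size, hits in sorted(by_size.items()):
        if len({p for p, _ in hits}) > 1 and len({b for _, b in hits}) > 1:
            suspects.append((size, sorted(hits)))
    return shared, suspects


if __name__ == "__main__":
    shared, suspects = cross_process_matches(BEHAVIORAL1_DUMPS)
    for s, e, pids in shared:
        print(f"shared  {s:#018x}-{e:#018x} in {pids}")
    for size, hits in suspects:
        print(f"suspect size {size:#x}: " + ", ".join(f"pid {p} @ {b:#x}" for p, b in hits))
```

The two shared ranges (0x76100000 and 0x00007FFCD6590000, both present in both PIDs) are the 32-bit and 64-bit system modules a WOW64 process maps at fixed bases for the session, so they carry no signal; the 4 MiB region that exists in both processes at unrelated bases is the one worth pulling from the dumps first. The same function applied to the behavioral2 names finds the corresponding pair at 0x05C60000 (PID 1916) and 0x02730000 (PID 3096).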
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-28 03:20
Reported
2024-03-28 03:41
Platform
win10v2004-20240226-en
Max time kernel
1195s
Max time network
1204s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1916 created 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | C:\Windows\system32\sihost.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 16582
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 16582\Donations.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Src + Expressions + Safari + Treasury 16582\x
C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif
16582\Donations.pif 16582\x
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1916 -ip 1916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 936
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3856 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nmkrkibbwxQ.nmkrkibbwxQ | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| GB | 142.250.200.10:443 | | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Bathrooms
| MD5 | b51276964bb7d7ced0ca782c1505d9ca |
| SHA1 | 961d8f2ed348d6bfe38f109e97ab8b55db14591c |
| SHA256 | 55cc097b9fcc03fd4c728618889b48973ed7bcf36057edd819ef475f4aca9403 |
| SHA512 | fd485c564a64fdb53546c5ddee7dbd52fffea81405d81f49d3a7e1081f892f720120448ecb11190623e7e909683170ece6abaea090cdc857b62b17f1a9d2c547 |
C:\Users\Admin\AppData\Local\Temp\Compound
| MD5 | d63c5479fd18f86817d489744a338751 |
| SHA1 | 82385a52bb5485fab0a3d1e7f9a3661bf35d3098 |
| SHA256 | 3f7aa56dfd875ebf6e3aa86be897f65302f88e4022cf2dc984fdb4ac9cff0037 |
| SHA512 | da8a157239ef59e683b2ad06492136cfc52550af0947bb812fc7795f02ab0e09cf510b701a9e247b0ec197879028778a0af8daf01589d1a53090aa4f91bf0361 |
C:\Users\Admin\AppData\Local\Temp\Injection
| MD5 | ec92f2e791b5ca001d95fdd601cd73b3 |
| SHA1 | 4aec16ee635e9eea9732a45d79f9ab8393e966fa |
| SHA256 | ec34737bf586761c5b037e97e4fb4351cf6759e8ce40e5dbaabfe60a44be5179 |
| SHA512 | 6a5fde00eabb3e36e698b9dc9a5417ab58cbdb866d75a3b49885974b8a1995b64c094532324e9e4187d76990b02910845e63ca00d9bc2026ae77819a5708bd3b |
C:\Users\Admin\AppData\Local\Temp\Participants
| MD5 | 2e6d79912a858f8e13ce1384b18495d1 |
| SHA1 | a509ff203fcd463cc11ec1ebbe5cee251a2d3c04 |
| SHA256 | a6ac2704a4b63eaf27bc0a2d100a999176f494e7122efe8f633e51c0e2c42ace |
| SHA512 | 707d88b54f2df459d331305d36486a38a4ba0fa30834f2331c599f2d1ed4ba25e1c24eccf116454c24e98129c66ae13ce7d2621aa5dd03da92046c42eb3e6af5 |
C:\Users\Admin\AppData\Local\Temp\Worm
| MD5 | aa48266704d06ef9043c5521d52fddd0 |
| SHA1 | 37754ad688f17e227ba8028efe9127d15c08b922 |
| SHA256 | 5970fe292d0ac770fcaf67e01e99e913426519285180ecb4638859d6969fc444 |
| SHA512 | 017ea9572c60918ef9cdb81d6c54fba387434874d4335e76a05f4da9eccc8705c38c1811e152c4bf533188bebb26edc4437743eccb750d522e844af70225f840 |
C:\Users\Admin\AppData\Local\Temp\Emotions
| MD5 | 569505062321992f4e2803461c40e724 |
| SHA1 | b62f7987f92b4397b02b6894e759096fdee1f7db |
| SHA256 | 748a3b063eff70ed5ba8a3a2590f409e5ec79d84d402abae5bb26b42e204e434 |
| SHA512 | 2d23a0322100f570f2298230338c68bd23b683cae2e9a0f27bd5098a6f1c15699d3ba77a319786df34a60739a79f863adb190b6c3aa5fbc06030ae1872cb71fd |
C:\Users\Admin\AppData\Local\Temp\Src
| MD5 | bca8514ec872114f197260671806ec5d |
| SHA1 | b61846c56e14ed5e819050bd638a49505133889b |
| SHA256 | 862e4b3baeb552ed218606848f4014bdb2d51b7cd35dd6d36804973f2c7ec4f5 |
| SHA512 | 3a6300c19487013e1cce2a0a2ddcf392e872b14f31e5d35d7422848af4026dc7806dfd2c39a4028a86d3e781c075b069fa84cb280c1392bb5fdcedaec5c4109b |
C:\Users\Admin\AppData\Local\Temp\Expressions
| MD5 | 6ff11c454a1191120b1f963b120ae6b1 |
| SHA1 | 9476d445caccd7a725836c102154e4ba17cbc969 |
| SHA256 | b0ba9def393d4b5c8f560143c57b6c6a88a057c0291515ade7fa8fb195e03898 |
| SHA512 | fee76d9d7d4b824b224b8c7d459f4c75aa8003424395cb3bcfa797fd96115dacacce8b860b3e080ee114e2030e8623675371c9a1212ee4499ed95b62768b4754 |
C:\Users\Admin\AppData\Local\Temp\Safari
| MD5 | 0d90f78364d6b146463b6238e692b0f9 |
| SHA1 | 241f0eec297841a66f19e29d322533dc59088272 |
| SHA256 | ce3e3978e4a8bc847c6307d7ec6e532067e538e98956fc0daade2110f29da540 |
| SHA512 | 169a26bd6bed4c0a2d3af69ba649d5f4044513a87b35d75d7f1285c3f2cbdb25c3e98c5a7ebeb6a26ef87b6206b83ec18df1e016dcd7c3747d1f61211cd0a610 |
C:\Users\Admin\AppData\Local\Temp\Treasury
| MD5 | 3443eaa164d930308366fbc11d04c2fc |
| SHA1 | 9470e59283644f44d76ecb945c394d43bb09e15e |
| SHA256 | 6fe6f3a3d2e4589b74eec63e6f463c62e5373dca19972ac2db1a7ad9388c033b |
| SHA512 | 7ecdc5a2bd98ef7b8ddec6ab3d10f6ef6ce8c0cffc08ac032f14dae46ba1f710b3a86b4d9f950f7ae4fc1ab2379e3771a9b6b9bcb8d3358c5c7ff96e21b48b1a |
C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif
| MD5 | 6ee7ddebff0a2b78c7ac30f6e00d1d11 |
| SHA1 | f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2 |
| SHA256 | 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4 |
| SHA512 | 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0 |
C:\Users\Admin\AppData\Local\Temp\16582\x
| MD5 | a91c6eadc37c8082fcd0d8fd1762b8fe |
| SHA1 | 73ce49f75160ed5dafb1b8483111f5d383e919c2 |
| SHA256 | 4b47058fa38dcae6c5f596fad0f2dcea2071b59e8d8a7b9e26a8585cf7119b69 |
| SHA512 | 0a5e077e0241941b8d6032dc8920a363a8bddbde52cfef940940da5d0a7244febf22824a290c75741d450ae4dd099bfcba1f20b99dcdbb1e06cfcbf4546460b8 |
memory/1916-25-0x0000000077D31000-0x0000000077E51000-memory.dmp
memory/1916-26-0x0000000000B20000-0x0000000000B21000-memory.dmp
memory/1916-27-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
memory/1916-28-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
memory/1916-29-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
memory/1916-31-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
memory/1916-32-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
memory/1916-33-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
memory/1916-34-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
memory/1916-35-0x0000000005C60000-0x0000000006060000-memory.dmp
memory/1916-36-0x0000000004BA0000-0x0000000004C0D000-memory.dmp
memory/1916-38-0x0000000005C60000-0x0000000006060000-memory.dmp
memory/1916-37-0x0000000005C60000-0x0000000006060000-memory.dmp
memory/1916-39-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp
memory/1916-40-0x0000000005C60000-0x0000000006060000-memory.dmp
memory/1916-42-0x0000000075DF0000-0x0000000076005000-memory.dmp
memory/3096-43-0x0000000000A20000-0x0000000000A29000-memory.dmp
memory/3096-45-0x0000000002730000-0x0000000002B30000-memory.dmp
memory/3096-46-0x0000000002730000-0x0000000002B30000-memory.dmp
memory/3096-48-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp
memory/3096-50-0x0000000002730000-0x0000000002B30000-memory.dmp
memory/3096-51-0x0000000075DF0000-0x0000000076005000-memory.dmp
memory/3096-52-0x0000000002730000-0x0000000002B30000-memory.dmp
memory/1916-53-0x0000000005C60000-0x0000000006060000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-28 03:20
Reported
2024-03-28 03:41
Platform
win11-20240221-en
Max time kernel
454s
Max time network
1177s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1860 created 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | C:\Windows\system32\sihost.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 16562
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 16562\Donations.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Src + Expressions + Safari + Treasury 16562\x
C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif
16562\Donations.pif 16562\x
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 968
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nmkrkibbwxQ.nmkrkibbwxQ | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Bathrooms
| MD5 | b51276964bb7d7ced0ca782c1505d9ca |
| SHA1 | 961d8f2ed348d6bfe38f109e97ab8b55db14591c |
| SHA256 | 55cc097b9fcc03fd4c728618889b48973ed7bcf36057edd819ef475f4aca9403 |
| SHA512 | fd485c564a64fdb53546c5ddee7dbd52fffea81405d81f49d3a7e1081f892f720120448ecb11190623e7e909683170ece6abaea090cdc857b62b17f1a9d2c547 |
C:\Users\Admin\AppData\Local\Temp\Compound
| MD5 | d63c5479fd18f86817d489744a338751 |
| SHA1 | 82385a52bb5485fab0a3d1e7f9a3661bf35d3098 |
| SHA256 | 3f7aa56dfd875ebf6e3aa86be897f65302f88e4022cf2dc984fdb4ac9cff0037 |
| SHA512 | da8a157239ef59e683b2ad06492136cfc52550af0947bb812fc7795f02ab0e09cf510b701a9e247b0ec197879028778a0af8daf01589d1a53090aa4f91bf0361 |
C:\Users\Admin\AppData\Local\Temp\Injection
| MD5 | ec92f2e791b5ca001d95fdd601cd73b3 |
| SHA1 | 4aec16ee635e9eea9732a45d79f9ab8393e966fa |
| SHA256 | ec34737bf586761c5b037e97e4fb4351cf6759e8ce40e5dbaabfe60a44be5179 |
| SHA512 | 6a5fde00eabb3e36e698b9dc9a5417ab58cbdb866d75a3b49885974b8a1995b64c094532324e9e4187d76990b02910845e63ca00d9bc2026ae77819a5708bd3b |
C:\Users\Admin\AppData\Local\Temp\Participants
| MD5 | 2e6d79912a858f8e13ce1384b18495d1 |
| SHA1 | a509ff203fcd463cc11ec1ebbe5cee251a2d3c04 |
| SHA256 | a6ac2704a4b63eaf27bc0a2d100a999176f494e7122efe8f633e51c0e2c42ace |
| SHA512 | 707d88b54f2df459d331305d36486a38a4ba0fa30834f2331c599f2d1ed4ba25e1c24eccf116454c24e98129c66ae13ce7d2621aa5dd03da92046c42eb3e6af5 |
C:\Users\Admin\AppData\Local\Temp\Worm
| MD5 | aa48266704d06ef9043c5521d52fddd0 |
| SHA1 | 37754ad688f17e227ba8028efe9127d15c08b922 |
| SHA256 | 5970fe292d0ac770fcaf67e01e99e913426519285180ecb4638859d6969fc444 |
| SHA512 | 017ea9572c60918ef9cdb81d6c54fba387434874d4335e76a05f4da9eccc8705c38c1811e152c4bf533188bebb26edc4437743eccb750d522e844af70225f840 |
C:\Users\Admin\AppData\Local\Temp\Emotions
| MD5 | 569505062321992f4e2803461c40e724 |
| SHA1 | b62f7987f92b4397b02b6894e759096fdee1f7db |
| SHA256 | 748a3b063eff70ed5ba8a3a2590f409e5ec79d84d402abae5bb26b42e204e434 |
| SHA512 | 2d23a0322100f570f2298230338c68bd23b683cae2e9a0f27bd5098a6f1c15699d3ba77a319786df34a60739a79f863adb190b6c3aa5fbc06030ae1872cb71fd |
C:\Users\Admin\AppData\Local\Temp\Treasury
| MD5 | 3443eaa164d930308366fbc11d04c2fc |
| SHA1 | 9470e59283644f44d76ecb945c394d43bb09e15e |
| SHA256 | 6fe6f3a3d2e4589b74eec63e6f463c62e5373dca19972ac2db1a7ad9388c033b |
| SHA512 | 7ecdc5a2bd98ef7b8ddec6ab3d10f6ef6ce8c0cffc08ac032f14dae46ba1f710b3a86b4d9f950f7ae4fc1ab2379e3771a9b6b9bcb8d3358c5c7ff96e21b48b1a |
C:\Users\Admin\AppData\Local\Temp\Safari
| MD5 | 0d90f78364d6b146463b6238e692b0f9 |
| SHA1 | 241f0eec297841a66f19e29d322533dc59088272 |
| SHA256 | ce3e3978e4a8bc847c6307d7ec6e532067e538e98956fc0daade2110f29da540 |
| SHA512 | 169a26bd6bed4c0a2d3af69ba649d5f4044513a87b35d75d7f1285c3f2cbdb25c3e98c5a7ebeb6a26ef87b6206b83ec18df1e016dcd7c3747d1f61211cd0a610 |
C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif
| MD5 | 6ee7ddebff0a2b78c7ac30f6e00d1d11 |
| SHA1 | f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2 |
| SHA256 | 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4 |
| SHA512 | 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0 |
C:\Users\Admin\AppData\Local\Temp\Expressions
| MD5 | 6ff11c454a1191120b1f963b120ae6b1 |
| SHA1 | 9476d445caccd7a725836c102154e4ba17cbc969 |
| SHA256 | b0ba9def393d4b5c8f560143c57b6c6a88a057c0291515ade7fa8fb195e03898 |
| SHA512 | fee76d9d7d4b824b224b8c7d459f4c75aa8003424395cb3bcfa797fd96115dacacce8b860b3e080ee114e2030e8623675371c9a1212ee4499ed95b62768b4754 |
C:\Users\Admin\AppData\Local\Temp\Src
| MD5 | bca8514ec872114f197260671806ec5d |
| SHA1 | b61846c56e14ed5e819050bd638a49505133889b |
| SHA256 | 862e4b3baeb552ed218606848f4014bdb2d51b7cd35dd6d36804973f2c7ec4f5 |
| SHA512 | 3a6300c19487013e1cce2a0a2ddcf392e872b14f31e5d35d7422848af4026dc7806dfd2c39a4028a86d3e781c075b069fa84cb280c1392bb5fdcedaec5c4109b |
C:\Users\Admin\AppData\Local\Temp\16562\x
| MD5 | a91c6eadc37c8082fcd0d8fd1762b8fe |
| SHA1 | 73ce49f75160ed5dafb1b8483111f5d383e919c2 |
| SHA256 | 4b47058fa38dcae6c5f596fad0f2dcea2071b59e8d8a7b9e26a8585cf7119b69 |
| SHA512 | 0a5e077e0241941b8d6032dc8920a363a8bddbde52cfef940940da5d0a7244febf22824a290c75741d450ae4dd099bfcba1f20b99dcdbb1e06cfcbf4546460b8 |
memory/1860-25-0x0000000077521000-0x0000000077643000-memory.dmp
memory/1860-26-0x00000000025E0000-0x00000000025E1000-memory.dmp
memory/1860-27-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-28-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-29-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-31-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-32-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-33-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-34-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-35-0x00000000067A0000-0x0000000006BA0000-memory.dmp
memory/1860-37-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-36-0x00000000067A0000-0x0000000006BA0000-memory.dmp
memory/1860-38-0x00000000067A0000-0x0000000006BA0000-memory.dmp
memory/1860-40-0x00007FFB96180000-0x00007FFB96389000-memory.dmp
memory/1860-42-0x00000000067A0000-0x0000000006BA0000-memory.dmp
memory/780-44-0x0000000000E10000-0x0000000000E19000-memory.dmp
memory/1860-43-0x00000000768B0000-0x0000000076B02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif
| MD5 | 0d1d68f4d9d55edd7571fd468140fcfc |
| SHA1 | 4c4607b45637b299032a407682c9d2a844bed807 |
| SHA256 | 4544412b19ad66f0ff8396d178da58557f4826289ed3c802338e45e51d3d99a7 |
| SHA512 | 8be744f4c51bb6401f20ef1f87ddb68599a88e601bd07452f0270848fc7aa5e5fe5720dc22954fe782714040a286ccf2e39f220b301ddb7a766faddabfc5bc70 |
memory/780-50-0x00007FFB96180000-0x00007FFB96389000-memory.dmp
memory/780-47-0x0000000002B20000-0x0000000002F20000-memory.dmp
memory/780-53-0x0000000002B20000-0x0000000002F20000-memory.dmp
memory/780-52-0x00000000768B0000-0x0000000076B02000-memory.dmp
memory/1860-55-0x00000000067A0000-0x0000000006BA0000-memory.dmp
memory/780-56-0x00007FFB96180000-0x00007FFB96389000-memory.dmp
memory/780-54-0x0000000002B20000-0x0000000002F20000-memory.dmp