Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2024 12:58
Static task
- static1

Behavioral tasks
- behavioral1
  Sample: f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe
  Resource: win10v2004-20240226-en
- behavioral2
  Sample: f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe
  Resource: win11-20240221-en
General
- Target: f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe
- Size: 437KB
- MD5: 7960d8afbbac06f216cceeb1531093bb
- SHA1: 008221bf66a0749447cffcb86f2d1ec80e23fc76
- SHA256: f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
- SHA512: 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147
- SSDEEP: 6144:fgY0pFLSksU7U6LdDXkQrrfEwPxu7Jf1r4zZr/CS9Qn5xgabMhaQsptC/E:YY21NNLdDXk2sE6JfN4zZrlQn5PSaH
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
  description              pid   Process      procid_target
  PID 4100 created 2548    4100  RegAsm.exe   43
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                            pid   Process                                                                  procid_target
  PID 3404 set thread context of 4100    3404  f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe  88
- Program crash (3 IoCs)
  Processes:
  pid   pid_target  Process       procid_target
  3208  3404        WerFault.exe  83
  4404  4100        WerFault.exe  88
  444   4100        WerFault.exe  88
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid   Process
  4100  RegAsm.exe
  4100  RegAsm.exe
  1192  dialer.exe
  1192  dialer.exe
  1192  dialer.exe
  1192  dialer.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (identical rows collapsed; the rows column gives how many times each appears):
  description                         pid   Process                                                                  procid_target  rows
  PID 3404 wrote to memory of 4100    3404  f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe  88             11
  PID 4100 wrote to memory of 1192    4100  RegAsm.exe                                                               92             5
Processes
- C:\Windows\system32\sihost.exe (PID 2548)
  command line: sihost.exe
  - C:\Windows\SysWOW64\dialer.exe (PID 1192)
    command line: "C:\Windows\system32\dialer.exe"
    signatures: Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe (PID 3404)
  command line: "C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4100)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 4404)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 600
      signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 444)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 596
      signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 3208)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 868
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3760)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3404 -ip 3404
- C:\Windows\SysWOW64\WerFault.exe (PID 3972)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4100 -ip 4100
- C:\Windows\SysWOW64\WerFault.exe (PID 2688)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4100 -ip 4100
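Read together, the signature tables and the process tree describe a two-stage injection: the sample writes into a RegAsm.exe child and then resets a thread context in it (process hollowing), and that RegAsm.exe creates dialer.exe with sihost.exe as its apparent parent and writes into it as well. Two details in the tree also fix the bitness of the stages: RegAsm.exe comes from Framework\ rather than Framework64\, and dialer.exe was requested as C:\Windows\system32\dialer.exe but mapped from SysWOW64, which is WoW64 file-system redirection for a 32-bit process. The script below is an added example, not part of the sandbox report or of any tool it names; it rebuilds that graph from process and event records constructed by hand from the tables above and flags each technique. Setting dialer.exe's creator to RegAsm.exe (PID 4100) is this example's reading of the NtCreateUserProcessOtherParentProcess signature combined with the RegAsm.exe-to-1192 WriteProcessMemory rows, and HOLLOW_HOSTS is an illustrative list chosen here, not a sandbox signature.

```python
"""Rebuild the injection graph from sandbox-style process/IoC records and flag
process hollowing, PPID spoofing and WoW64 redirection.

Added example for this report, not code from the sandbox or the sample. Every
record below is constructed by hand from the report's tables; field names are
this script's own.
"""
from __future__ import annotations

import ntpath
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str            # executable actually mapped (from the process tree)
    cmdline: str          # command line as logged
    parent: int | None    # parent PID as shown in the process tree
    creator: int | None   # PID that issued the create call, when known


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe")
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed from the report's process tree; WerFault instances omitted.
# creator=4100 for dialer.exe is our reading of the OtherParentProcess signature
# (raised on RegAsm.exe) plus the RegAsm.exe -> 1192 WriteProcessMemory rows.
PROCS = {
    2548: Proc(2548, r"C:\Windows\system32\sihost.exe", "sihost.exe", None, None),
    3404: Proc(3404, SAMPLE, f'"{SAMPLE}"', None, None),
    4100: Proc(4100, REGASM, f'"{REGASM}"', 3404, 3404),
    1192: Proc(1192, r"C:\Windows\SysWOW64\dialer.exe",
               r'"C:\Windows\system32\dialer.exe"', 2548, 4100),
}

# (api, source pid, target pid): one tuple per IoC row in the signature tables.
EVENTS = (
    [("WriteProcessMemory", 3404, 4100)] * 11
    + [("SetThreadContext", 3404, 4100)]
    + [("WriteProcessMemory", 4100, 1192)] * 5
    + [("NtCreateUserProcessOtherParentProcess", 4100, 1192)]
)

# Signed Microsoft binaries often used as hollowing hosts (illustrative list
# chosen for this example, not a sandbox list).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe", "dialer.exe"}


def find_hollowing(events, procs):
    """A parent that wrote into its child and then reset a thread context in it
    has almost certainly replaced the child's image (process hollowing)."""
    counts = Counter(events)
    hits = []
    for (api, src, dst), _ in counts.items():
        if api != "SetThreadContext":
            continue
        writes = counts.get(("WriteProcessMemory", src, dst), 0)
        if writes and procs[dst].parent == src:
            host = ntpath.basename(procs[dst].image).lower()
            hits.append({"injector": src, "host": dst, "writes": writes,
                         "known_host": host in HOLLOW_HOSTS})
    return hits


def find_ppid_spoofing(procs):
    """Tree parent differs from the process that really issued the create call:
    the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS trick behind the
    NtCreateUserProcessOtherParentProcess signature."""
    return [(p.pid, p.parent, p.creator) for p in procs.values()
            if p.creator is not None and p.parent != p.creator]


def wow64_redirected(proc):
    """Launched with a system32 path but mapped from SysWOW64: the process is
    32-bit, so the stage injected into it is 32-bit too."""
    asked = proc.cmdline.strip('"').lower()
    return "\\system32\\" in asked and "\\syswow64\\" in proc.image.lower()


def injection_chain(start, events):
    """Follow WriteProcessMemory edges outward from the first stage."""
    edges = {}
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            edges.setdefault(src, []).append(dst)
    chain, frontier = [start], [start]
    while frontier:
        nxt = [d for s in frontier for d in edges.get(s, []) if d not in chain]
        chain.extend(dict.fromkeys(nxt))    # dedupe while keeping order
        frontier = list(dict.fromkeys(nxt))
    return chain


if __name__ == "__main__":
    print("chain:", " -> ".join(str(p) for p in injection_chain(3404, EVENTS)))
    for h in find_hollowing(EVENTS, PROCS):
        print(f"hollowing: {h['injector']} -> {h['host']} "
              f"({h['writes']} writes, known host={h['known_host']})")
    for pid, shown, real in find_ppid_spoofing(PROCS):
        print(f"ppid spoof: {pid} shows parent {shown}, created by {real}")
    for p in PROCS.values():
        if wow64_redirected(p):
            print(f"wow64: {p.pid} {ntpath.basename(p.image)} is 32-bit")
```

On a live host the same two fields come from different places: the creator is the process whose thread raised the process-create event, while the parent is the PPID stored in the new process's EPROCESS and shown by Task Manager, so any telemetry that records only the PPID will draw dialer.exe under sihost.exe exactly as this tree does. The crash rows are worth keeping in view too: three WerFault.exe instances against PIDs 3404 and 4100 say the hollowed RegAsm.exe and the original sample both died during the run, so a second behavioral task on another image (behavioral2 above) is the right place to look for later-stage activity.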