Analysis
max time kernel: 150s
max time network: 157s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 28-03-2024 12:58
Static task: static1
Behavioral task: behavioral1
  Sample: f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral2
  Sample: f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe
  Resource: win11-20240221-en
General
Target: f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe
Size: 437KB
MD5: 7960d8afbbac06f216cceeb1531093bb
SHA1: 008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256: f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA512: 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147
SSDEEP: 6144:fgY0pFLSksU7U6LdDXkQrrfEwPxu7Jf1r4zZr/CS9Qn5xgabMhaQsptC/E:YY21NNLdDXk2sE6JfN4zZrlQn5PSaH
Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description: PID 2144 created 2696 | pid: 2144 | Process: RegAsm.exe | procid_target: 48

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 4260 set thread context of 2144 | pid: 4260 | Process: f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe | procid_target: 79

Program crash (3 IoCs)
Processes:
  pid: 4936 | pid_target: 4260 | Process: WerFault.exe | procid_target: 77
  pid: 3708 | pid_target: 2144 | Process: WerFault.exe | procid_target: 79
  pid: 4668 | pid_target: 2144 | Process: WerFault.exe | procid_target: 79

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid: 2144 | Process: RegAsm.exe (2 events)
  pid: 4844 | Process: dialer.exe (4 events)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description: PID 4260 wrote to memory of 2144 | pid: 4260 | Process: f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe | procid_target: 79 (11 events)
  description: PID 2144 wrote to memory of 4844 | pid: 2144 | Process: RegAsm.exe | procid_target: 84 (5 events)
Processes

C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2696
    C:\Windows\SysWOW64\dialer.exe
      command line: "C:\Windows\system32\dialer.exe"
      Suspicious behavior: EnumeratesProcesses
      PID: 4844

C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe"
  Suspicious use of SetThreadContext
  Suspicious use of WriteProcessMemory
  PID: 4260
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID: 2144
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 520
          Program crash
          PID: 3708
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 516
          Program crash
          PID: 4668
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 884
      Program crash
      PID: 4936

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4260 -ip 4260
  PID: 228

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2144 -ip 2144
  PID: 3156

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2144 -ip 2144
  PID: 4508