Analysis Overview
SHA256
f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
Threat Level: Known bad
The file f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84 was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-28 12:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-28 12:58
Reported
2024-03-28 13:01
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4100 created 2548 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3404 set thread context of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe | "C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3404 -ip 3404 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 868 |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4100 -ip 4100 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 600 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4100 -ip 4100 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 596 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
memory/3404-1-0x0000000074D50000-0x0000000075500000-memory.dmp
memory/3404-0-0x0000000000480000-0x00000000004EE000-memory.dmp
memory/3404-2-0x00000000028B0000-0x00000000028C0000-memory.dmp
memory/4100-5-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4100-8-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3404-9-0x00000000028E0000-0x00000000048E0000-memory.dmp
memory/4100-10-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4100-11-0x0000000003650000-0x0000000003A50000-memory.dmp
memory/4100-13-0x0000000003650000-0x0000000003A50000-memory.dmp
memory/4100-14-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp
memory/4100-16-0x0000000003650000-0x0000000003A50000-memory.dmp
memory/4100-17-0x00000000762D0000-0x00000000764E5000-memory.dmp
memory/1192-18-0x0000000000CF0000-0x0000000000CF9000-memory.dmp
memory/3404-20-0x0000000074D50000-0x0000000075500000-memory.dmp
memory/1192-21-0x0000000002870000-0x0000000002C70000-memory.dmp
memory/1192-22-0x0000000002870000-0x0000000002C70000-memory.dmp
memory/4100-23-0x0000000003650000-0x0000000003A50000-memory.dmp
memory/1192-25-0x0000000002870000-0x0000000002C70000-memory.dmp
memory/1192-24-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp
memory/1192-27-0x00000000762D0000-0x00000000764E5000-memory.dmp
memory/1192-28-0x0000000002870000-0x0000000002C70000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-28 12:58
Reported
2024-03-28 13:01
Platform
win11-20240221-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2144 created 2696 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4260 set thread context of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe | "C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4260 -ip 4260 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 884 |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2144 -ip 2144 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 520 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2144 -ip 2144 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 516 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/4260-1-0x0000000000D20000-0x0000000000D8E000-memory.dmp
memory/4260-0-0x0000000075130000-0x00000000758E1000-memory.dmp
memory/4260-2-0x00000000058C0000-0x00000000058D0000-memory.dmp
memory/2144-5-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2144-8-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4260-9-0x0000000003340000-0x0000000005340000-memory.dmp
memory/2144-10-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4260-11-0x0000000075130000-0x00000000758E1000-memory.dmp
memory/2144-12-0x0000000003A50000-0x0000000003E50000-memory.dmp
memory/2144-13-0x0000000003A50000-0x0000000003E50000-memory.dmp
memory/2144-14-0x0000000003A50000-0x0000000003E50000-memory.dmp
memory/2144-15-0x00007FFD5DB60000-0x00007FFD5DD69000-memory.dmp
memory/2144-17-0x0000000003A50000-0x0000000003E50000-memory.dmp
memory/2144-18-0x0000000076360000-0x00000000765B2000-memory.dmp
memory/4844-19-0x0000000000310000-0x0000000000319000-memory.dmp
memory/2144-20-0x0000000003A50000-0x0000000003E50000-memory.dmp
memory/4844-23-0x0000000002370000-0x0000000002770000-memory.dmp
memory/4844-24-0x00007FFD5DB60000-0x00007FFD5DD69000-memory.dmp
memory/4844-25-0x0000000002370000-0x0000000002770000-memory.dmp
memory/4844-28-0x0000000076360000-0x00000000765B2000-memory.dmp
memory/4844-27-0x00007FFD5DB60000-0x00007FFD5DD69000-memory.dmp
memory/4844-29-0x0000000002370000-0x0000000002770000-memory.dmp
memory/4844-30-0x00007FFD5DB60000-0x00007FFD5DD69000-memory.dmp