Malware Analysis Report

2024-11-30 02:14

Sample ID 240328-sjtz6ahc5t
Target ProjectMainGitHub.zip
SHA256 f55cf52fd39c12fbb2ead65587a71ae2f8a563930c89e4a41e64eae9e041a39e
Tags
rhadamanthys stealer discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f55cf52fd39c12fbb2ead65587a71ae2f8a563930c89e4a41e64eae9e041a39e

Threat Level: Known bad

The file ProjectMainGitHub.zip was found to be: Known bad.

Malicious Activity Summary

rhadamanthys stealer discovery

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Modifies file permissions

Executes dropped EXE

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

GoLang User-Agent

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-28 15:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-28 15:09

Reported

2024-03-28 15:46

Platform

win10v2004-20240226-en

Max time kernel

450s

Max time network

1175s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1140 created 2920 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\system32\sihost.exe

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\driver1.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4516 set thread context of 1140 N/A C:\ProgramData\driver1.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\Wbem\wmic.exe
PID 5068 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\Wbem\wmic.exe
PID 5068 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\ProgramData\driver1.exe
PID 5068 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\ProgramData\driver1.exe
PID 4516 wrote to memory of 1140 N/A C:\ProgramData\driver1.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
PID 4516 wrote to memory of 1140 N/A C:\ProgramData\driver1.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
PID 4516 wrote to memory of 1140 N/A C:\ProgramData\driver1.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
PID 4516 wrote to memory of 1140 N/A C:\ProgramData\driver1.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
PID 4516 wrote to memory of 1140 N/A C:\ProgramData\driver1.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
PID 1140 wrote to memory of 4748 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\SysWOW64\dialer.exe
PID 1140 wrote to memory of 4748 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\SysWOW64\dialer.exe
PID 1140 wrote to memory of 4748 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\SysWOW64\dialer.exe
PID 1140 wrote to memory of 4748 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\SysWOW64\dialer.exe
PID 1140 wrote to memory of 4748 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\SysWOW64\dialer.exe
PID 5068 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\system32\schtasks.exe
PID 5068 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\system32\schtasks.exe
PID 5068 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\system32\schtasks.exe
PID 5068 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\Microsoft\\\""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get uuid

C:\ProgramData\driver1.exe

C:\ProgramData\driver1.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1140 -ip 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1140 -ip 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 460

C:\Windows\system32\schtasks.exe

schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM

C:\Windows\system32\schtasks.exe

schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
RU 89.23.97.199:1445 89.23.97.199 tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 199.97.23.89.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 89.23.97.199:1444 89.23.97.199 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 9.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lawojmme.5xh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4172-5-0x000001C01E080000-0x000001C01E0A2000-memory.dmp

memory/4172-11-0x000001C01E010000-0x000001C01E020000-memory.dmp

memory/4172-10-0x00007FFE52970000-0x00007FFE53431000-memory.dmp

memory/4172-12-0x000001C01E010000-0x000001C01E020000-memory.dmp

memory/4172-15-0x00007FFE52970000-0x00007FFE53431000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/4684-17-0x00007FFE52970000-0x00007FFE53431000-memory.dmp

memory/4684-18-0x0000025436C00000-0x0000025436C10000-memory.dmp

memory/4684-19-0x0000025436C00000-0x0000025436C10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

memory/4684-31-0x00007FFE52970000-0x00007FFE53431000-memory.dmp

C:\ProgramData\driver1.exe

MD5 c9ba72dd40efccd9ea8b199984bfcea8
SHA1 047bb1776528de85752efb7e5cd8505637db610f
SHA256 1ee785bcc72ba77941a98128ee17cd5fa85e86c8056fc0ec607392075b16f481
SHA512 2bba3781fab039f210c637b54c77be771733c2adf5a6e8064a6ec803b9d798d5ed820c950cf70501411a4ef4009640e8eb9e9a3fa7dd3b97ba2b8a181c5cdec8

memory/1140-41-0x0000000000B40000-0x0000000000BAD000-memory.dmp

memory/4516-42-0x00007FF72AEA0000-0x00007FF72B2EE000-memory.dmp

memory/1140-44-0x0000000000B40000-0x0000000000BAD000-memory.dmp

memory/1140-45-0x0000000000B40000-0x0000000000BAD000-memory.dmp

memory/1140-46-0x0000000003C70000-0x0000000004070000-memory.dmp

memory/1140-47-0x0000000003C70000-0x0000000004070000-memory.dmp

memory/1140-48-0x0000000003C70000-0x0000000004070000-memory.dmp

memory/1140-50-0x0000000003C70000-0x0000000004070000-memory.dmp

memory/1140-49-0x00007FFE718B0000-0x00007FFE71AA5000-memory.dmp

memory/1140-52-0x0000000075280000-0x0000000075495000-memory.dmp

memory/4748-53-0x00000000004F0000-0x00000000004F9000-memory.dmp

memory/4748-56-0x0000000002080000-0x0000000002480000-memory.dmp

memory/4748-57-0x00007FFE718B0000-0x00007FFE71AA5000-memory.dmp

memory/4748-58-0x0000000002080000-0x0000000002480000-memory.dmp

memory/4748-60-0x0000000075280000-0x0000000075495000-memory.dmp

memory/4748-61-0x0000000002080000-0x0000000002480000-memory.dmp

memory/1140-62-0x0000000003C70000-0x0000000004070000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-28 15:09

Reported

2024-03-28 15:47

Platform

win10v2004-20240226-en

Max time kernel

1790s

Max time network

1802s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Newtonsoft.Json.dll,#1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Newtonsoft.Json.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4884 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 167.161.23.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 235.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 26.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp

Files

memory/1760-0-0x000001AF88D40000-0x000001AF88D50000-memory.dmp

memory/1760-16-0x000001AF88E40000-0x000001AF88E50000-memory.dmp

memory/1760-32-0x000001AF91190000-0x000001AF91191000-memory.dmp

memory/1760-34-0x000001AF911C0000-0x000001AF911C1000-memory.dmp

memory/1760-35-0x000001AF911C0000-0x000001AF911C1000-memory.dmp

memory/1760-36-0x000001AF912D0000-0x000001AF912D1000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-28 15:09

Reported

2024-03-28 15:49

Platform

win10v2004-20240226-en

Max time kernel

1173s

Max time network

1176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderB.exe"

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderB.exe

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderB.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderB.exe" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 57.162.23.2.in-addr.arpa udp

Files

memory/1688-0-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3828-5-0x00000216E5C40000-0x00000216E6C40000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 1988831aedfcb1cb2dc37a2898d0358d
SHA1 97322094898a927c73612bc80a6d92386a6cfa07
SHA256 15516bba0b99290b90f97f713b09effe840a9b9a0e2ce6fc85097d19cbc16d50
SHA512 dbe02724559cdc2f260a9242830127f0d3832e3f2ee0e103e0a5e5c07c83c7fea7eb47cca8aab61e3c0aad6b0fe1fcec0f4c16f1e8a7f7fb6fe2813652cdfe07

memory/3828-13-0x00000216E4600000-0x00000216E4601000-memory.dmp

memory/3828-17-0x00000216E5C40000-0x00000216E6C40000-memory.dmp

memory/3828-25-0x00000216E5C40000-0x00000216E6C40000-memory.dmp

memory/3828-31-0x00000216E4600000-0x00000216E4601000-memory.dmp

memory/3828-38-0x00000216E5C40000-0x00000216E6C40000-memory.dmp

memory/3828-42-0x00000216E4600000-0x00000216E4601000-memory.dmp

memory/3828-44-0x00000216E5C40000-0x00000216E6C40000-memory.dmp

memory/3828-48-0x00000216E5C40000-0x00000216E6C40000-memory.dmp

memory/3828-76-0x00000216E4600000-0x00000216E4601000-memory.dmp

memory/3828-77-0x00000216E4600000-0x00000216E4601000-memory.dmp

memory/3828-94-0x00000216E4600000-0x00000216E4601000-memory.dmp

memory/3828-98-0x00000216E4600000-0x00000216E4601000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-28 15:09

Reported

2024-03-28 15:50

Platform

win10v2004-20240319-en

Max time kernel

1793s

Max time network

1803s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\scv.jar

Signatures

N/A

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\scv.jar

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2232,i,10468259530860544675,2192522633371581869,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5124 --field-trial-handle=2232,i,10468259530860544675,2192522633371581869,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 80.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-28 15:09

Reported

2024-03-28 15:42

Platform

win10v2004-20240226-en

Max time kernel

1151s

Max time network

1175s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Engine.js

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Engine.js

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 80.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp

Files

memory/3064-0-0x000002187BB40000-0x000002187BB50000-memory.dmp

memory/3064-16-0x000002187BC40000-0x000002187BC50000-memory.dmp

memory/3064-32-0x00000218041F0000-0x00000218041F1000-memory.dmp

memory/3064-34-0x0000021804220000-0x0000021804221000-memory.dmp

memory/3064-35-0x0000021804220000-0x0000021804221000-memory.dmp

memory/3064-36-0x0000021804330000-0x0000021804331000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-28 15:09

Reported

2024-03-28 15:49

Platform

win10v2004-20240226-en

Max time kernel

1174s

Max time network

1177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderS.exe"

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderS.exe

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderS.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderS.exe" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 57.162.23.2.in-addr.arpa udp

Files

memory/2600-0-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4172-5-0x0000013980000000-0x0000013981000000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 b763122763036dd9ab5b14b2b9d6beea
SHA1 adb19c5f1af230b1178f20f29c7fabcd930ae468
SHA256 6da0336c765ab57af84e443a44c10bf5307f98491a5853080745edec205ef8e8
SHA512 1d7ebdcf47af91edc5806824b80dccee7a1f73cf8f4c1c64266fdb888ec7d6468f104fa6985ea8ded69fd855af6775deb6ab9318449529f37a008b07d5e3de8a

memory/4172-13-0x00000139FE700000-0x00000139FE701000-memory.dmp

memory/4172-16-0x0000013980000000-0x0000013981000000-memory.dmp

memory/4172-27-0x0000013980000000-0x0000013981000000-memory.dmp

memory/4172-31-0x00000139FE700000-0x00000139FE701000-memory.dmp

memory/4172-37-0x0000013980000000-0x0000013981000000-memory.dmp

memory/4172-41-0x0000013980000000-0x0000013981000000-memory.dmp

memory/4172-42-0x0000013980280000-0x0000013980290000-memory.dmp

memory/4172-43-0x00000139802C0000-0x00000139802D0000-memory.dmp

memory/4172-44-0x0000013980320000-0x0000013980330000-memory.dmp

memory/4172-45-0x00000139802D0000-0x00000139802E0000-memory.dmp

memory/4172-46-0x00000139802F0000-0x0000013980300000-memory.dmp

memory/4172-47-0x0000013980300000-0x0000013980310000-memory.dmp

memory/4172-49-0x0000013980000000-0x0000013981000000-memory.dmp

memory/4172-48-0x0000013980310000-0x0000013980320000-memory.dmp

memory/4172-50-0x0000013980000000-0x0000013981000000-memory.dmp

memory/4172-51-0x0000013980000000-0x0000013981000000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-28 15:09

Reported

2024-03-28 15:50

Platform

win10v2004-20240226-en

Max time kernel

1170s

Max time network

1173s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\opengl32.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\opengl32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 169.253.116.51.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 57.162.23.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-28 15:09

Reported

2024-03-28 15:55

Platform

win10v2004-20231215-en

Max time kernel

447s

Max time network

1171s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\xNet.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\xNet.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 202.77.24.184.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

N/A