Analysis Overview
SHA256: 4f76cd6ec7222833969dcad5f71ab7cbddfd3714bc9adda334413c66c2826209
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Loads dropped DLL
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
| Field | Value |
|---|---|
| Reported | 2024-03-28 18:26 |
Signatures
Analysis: behavioral2
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-03-28 18:26 |
| Reported | 2024-03-28 18:28 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 146s |
| Max time network | 155s |
| Command Line | |
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 960 created 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | C:\Windows\system32\sihost.exe |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2512 set thread context of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\netsh.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\file.exe | "C:\Users\Admin\AppData\Local\Temp\file.exe" |
| C:\Users\Admin\AppData\Local\Temp\file.exe | "C:\Users\Admin\AppData\Local\Temp\file.exe" --cp |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3436 -ip 3436 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 480 |
| C:\Windows\SysWOW64\netsh.exe | C:\Windows\SysWOW64\netsh.exe |
| C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\1361fbc7
| Hash | Value |
|---|---|
| MD5 | 2094ddc2476788a39de6be04d3420c25 |
| SHA1 | cd76e5863f694f2d9f2c4dd2491dbd9de3989b18 |
| SHA256 | 1550fbc51c842e8fe98e7f7046bd1672c5fa5f46807228d4cc457331e4e56a86 |
| SHA512 | 13901c88de3fd492dddb7c2b4c7286d43e9b26904b0275f5acee97dcf1167f20092b87ddb4d34832a2ef7efbe4c7b5c949e38a57aa4ad39db9b43118ac31f343 |
C:\Users\Admin\AppData\Local\Temp\140a252b
| Hash | Value |
|---|---|
| MD5 | 013ff5bf5b7c3ca1f73b9c28eb741028 |
| SHA1 | c2d8f5898e12f2c0a287d640d096814641b308bc |
| SHA256 | 0f56ca4926ee6a9dd881b4cbbce6f1c816a986746657f0b1ebb938e59004e715 |
| SHA512 | 4017bba67fbadfc069b3a97f33701ac8831677dec244d606b9591995688df49e7641898b3f0f2d911962434cb922687e2c07e85231cc22e1265c57d3b24cf11d |
C:\Users\Admin\AppData\Local\Temp\PvjBg.au3
| Hash | Value |
|---|---|
| MD5 | 0162a97ed477353bc35776a7addffd5c |
| SHA1 | 10db8fe20bbce0f10517c510ec73532cf6feb227 |
| SHA256 | 15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571 |
| SHA512 | 9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5 |
Analysis: behavioral1
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-03-28 18:26 |
| Reported | 2024-03-28 18:28 |
| Platform | win7-20240220-en |
| Max time kernel | 121s |
| Max time network | 122s |
| Command Line | |
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1948 set thread context of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\netsh.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\file.exe | "C:\Users\Admin\AppData\Local\Temp\file.exe" |
| C:\Users\Admin\AppData\Local\Temp\file.exe | "C:\Users\Admin\AppData\Local\Temp\file.exe" --cp |
| C:\Windows\SysWOW64\netsh.exe | C:\Windows\SysWOW64\netsh.exe |
| C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 |
Network
Files
C:\Users\Admin\AppData\Local\Temp\8d2ed39b
| Hash | Value |
|---|---|
| MD5 | 2094ddc2476788a39de6be04d3420c25 |
| SHA1 | cd76e5863f694f2d9f2c4dd2491dbd9de3989b18 |
| SHA256 | 1550fbc51c842e8fe98e7f7046bd1672c5fa5f46807228d4cc457331e4e56a86 |
| SHA512 | 13901c88de3fd492dddb7c2b4c7286d43e9b26904b0275f5acee97dcf1167f20092b87ddb4d34832a2ef7efbe4c7b5c949e38a57aa4ad39db9b43118ac31f343 |
C:\Users\Admin\AppData\Local\Temp\8f67dd8e
| Hash | Value |
|---|---|
| MD5 | 5898a859276adeecdc0bd9d481490673 |
| SHA1 | 3ce7ce18322952895f7bdbe9d8755a037efa82d6 |
| SHA256 | 058821c67ad5aa7960f3bee493aca6950be4b191a38321d60c2e9740a4b7587b |
| SHA512 | 0536c4440313fe0faf339fcde577219f7feba41810fec4c5d91b7d8466b512a9fdbacc327a5a61ae3822a18c10c5c42bcb97f3b25f5e00588521ee8130ce0f9a |
\Users\Admin\AppData\Local\Temp\PvjBg.au3
| Hash | Value |
|---|---|
| MD5 | 0162a97ed477353bc35776a7addffd5c |
| SHA1 | 10db8fe20bbce0f10517c510ec73532cf6feb227 |
| SHA256 | 15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571 |
| SHA512 | 9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5 |