Analysis Overview
SHA256
f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
Threat Level: Known bad
The file mysetup.exe was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-29 04:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-29 04:44
Reported
2024-03-29 04:51
Platform
win7-20240220-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\mysetup.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\mysetup.exe
"C:\Users\Admin\AppData\Local\Temp\mysetup.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 508
Network
Files
memory/2252-0-0x00000000011B0000-0x000000000121E000-memory.dmp
memory/2252-1-0x0000000074900000-0x0000000074FEE000-memory.dmp
memory/2252-2-0x0000000000980000-0x00000000009C0000-memory.dmp
memory/2540-5-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2540-8-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2252-7-0x0000000002620000-0x0000000004620000-memory.dmp
memory/2540-10-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2540-11-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2540-12-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2540-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2540-6-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2252-14-0x0000000074900000-0x0000000074FEE000-memory.dmp
memory/2252-15-0x0000000000980000-0x00000000009C0000-memory.dmp
memory/2252-16-0x0000000002620000-0x0000000004620000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-29 04:44
Reported
2024-03-29 04:50
Platform
win10v2004-20240226-en
Max time kernel
300s
Max time network
302s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2340 created 2836 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1328 set thread context of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\mysetup.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\mysetup.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\mysetup.exe
"C:\Users\Admin\AppData\Local\Temp\mysetup.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1328 -ip 1328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 868
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2340 -ip 2340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2340 -ip 2340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 596
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/1328-0-0x0000000000E90000-0x0000000000EFE000-memory.dmp
memory/1328-1-0x0000000075380000-0x0000000075B30000-memory.dmp
memory/1328-2-0x0000000005930000-0x0000000005940000-memory.dmp
memory/2340-5-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2340-8-0x0000000000400000-0x000000000046D000-memory.dmp
memory/1328-9-0x0000000003330000-0x0000000005330000-memory.dmp
memory/2340-10-0x0000000000400000-0x000000000046D000-memory.dmp
memory/1328-11-0x0000000075380000-0x0000000075B30000-memory.dmp
memory/2340-12-0x00000000039B0000-0x0000000003DB0000-memory.dmp
memory/2340-14-0x00000000039B0000-0x0000000003DB0000-memory.dmp
memory/2340-13-0x00000000039B0000-0x0000000003DB0000-memory.dmp
memory/2340-15-0x00007FFAC4D10000-0x00007FFAC4F05000-memory.dmp
memory/2340-16-0x00000000039B0000-0x0000000003DB0000-memory.dmp
memory/3096-19-0x0000000000660000-0x0000000000669000-memory.dmp
memory/2340-18-0x0000000076170000-0x0000000076385000-memory.dmp
memory/3096-22-0x0000000002330000-0x0000000002730000-memory.dmp
memory/3096-24-0x0000000002330000-0x0000000002730000-memory.dmp
memory/3096-23-0x00007FFAC4D10000-0x00007FFAC4F05000-memory.dmp
memory/3096-26-0x0000000076170000-0x0000000076385000-memory.dmp
memory/2340-27-0x00000000039B0000-0x0000000003DB0000-memory.dmp
memory/3096-28-0x0000000002330000-0x0000000002730000-memory.dmp