Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 05-04-2024 04:16
Static task: static1
- 1 signatures
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20231129-en
- 6 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20240226-en
- 6 signatures
- 150 seconds
General
- Target: tmp.exe
- Size: 444KB
- MD5: a067c2e81ba8dfd1561aa823fd3239b3
- SHA1: 08263f5e2a206bceeb91ed7ec071e1a96794e442
- SHA256: 9d380a3292854ec2522aeef19e219ca54317569a7ef9bf0cf2d48c39d58af05c
- SHA512: f6808ff48d8d9a15344968e320e112ec784bccacac5282b48da287ce89363b79bd6151880cd4b46605401e434039618b5dd1bb42289adde906289295a1ed11c2
- SSDEEP: 12288:Dr8pdFOvnlmRxBXjhfDnf0HfO6Ix02mPc+Trr:DrpnlmRxBXNfDf50lZj
Score: 10/10
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes: RegAsm.exe
    description                          pid    process      target process
    PID 860 created 1368                 860    RegAsm.exe   Explorer.EXE
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: tmp.exe
    description                          pid    process      target process
    PID 3048 set thread context of 860   3048   tmp.exe      RegAsm.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
    pid    pid_target   process        target process
    2708   3048         WerFault.exe   tmp.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: RegAsm.exe, dialer.exe
    pid    process
    860    RegAsm.exe   (2 entries)
    2636   dialer.exe   (4 entries)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: tmp.exe, RegAsm.exe
    description                          pid    process      target process
    PID 3048 wrote to memory of 860      3048   tmp.exe      RegAsm.exe     (14 entries)
    PID 3048 wrote to memory of 2708     3048   tmp.exe      WerFault.exe   (4 entries)
    PID 860 wrote to memory of 2636      860    RegAsm.exe   dialer.exe     (6 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1368
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    PID: 3048
    Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 860
      Signatures:
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 508
      PID: 2708
      Signatures:
      - Program crash
  - C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    PID: 2636
    Signatures:
    - Suspicious behavior: EnumeratesProcesses