Analysis
  max time kernel:  142s
  max time network: 158s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240226-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        05-04-2024 04:16
Static task
  static1: 1 signatures

Behavioral task
  behavioral1
    Sample:   tmp.exe
    Resource: win7-20231129-en
    6 signatures, 150 seconds

Behavioral task
  behavioral2
    Sample:   tmp.exe
    Resource: win10v2004-20240226-en
    6 signatures, 150 seconds
General
  Target: tmp.exe
  Size:   444KB
  MD5:    a067c2e81ba8dfd1561aa823fd3239b3
  SHA1:   08263f5e2a206bceeb91ed7ec071e1a96794e442
  SHA256: 9d380a3292854ec2522aeef19e219ca54317569a7ef9bf0cf2d48c39d58af05c
  SHA512: f6808ff48d8d9a15344968e320e112ec784bccacac5282b48da287ce89363b79bd6151880cd4b46605401e434039618b5dd1bb42289adde906289295a1ed11c2
  SSDEEP: 12288:Dr8pdFOvnlmRxBXjhfDnf0HfO6Ix02mPc+Trr:DrpnlmRxBXNfDf50lZj
  Score:  10/10
Malware Config
Signatures
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description              pid   process     target process
  PID 1116 created 2652    1116  RegAsm.exe  sihost.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process  target process
  PID 1204 set thread context of 1116  1204  tmp.exe  RegAsm.exe

Program crash (3 IoCs)
Processes:
  pid   pid_target  process       target process
  3056  1116        WerFault.exe  RegAsm.exe
  4244  1204        WerFault.exe  tmp.exe
  4276  1116        WerFault.exe  RegAsm.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process
  1116  RegAsm.exe
  1116  RegAsm.exe
  3484  dialer.exe
  3484  dialer.exe
  3484  dialer.exe
  3484  dialer.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                       pid   process     target process
  PID 1204 wrote to memory of 1116  1204  tmp.exe     RegAsm.exe
  PID 1204 wrote to memory of 1116  1204  tmp.exe     RegAsm.exe
  PID 1204 wrote to memory of 1116  1204  tmp.exe     RegAsm.exe
  PID 1204 wrote to memory of 1116  1204  tmp.exe     RegAsm.exe
  PID 1204 wrote to memory of 1116  1204  tmp.exe     RegAsm.exe
  PID 1204 wrote to memory of 1116  1204  tmp.exe     RegAsm.exe
  PID 1204 wrote to memory of 1116  1204  tmp.exe     RegAsm.exe
  PID 1204 wrote to memory of 1116  1204  tmp.exe     RegAsm.exe
  PID 1204 wrote to memory of 1116  1204  tmp.exe     RegAsm.exe
  PID 1204 wrote to memory of 1116  1204  tmp.exe     RegAsm.exe
  PID 1204 wrote to memory of 1116  1204  tmp.exe     RegAsm.exe
  PID 1116 wrote to memory of 3484  1116  RegAsm.exe  dialer.exe
  PID 1116 wrote to memory of 3484  1116  RegAsm.exe  dialer.exe
  PID 1116 wrote to memory of 3484  1116  RegAsm.exe  dialer.exe
  PID 1116 wrote to memory of 3484  1116  RegAsm.exe  dialer.exe
  PID 1116 wrote to memory of 3484  1116  RegAsm.exe  dialer.exe
Processes (tree; indentation shows parent/child depth)

- C:\Windows\system32\sihost.exe (PID 2652)
  cmd: sihost.exe
  - C:\Windows\SysWOW64\dialer.exe (PID 3484)
    cmd: "C:\Windows\system32\dialer.exe"
    signatures: Suspicious behavior: EnumeratesProcesses

- C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 1204)
  cmd: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1116)
    cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 3056)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 592
      signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 4276)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 596
      signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4244)
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 868
    signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 4180)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1204 -ip 1204

- C:\Windows\SysWOW64\WerFault.exe (PID 3536)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1116 -ip 1116

- C:\Windows\SysWOW64\WerFault.exe (PID 4312)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1116 -ip 1116

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3468)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8