Analysis Overview
SHA256
eb18696d0081fd9e7a30b94f6e7d4bd7e3f02f9476d25a23f5cbc00659b25f5f
Threat Level: Known bad
The file eb18696d0081fd9e7a30b94f6e7d4bd7e3f02f9476d25a23f5cbc00659b25f5f was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Suspicious use of NtCreateThreadExHideFromDebugger
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 04:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 04:08
Reported
2024-05-29 04:11
Platform
win7-20240215-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2448 created 1124 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\Explorer.EXE |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\eb18696d0081fd9e7a30b94f6e7d4bd7e3f02f9476d25a23f5cbc00659b25f5f.dll |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\eb18696d0081fd9e7a30b94f6e7d4bd7e3f02f9476d25a23f5cbc00659b25f5f.dll |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\SysWOW64\regsvr32.exe" |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
Network
Files
memory/2304-0-0x0000000010000000-0x00000000102FE000-memory.dmp
memory/2304-18-0x0000000010000000-0x00000000102FE000-memory.dmp
memory/2448-19-0x0000000000130000-0x000000000019D000-memory.dmp
memory/2304-17-0x00000000102CF000-0x00000000102F8000-memory.dmp
memory/2304-16-0x00000000102CB000-0x00000000102F8000-memory.dmp
memory/2304-15-0x00000000102C6000-0x00000000102CA000-memory.dmp
memory/2304-14-0x00000000102C3000-0x00000000102C7000-memory.dmp
memory/2304-13-0x00000000102C0000-0x00000000102C7000-memory.dmp
memory/2304-12-0x00000000102B8000-0x00000000102C0000-memory.dmp
memory/2448-11-0x0000000000130000-0x000000000019D000-memory.dmp
memory/2448-10-0x0000000000130000-0x000000000019D000-memory.dmp
memory/2304-9-0x0000000010004000-0x000000001001E000-memory.dmp
memory/2448-7-0x00000000000D0000-0x00000000000D1000-memory.dmp
memory/2448-5-0x00000000000D0000-0x00000000000D1000-memory.dmp
memory/2448-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2448-1-0x0000000000130000-0x000000000019D000-memory.dmp
memory/2448-20-0x0000000003530000-0x0000000003930000-memory.dmp
memory/2448-21-0x0000000003530000-0x0000000003930000-memory.dmp
memory/2448-23-0x0000000076990000-0x00000000769D7000-memory.dmp
memory/2568-24-0x0000000000080000-0x0000000000089000-memory.dmp
memory/2568-26-0x0000000001EA0000-0x00000000022A0000-memory.dmp
memory/2568-29-0x0000000076990000-0x00000000769D7000-memory.dmp
memory/2568-27-0x0000000077400000-0x00000000775A9000-memory.dmp
memory/2304-30-0x0000000010000000-0x00000000102FE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 04:08
Reported
2024-05-29 04:11
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4528 created 2520 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\sihost.exe |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\eb18696d0081fd9e7a30b94f6e7d4bd7e3f02f9476d25a23f5cbc00659b25f5f.dll |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\eb18696d0081fd9e7a30b94f6e7d4bd7e3f02f9476d25a23f5cbc00659b25f5f.dll |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\SysWOW64\regsvr32.exe" |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4528 -ip 4528 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 628 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4528 -ip 4528 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 636 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
memory/2392-0-0x0000000010000000-0x00000000102FE000-memory.dmp
memory/2392-2-0x0000000010000000-0x00000000102FE000-memory.dmp
memory/2392-1-0x0000000010004000-0x000000001001E000-memory.dmp
memory/4528-6-0x0000000000CF0000-0x0000000000D5D000-memory.dmp
memory/4528-3-0x0000000000C80000-0x0000000000C81000-memory.dmp
memory/2392-5-0x0000000010000000-0x00000000102FE000-memory.dmp
memory/4528-12-0x0000000000CF0000-0x0000000000D5D000-memory.dmp
memory/2392-11-0x00000000102CB000-0x00000000102F8000-memory.dmp
memory/2392-10-0x00000000102C6000-0x00000000102CA000-memory.dmp
memory/2392-9-0x0000000010000000-0x00000000102FE000-memory.dmp
memory/2392-8-0x00000000102C0000-0x00000000102C7000-memory.dmp
memory/4528-7-0x0000000000CF0000-0x0000000000D5D000-memory.dmp
memory/4528-13-0x0000000003D80000-0x0000000004180000-memory.dmp
memory/4528-14-0x0000000003D80000-0x0000000004180000-memory.dmp
memory/4528-15-0x0000000003D80000-0x0000000004180000-memory.dmp
memory/4528-17-0x0000000003D80000-0x0000000004180000-memory.dmp
memory/4528-16-0x00007FFD607D0000-0x00007FFD609C5000-memory.dmp
memory/4528-19-0x0000000076C90000-0x0000000076EA5000-memory.dmp
memory/4668-20-0x0000000000690000-0x0000000000699000-memory.dmp
memory/4668-27-0x00000000024D0000-0x00000000028D0000-memory.dmp
memory/4668-24-0x00000000024D0000-0x00000000028D0000-memory.dmp
memory/4668-26-0x0000000076C90000-0x0000000076EA5000-memory.dmp
memory/4668-23-0x00007FFD607D0000-0x00007FFD609C5000-memory.dmp
memory/4668-22-0x00000000024D0000-0x00000000028D0000-memory.dmp
memory/4668-28-0x00000000024D0000-0x00000000028D0000-memory.dmp
memory/4528-29-0x0000000003D80000-0x0000000004180000-memory.dmp
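Two of the raw listings in this report are easier to work with once parsed. The Domain column of the behavioral2 Network table holds PTR query names, which encode the IPv4 address being looked up with its octets reversed (13.86.106.20.in-addr.arpa asks about 20.106.86.13). The file names in the Files sections carry a PID, a dump sequence number and an address range, so repeated dumps of one region can be collapsed and regions compared across processes. The Python below is an added example written for this page; it is not part of the sandbox's report or tooling. The sample lines are copied from the behavioral2 listings above (a constructed subset), and the same-size-across-PIDs heuristic is this example's own assumption, not a sandbox finding.

```python
"""Parse the raw listings of a sandbox report: PTR query names back to IPv4
addresses, and memory dump file names into PID-keyed address ranges.
Added example for this page; not the sandbox's own code."""
import re
from collections import defaultdict

# Constructed input: PTR names copied from the behavioral2 Network table.
PTR_QUERIES = [
    "8.8.8.8.in-addr.arpa",
    "13.86.106.20.in-addr.arpa",
    "240.221.184.93.in-addr.arpa",
    "76.32.126.40.in-addr.arpa",
]

# Constructed input: a subset of the behavioral2 Files listing. 4528-13 and
# 4528-14 are two dumps of the same region, as in the report.
DUMP_NAMES = [
    "memory/2392-0-0x0000000010000000-0x00000000102FE000-memory.dmp",
    "memory/4528-6-0x0000000000CF0000-0x0000000000D5D000-memory.dmp",
    "memory/4528-13-0x0000000003D80000-0x0000000004180000-memory.dmp",
    "memory/4528-14-0x0000000003D80000-0x0000000004180000-memory.dmp",
    "memory/4528-16-0x00007FFD607D0000-0x00007FFD609C5000-memory.dmp",
    "memory/4528-19-0x0000000076C90000-0x0000000076EA5000-memory.dmp",
    "memory/4668-20-0x0000000000690000-0x0000000000699000-memory.dmp",
    "memory/4668-23-0x00007FFD607D0000-0x00007FFD609C5000-memory.dmp",
    "memory/4668-26-0x0000000076C90000-0x0000000076EA5000-memory.dmp",
    "memory/4668-27-0x00000000024D0000-0x00000000028D0000-memory.dmp",
]

IN_ADDR_SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name: str) -> str:
    """'A.B.C.D.in-addr.arpa' is the reverse-lookup name for D.C.B.A."""
    if not name.endswith(IN_ADDR_SUFFIX):
        raise ValueError(f"not an in-addr.arpa name: {name}")
    labels = name[: -len(IN_ADDR_SUFFIX)].split(".")
    if len(labels) != 4 or not all(lab.isdigit() and int(lab) <= 255 for lab in labels):
        raise ValueError(f"malformed in-addr.arpa name: {name}")
    return ".".join(reversed(labels))


def decode_ptr_queries(names):
    """Map each PTR query name in the Network table to the address it asks about."""
    return {n: ptr_name_to_ip(n) for n in names}


# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as named in the Files sections.
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name: str) -> dict:
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """Distinct (start, end) regions per PID; repeated dumps of one region collapse."""
    out = defaultdict(dict)
    for n in names:
        r = parse_dump_name(n)
        out[r["pid"]].setdefault((r["start"], r["end"]), r)
    return {pid: sorted(regs.values(), key=lambda r: r["start"]) for pid, regs in out.items()}


def shared_size_regions(names):
    """Regions of identical size dumped from more than one PID.

    Heuristic (this example's assumption): after a WriteProcessMemory signature,
    an equal-size region at different addresses in the writer and in another
    process is the first pair of dumps worth diffing. An equal-size region at
    the same address in both is usually a shared mapping, not a copy."""
    by_size = defaultdict(set)
    for pid, regs in regions_by_pid(names).items():
        for r in regs:
            by_size[r["size"]].add((pid, r["start"]))
    hits = []
    for size, locs in sorted(by_size.items()):
        if len({pid for pid, _ in locs}) < 2:
            continue
        same_address = len({start for _, start in locs}) == 1
        hits.append({"size": size, "same_address": same_address, "locations": sorted(locs)})
    return hits


if __name__ == "__main__":
    for query, ip in decode_ptr_queries(PTR_QUERIES).items():
        print(f"{query:32} -> {ip}")
    for hit in shared_size_regions(DUMP_NAMES):
        kind = "shared mapping?" if hit["same_address"] else "relocated copy?"
        locs = ", ".join(f"{pid}@0x{start:X}" for pid, start in hit["locations"])
        print(f"size 0x{hit['size']:X}: {locs}  ({kind})")
```

On the behavioral2 subset this reports one 0x400000-byte region present at different addresses in 4528 (the PID the WerFault command lines and the parent-spoofing signature tie to SysWOW64\regsvr32.exe) and in 4668, and two equal-size regions at the same address in both PIDs. The first is a lead to confirm by comparing the two dumps; the latter two look like mappings both processes share and say nothing about injection on their own.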