Analysis Overview
SHA256
0777bba437bc66725d3e00f17810a1dee973fef63808d3d14aa046503a5589a6
Threat Level: Known bad
The file launcher.exe was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-26 16:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-26 15:59
Reported
2024-09-26 16:00
Platform
win11-20240802-en
Max time kernel
10s
Max time network
10s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1844 created 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe | C:\Windows\system32\sihost.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe"
C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe
C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
Files
memory/4912-1-0x00007FFC7A1B3000-0x00007FFC7A1B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfofxboo.pfs.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4912-10-0x00000194611C0000-0x00000194611E2000-memory.dmp
memory/4912-11-0x00007FFC7A1B0000-0x00007FFC7AC72000-memory.dmp
memory/4912-12-0x00007FFC7A1B0000-0x00007FFC7AC72000-memory.dmp
memory/4912-13-0x00007FFC7A1B0000-0x00007FFC7AC72000-memory.dmp
memory/4912-16-0x00007FFC7A1B0000-0x00007FFC7AC72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aTOiYXjO8s.exe
| MD5 | ec96e65299b7639d4aa60dd315acad80 |
| SHA1 | 7196b8eb744f769810b390c02371872d11c33bbd |
| SHA256 | c1df546782a82cb03e27ccfea0002f304c56bb26b3fc3d9d8e76ff7c7f61e529 |
| SHA512 | db187aedfc8046e2c3e8c49ad7e3741b56c4280e6ea0017835dc2f0121234f69ae9a24fd5a4eab19f8f3682f0d47279b3441aedb331cdb54a38951ac5626c883 |
memory/1844-22-0x0000000000400000-0x00000000007D8000-memory.dmp
memory/1844-23-0x0000000000400000-0x00000000007D8000-memory.dmp
memory/1844-26-0x0000000003730000-0x0000000003B30000-memory.dmp
memory/1844-27-0x0000000003730000-0x0000000003B30000-memory.dmp
memory/1844-28-0x00007FFC9B000000-0x00007FFC9B209000-memory.dmp
memory/1844-30-0x0000000075F50000-0x00000000761A2000-memory.dmp
memory/2252-31-0x0000000000D90000-0x0000000000D99000-memory.dmp
memory/2252-34-0x0000000002D90000-0x0000000003190000-memory.dmp
memory/1844-33-0x0000000000400000-0x00000000007D8000-memory.dmp
memory/2252-35-0x00007FFC9B000000-0x00007FFC9B209000-memory.dmp
memory/2252-37-0x0000000075F50000-0x00000000761A2000-memory.dmp