Analysis Overview
SHA256
d98832bfc040c10d3000a9afc90ec9f8d9adcfc12ad45bc6baabfa26f760d97b
Threat Level: Known bad
The file Installer.zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Loads dropped DLL
Suspicious use of SetThreadContext
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-30 16:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-30 16:10
Reported
2024-09-30 16:13
Platform
win7-20240708-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"
Network
Files
memory/752-1-0x0000000076670000-0x0000000076731000-memory.dmp
memory/752-0-0x00000000777E0000-0x00000000778B6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-30 16:10
Reported
2024-09-30 16:13
Platform
win10v2004-20240802-en
Max time kernel
90s
Max time network
140s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4364 created 2116 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | C:\Windows\system32\sihost.exe |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4868 set thread context of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4364 -ip 4364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4364 -ip 4364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 440
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/4868-6-0x0000000077A51000-0x0000000077B71000-memory.dmp
C:\Users\Admin\AppData\Roaming\msvcp110.dll
| Hash | Value |
|---|---|
| MD5 | 351c51206a136e8e3224579b50d5ff3c |
| SHA1 | 8683cef48ad78e150dfb290c65188f4b9a5100a8 |
| SHA256 | a14e7251adaa163f527e4f45471b4649af25856ecce2f90d2544e69773b69a8a |
| SHA512 | 53e9e6c02d0f7370ca0743783b933936825ea7a690aaf40c64a0b2b6f7983dd196053c06c94470eac11f6ede50204c80d448edf42877722936338cfc98122b5d |
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-30 16:10
Reported
2024-09-30 16:13
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Installer\msvcp140.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-30 16:10
Reported
2024-09-30 16:13
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Installer\msvcp140.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |