Analysis Overview
SHA256
f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499
Threat Level: Known bad
The file f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 21:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 21:58
Reported
2024-10-13 22:01
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1740 created 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\Explorer.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | "C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe" |
| C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | "C:\Users\Admin\AppData\Local\Temp\Eclipse.exe" |
| C:\Users\Admin\AppData\Local\Temp\main.exe | "C:\Users\Admin\AppData\Local\Temp\main.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 628 |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
Network
Files
memory/2916-37-0x0000000077050000-0x0000000077097000-memory.dmp
memory/2916-35-0x0000000077B30000-0x0000000077CD9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main.exe
| MD5 | e1e28c3acf184aa364c9ed9a30ab7289 |
| SHA1 | 1a173a6f4ec39fe467f1b4b91c9fad794167ac1c |
| SHA256 | 03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306 |
| SHA512 | e8d38c9a144b7f4531e617de45dc240042a7b9ce7dd5766eb2f763b505d9786acccf54f3a03ff3639c36c957e2d14d34b5b59196170eb1b6b5f17e8a417d6991 |
memory/2916-33-0x0000000000880000-0x0000000000C80000-memory.dmp
memory/1740-31-0x00000000013B0000-0x0000000001438000-memory.dmp
memory/2916-30-0x0000000000080000-0x0000000000089000-memory.dmp
memory/1740-29-0x0000000077050000-0x0000000077097000-memory.dmp
memory/1740-27-0x0000000077B30000-0x0000000077CD9000-memory.dmp
memory/1740-26-0x00000000009C0000-0x0000000000DC0000-memory.dmp
memory/1740-25-0x00000000009C0000-0x0000000000DC0000-memory.dmp
\Users\Admin\AppData\Local\Temp\Eclipse.exe
| MD5 | e1990fe52ec2c952b28350a8f1c1689e |
| SHA1 | 2fd088c787de7573337cb533d275d8d9fb56c644 |
| SHA256 | a5f5d652e2682b0162924b23b509bace21566526b6ac0d44e2a273e3a77440f4 |
| SHA512 | e41f4561a6dd4ed3335f92f2b87e8abeab1042c78e6333496ff7240a705093710f6b7328abd98592aaf8728cc5733f3e49b6dc8762056e7f4b3cb98a1d7d66e0 |
memory/2544-19-0x00000000000D0000-0x0000000000BF6000-memory.dmp
memory/1740-18-0x00000000013B0000-0x0000000001438000-memory.dmp
memory/3056-16-0x0000000000400000-0x0000000000F9C000-memory.dmp
memory/3056-10-0x0000000002AE0000-0x0000000002B68000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 21:58
Reported
2024-10-13 22:01
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
97s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2992 created 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\system32\sihost.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | "C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe" |
| C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | "C:\Users\Admin\AppData\Local\Temp\Eclipse.exe" |
| C:\Users\Admin\AppData\Local\Temp\main.exe | "C:\Users\Admin\AppData\Local\Temp\main.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3472 -ip 3472 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1076 |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
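Both detonations show the same pattern: main.exe triggers the NtCreateUserProcessOtherParentProcess signature, and dialer.exe then appears as a child of Explorer.EXE (Win7) or sihost.exe (Win10) with an image path under SysWOW64 while its command line asked for system32. The script below is an added example, not part of the sandbox report, showing how a detection engineer can turn that inconsistency into a parent-PID spoofing check over process-creation records. It assumes (not stated on the page) that both sandbox platforms are 64-bit Windows, so WOW64 file-system redirection can only have come from a 32-bit creator, not from the 64-bit explorer.exe or sihost.exe recorded as parent. The process trees are constructed from the report: PIDs found in the signature rows, WerFault command lines and memory-dump names are reused, but which process each belongs to is inferred, and the parent links and the benign notepad.exe control row are assumed.

```python
"""Heuristic detector for parent-PID (PPID) spoofing in process-creation records.

Added example, not code from the sandbox report. Assumption: 64-bit Windows.
WOW64 file-system redirection applies only to 32-bit callers, so a child whose
command line names C:\\Windows\\system32\\X.exe but whose mapped image is
C:\\Windows\\SysWOW64\\X.exe was launched by a 32-bit process. If the recorded
parent is a native 64-bit system process (explorer.exe, sihost.exe), the
parent field was forged, which is what NtCreateUserProcessOtherParentProcess
(the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS trick) produces.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int       # parent as recorded by the OS (the spoofed value, if any)
    image: str      # image actually mapped (e.g. Sysmon Event 1 "Image")
    cmdline: str    # command line as passed to CreateProcess


# Native 64-bit system processes that never run under WOW64 on 64-bit Windows.
NATIVE_64BIT_PARENTS = {"explorer.exe", "sihost.exe"}

SYS32 = "c:\\windows\\system32\\"
WOW64 = "c:\\windows\\syswow64\\"


def _norm(path: str) -> str:
    return path.strip('"').replace("/", "\\").lower()


def _base(path: str) -> str:
    return ntpath.basename(_norm(path))


def _first_token(cmdline: str) -> str:
    """Return the executable portion of a command line, honouring quotes."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_wow64_redirected(ev: ProcEvent) -> bool:
    """True when system32\\X was requested but SysWOW64\\X was mapped."""
    img = _norm(ev.image)
    asked = _norm(_first_token(ev.cmdline))
    return (img.startswith(WOW64) and asked.startswith(SYS32)
            and _base(img) == _base(asked))


def find_ppid_spoofing(events):
    """Return (child_pid, child_image, ppid, parent_image) for suspect children."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        if is_wow64_redirected(ev) and _base(parent.image) in NATIVE_64BIT_PARENTS:
            hits.append((ev.pid, _base(ev.image), ev.ppid, _base(parent.image)))
    return hits


# Constructed process trees modelled on the two detonations. PIDs are taken from
# the report where they appear; parent links and the notepad.exe row are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

WIN7_EVENTS = [
    ProcEvent(1192, 4, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(3056, 1192, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2544, 3056, TEMP + r"\Eclipse.exe", f'"{TEMP}\\Eclipse.exe"'),
    ProcEvent(1740, 3056, TEMP + r"\main.exe", f'"{TEMP}\\main.exe"'),
    # WerFault for the crashed Eclipse.exe: SysWOW64 on disk and on the command
    # line alike, so no redirection is inferred.
    ProcEvent(2700, 2544, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 628"),
    # dialer.exe: asked for system32, got SysWOW64, parent claims to be Explorer.
    ProcEvent(2916, 1192, r"C:\Windows\SysWOW64\dialer.exe",
              r'"C:\Windows\system32\dialer.exe"'),
    # Benign control: a real 64-bit child of Explorer maps the system32 image.
    ProcEvent(600, 1192, r"C:\Windows\system32\notepad.exe",
              r"C:\Windows\system32\notepad.exe"),
]

WIN10_EVENTS = [
    ProcEvent(3044, 4, r"C:\Windows\system32\sihost.exe", "sihost.exe"),
    ProcEvent(4356, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3472, 4356, TEMP + r"\Eclipse.exe", f'"{TEMP}\\Eclipse.exe"'),
    ProcEvent(2992, 4356, TEMP + r"\main.exe", f'"{TEMP}\\main.exe"'),
    ProcEvent(116, 3044, r"C:\Windows\SysWOW64\dialer.exe",
              r'"C:\Windows\system32\dialer.exe"'),
]

if __name__ == "__main__":
    for name, evs in (("win7", WIN7_EVENTS), ("win10", WIN10_EVENTS)):
        for pid, img, ppid, pimg in find_ppid_spoofing(evs):
            print(f"{name}: PID {pid} ({img}) claims parent {ppid} ({pimg}) "
                  "but was launched through WOW64 redirection")
```

The heuristic is deliberately narrow: it only fires when a 32-bit spoofer launches a system32 binary by its system32 path. A 64-bit loader, or one that names SysWOW64 explicitly, will not produce the mismatch, so pair it with a plain rule that alerts on dialer.exe (or any unusual LOLBin) spawned directly by sihost.exe or explorer.exe, which has no legitimate reason to happen on a workstation.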
Network
The only traffic recorded in the 97 s network window is reverse-DNS (PTR) lookups to 8.8.8.8 and a 443/tcp connection to g.bing.com, which is ordinary Windows 10 background activity; no traffic attributable to a Rhadamanthys C2 was captured in this run.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Eclipse.exe
| MD5 | e1990fe52ec2c952b28350a8f1c1689e |
| SHA1 | 2fd088c787de7573337cb533d275d8d9fb56c644 |
| SHA256 | a5f5d652e2682b0162924b23b509bace21566526b6ac0d44e2a273e3a77440f4 |
| SHA512 | e41f4561a6dd4ed3335f92f2b87e8abeab1042c78e6333496ff7240a705093710f6b7328abd98592aaf8728cc5733f3e49b6dc8762056e7f4b3cb98a1d7d66e0 |
memory/3472-14-0x000000007388E000-0x000000007388F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main.exe
| MD5 | e1e28c3acf184aa364c9ed9a30ab7289 |
| SHA1 | 1a173a6f4ec39fe467f1b4b91c9fad794167ac1c |
| SHA256 | 03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306 |
| SHA512 | e8d38c9a144b7f4531e617de45dc240042a7b9ce7dd5766eb2f763b505d9786acccf54f3a03ff3639c36c957e2d14d34b5b59196170eb1b6b5f17e8a417d6991 |
memory/2992-23-0x0000000000880000-0x0000000000908000-memory.dmp
memory/4356-24-0x0000000000400000-0x0000000000F9C000-memory.dmp
memory/3472-25-0x0000000000BF0000-0x0000000001716000-memory.dmp
memory/3472-26-0x00000000060D0000-0x000000000616C000-memory.dmp
memory/3472-27-0x0000000006720000-0x0000000006CC4000-memory.dmp
memory/3472-28-0x0000000006210000-0x00000000062A2000-memory.dmp
memory/3472-29-0x00000000061C0000-0x00000000061CA000-memory.dmp
memory/3472-31-0x0000000073880000-0x0000000074030000-memory.dmp
memory/3472-30-0x0000000006430000-0x0000000006486000-memory.dmp
memory/3472-32-0x0000000073880000-0x0000000074030000-memory.dmp
memory/2992-33-0x0000000003990000-0x0000000003D90000-memory.dmp
memory/2992-37-0x0000000003990000-0x0000000003D90000-memory.dmp
memory/2992-36-0x00007FFA668F0000-0x00007FFA66AE5000-memory.dmp
memory/2992-35-0x0000000003990000-0x0000000003D90000-memory.dmp
memory/2992-34-0x0000000003990000-0x0000000003D90000-memory.dmp
memory/2992-39-0x00000000754B0000-0x00000000756C5000-memory.dmp
memory/116-40-0x0000000000520000-0x0000000000529000-memory.dmp
memory/2992-41-0x0000000000880000-0x0000000000908000-memory.dmp
memory/116-43-0x00000000023E0000-0x00000000027E0000-memory.dmp
memory/116-44-0x00007FFA668F0000-0x00007FFA66AE5000-memory.dmp
memory/116-46-0x00000000754B0000-0x00000000756C5000-memory.dmp