Analysis Overview
SHA256
f4e3d73eac0f751a9d519e5a8eaff679837413c069a8f0a614d2792d899e44c3
Threat Level: Known bad
The file Setup.zip was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Executes dropped EXE
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-14 14:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-14 14:11
Reported
2024-10-14 14:12
Platform
win7-20240708-en
Max time kernel
17s
Max time network
16s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1992 created 1184 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Explorer.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zOC69477F6\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zOC690C807\setup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2180 set thread context of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\7zOC69477F6\setup.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2668 set thread context of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\7zOC690C807\setup.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zOC69477F6\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zOC690C807\setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Program Files\7-Zip\7zFM.exe | "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setup.zip" |
| C:\Users\Admin\AppData\Local\Temp\7zOC69477F6\setup.exe | "C:\Users\Admin\AppData\Local\Temp\7zOC69477F6\setup.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zOC690C807\setup.exe | "C:\Users\Admin\AppData\Local\Temp\7zOC690C807\setup.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zOC69477F6\setup.exe
| Hash | Value |
|---|---|
| MD5 | afb79f1d95495834c928ccffcf8f4e5e |
| SHA1 | c0ffe0908b25d5de8428a198ef0d1e6c475c99c0 |
| SHA256 | b0f1b0fdf69a3465c8fa29905a4ae69e4d28d9e916619f6034787a9d684db796 |
| SHA512 | 55f566cf6624e7f542875cdb7565f4d12b8b05b6a7d6e31a02de83a212cbde9de33c0d41a80dba5397a77a326919306f6edfd884ae8b7f277a855703b672ecfa |
memory/2180-12-0x0000000000B00000-0x0000000000B72000-memory.dmp
memory/1992-27-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1992-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1992-24-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1992-22-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1992-20-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1992-15-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1992-18-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1992-30-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1992-16-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1992-28-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1992-31-0x00000000033B0000-0x00000000037B0000-memory.dmp
memory/1992-32-0x00000000033B0000-0x00000000037B0000-memory.dmp
memory/1992-35-0x0000000076D00000-0x0000000076D47000-memory.dmp
memory/2740-36-0x0000000000080000-0x0000000000089000-memory.dmp
memory/1992-33-0x00000000772F0000-0x0000000077499000-memory.dmp
memory/2740-38-0x0000000001C80000-0x0000000002080000-memory.dmp
memory/2740-39-0x00000000772F0000-0x0000000077499000-memory.dmp
memory/2740-41-0x0000000076D00000-0x0000000076D47000-memory.dmp
memory/2668-54-0x0000000000AB0000-0x0000000000B22000-memory.dmp
memory/1288-72-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1288-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1288-74-0x00000000036B0000-0x0000000003AB0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-14 14:11
Reported
2024-10-14 14:14
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
| Image | Command line |
|---|---|
| C:\Program Files\7-Zip\7zFM.exe | "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setup.zip" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |