Analysis Overview
SHA256
17ef63395dd24979aeaf6bae39cc015ab6f2c4f1a636b2f7d376428a0d072ef8
Threat Level: Known bad
The file Gatherum Installer.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Program crash
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-22 20:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-22 20:31
Reported
2024-10-22 20:36
Platform
win10-20240611-en
Max time kernel
205s
Max time network
215s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5984 created 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a\YmVhMjk2M2.exe | c:\windows\system32\sihost.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z7D7ADFC0\GatherumApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a\YmVhMjk2M2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z7D7ADFC0\GatherumApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z7D7ADFC0\GatherumApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z7D7ADFC0\GatherumApp.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Gatherum Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a\YmVhMjk2M2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| c:\windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\Gatherum Installer.exe | "C:\Users\Admin\AppData\Local\Temp\Gatherum Installer.exe" |
| C:\Users\Admin\AppData\Local\Temp\7z7D7ADFC0\GatherumApp.exe | C:\Users\Admin\AppData\Local\Temp\7z7D7ADFC0\GatherumApp.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a' |
| C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a\YmVhMjk2M2.exe | "C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a\YmVhMjk2M2.exe" |
| C:\Windows\SysWOW64\openwith.exe | "C:\Windows\system32\openwith.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 544 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 524 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 199.232.210.172:80 | | tcp |
| US | 199.232.210.172:80 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | softlandhub.com | udp |
| US | 104.21.14.82:443 | softlandhub.com | tcp |
| US | 8.8.8.8:53 | 82.14.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | arshasolutions.com | udp |
| US | 104.21.73.36:443 | arshasolutions.com | tcp |
| US | 8.8.8.8:53 | 36.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7z7D7ADFC0\PresentationNative_cor3.dll
| Hash | Value |
|---|---|
| MD5 | 274761a595f86982214221b5685b3218 |
| SHA1 | b908013028cb07fb799de2e48b6492404add6069 |
| SHA256 | 6d5910c0a0a4e3ee8863e4dadc73662d28ae9bfcda4a52960e26c1237386851a |
| SHA512 | 3f9cf3d8e428619b798374f2e2a6ef9cf4213428277a74306978552772aae1a4a9ae7247c2dc893c0054d480dda871bbd74b0bc4afd65b0f584958d501ed8867 |
C:\Users\Admin\AppData\Local\Temp\7z7D7ADFC0\wpfgfx_cor3.dll
| Hash | Value |
|---|---|
| MD5 | 627ecf139beed59b4e1b26caac8f68e4 |
| SHA1 | 9747fe073aed451c936a66f8ad112bbb1a8c31c8 |
| SHA256 | 0a01412b64e6889ace8933dd2f559d186b693aefe31e6b084e2d435b1737af39 |
| SHA512 | 25bdb740039c867ce0cc1347493cf456e32d767c898a683da1306992ae77ed3605612c804c2eae483320f18f2cd0850c17226ef21e09fe07997aa47679b6030e |
C:\Users\Admin\AppData\Local\Temp\7z7D7ADFC0\D3DCompiler_47_cor3.dll
| Hash | Value |
|---|---|
| MD5 | 03a60a6652caf4f49ea5912ce4e1b33c |
| SHA1 | a0d949d4af7b1048dc55e39d1d1260a1e0660c4f |
| SHA256 | b23e7b820ed5c6ea7dcd77817e2cd79f1cec9561d457172287ee634a8bd658c3 |
| SHA512 | 6711d40d171ea200c92d062226a69f33eb41e9232d74291ef6f0202de73cf4dc54fbdd769104d2bb3e89dc2d81f2f2f3479e4258a5d6a54c545e56b07746b4c4 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vrmnd1e0.hxs.ps1
| Hash | Value |
|---|---|
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| Hash | Value |
|---|---|
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
|---|---|
| MD5 | 1edb4bb8fa72d4bcd8afb39542243461 |
| SHA1 | 2fb6e0faef3ecab3cc974d106eef3ca3b254a3ef |
| SHA256 | 1d94abfbe7738412ba3ad528397776c16b3a8fb8a8f1c029a1c67b4670096089 |
| SHA512 | 411b190adec161ceb140d25e1601339714349392d8f04f7cb020cb95c86ac14ff0cd750b06833857323d029199d7a87696658e47830addf66e3415621fba0936 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
|---|---|
| MD5 | 38158246f5646e012bde2b94e52674b1 |
| SHA1 | 7eb69046d182ac64bff0073def6e66c0809b9e07 |
| SHA256 | e6a3a45d7b2982231aaed5a5e0288a1a767308fa43f8f72cbc2868545b7c1fa5 |
| SHA512 | b3e4e4c7eba7f42a87395a8bbf33dced21fd94872f53218bef9749995dd2fca161a8e5a1c9184ce699d04f6b6a8afa25989db1ef17cf7017a1b10c3d554006fd |
C:\Users\Admin\AppData\Local\Temp\7394928d-aa66-4658-b4e2-9cd0a7f4db9a\YmVhMjk2M2.exe
| Hash | Value |
|---|---|
| MD5 | 2e56e362d49d8e123073a038fbf91cf6 |
| SHA1 | fd5b12eda5de595deaef73ce4b04b71b8ced5c4a |
| SHA256 | ffe3fabdef8b4b0818ddf5ad4a3441792228ce57922e85ff1295903d129d6a29 |
| SHA512 | 87d3b0503c8c9adac8ec9f44c718bf67ccb68216d98ad3bfc5dbd0d1039290c9b9d4941d6c278fbfe105a20e9a4f8edab0c94c3316b03ee7b7ef218754140d35 |