Analysis Overview
SHA256
b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9
Threat Level: Known bad
The file b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9 was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 02:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 02:03
Reported
2024-10-25 02:09
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Rhadamanthys
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9.exe
"C:\Users\Admin\AppData\Local\Temp\b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9.exe"
C:\Users\Admin\AppData\Local\Temp\b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9.exe
"C:\Users\Admin\AppData\Local\Temp\b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9.exe"
Network
Files
memory/2376-0-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/2376-1-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/2376-2-0x0000000000409000-0x0000000000422000-memory.dmp
memory/2376-4-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/2376-7-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/2376-6-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/2376-3-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/3064-12-0x00000000001B0000-0x000000000022E000-memory.dmp
memory/2376-16-0x0000000000409000-0x0000000000422000-memory.dmp
memory/2376-19-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/3064-20-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/3064-18-0x00000000001B0000-0x000000000022E000-memory.dmp
memory/2376-13-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/3064-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3064-8-0x00000000001B0000-0x000000000022E000-memory.dmp
memory/3064-21-0x00000000001B0000-0x000000000022E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 02:03
Reported
2024-10-25 02:09
Platform
win10-20240404-en
Max time kernel
196s
Max time network
257s
Command Line
Signatures
Rhadamanthys
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9.exe
"C:\Users\Admin\AppData\Local\Temp\b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9.exe"
C:\Users\Admin\AppData\Local\Temp\b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9.exe
"C:\Users\Admin\AppData\Local\Temp\b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
Files
memory/4212-4-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/4212-6-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/4212-11-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/1152-17-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/4212-16-0x0000000000676000-0x0000000000682000-memory.dmp
memory/4212-15-0x0000000000670000-0x0000000000677000-memory.dmp
memory/1152-13-0x00000000006F0000-0x000000000076E000-memory.dmp
memory/1152-12-0x00000000006F0000-0x000000000076E000-memory.dmp
memory/4212-10-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/1152-8-0x00000000006F0000-0x000000000076E000-memory.dmp
memory/4212-7-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/4212-5-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/4212-2-0x0000000000409000-0x0000000000422000-memory.dmp
memory/4212-0-0x0000000000400000-0x00000000006E1000-memory.dmp
memory/1152-18-0x00000000006F0000-0x000000000076E000-memory.dmp