Analysis Overview
SHA256
232a8606f4d7885ad9cb2f57955513d675ed62cb5628c965eb91b61fe2c9f249
Threat Level: Known bad
The file 232a8606f4d7885ad9cb2f57955513d675ed62cb5628c965eb91b61fe2c9f249 was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Redline family
RedLine
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
RedLine payload
Detect rhadamanthys stealer shellcode
Loads dropped DLL
Checks computer location settings
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 13:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 13:13
Reported
2024-11-04 13:16
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1868 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1868 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1868 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1868 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe
"C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgAwAA==
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 9ii9pjl0v4awm4ciltxmu.ef2rladegyuudeh88cbnkuvm0n | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 13:13
Reported
2024-11-04 13:16
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
147s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4280 created 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | C:\Windows\system32\taskhostw.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4280 set thread context of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\fontview.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe
"C:\Users\Admin\AppData\Local\Temp\8c1f6cb3d4124612705c2b607a07de101ac025a9a969fe4f8076361d63ddd0d4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgAwAA==
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4280 -ip 4280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4280 -ip 4280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 972
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9ii9pjl0v4awm4ciltxmu.ef2rladegyuudeh88cbnkuvm0n | udp |
| DE | 5.75.172.247:11969 | N/A | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| DE | 5.75.172.247:11969 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 5.75.172.247:11969 | N/A | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 5.75.172.247:11969 | N/A | tcp |
| DE | 5.75.172.247:11969 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wmdqm50x.trl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\241164281.dll
| MD5 | 2303afbb371daf8ea5b5a4e231773781 |
| SHA1 | a0956adc94c9cce4a2aeb399328accde1b1326c6 |
| SHA256 | efdb9aa53580c9f3a8200e1a401d1c63c9e3a29a046857f6b89be0a64c2a1a31 |
| SHA512 | 9aab7c7b55d507f28e688c5b8a41811069efb8d35bfbd92de0ffd86e1ceca2e5e681b5c85d51abd139a19f9c48f7a14c5b7e4b7ed540bd5d4a574c7d34d5857f |