Analysis
-
max time kernel
52s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
19-06-2024 04:52
General
-
Target
2024-06-19_35a4093aa84921340790cd2cca6828d0_magniber_revil.exe
-
Size
70.9MB
-
MD5
35a4093aa84921340790cd2cca6828d0
-
SHA1
ffab58b5e16e2bbfe75287b14f329c9bbd4fa790
-
SHA256
1652f43525a84c6f33fd69ba45433bdf24bd90deb283dfcf326077fdaa8b8154
-
SHA512
1d7378005d099fc38c1cdf3c6b75e153e5ef442509bc92cc01b5f4fe696ce971d73b72b45ad7821f400c9377a29854760b67d46364b3e432c853eba4868ade49
-
SSDEEP
1572864:cdABF0N/9dWHC2iHtBkb6DhFXrFHYi3qw+ietvQ19oDL9S:M9TzSI
Score
10/10
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\2024-06-19_35a4093aa84921340790cd2cca6828d0_magniber_revil.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-19_35a4093aa84921340790cd2cca6828d0_magniber_revil.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 4402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 4362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 372 -ip 3721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 372 -ip 3721⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/372-1-0x000000000044D000-0x0000000000467000-memory.dmpFilesize
104KB
-
memory/372-3-0x00000000001D0000-0x00000000001DA000-memory.dmpFilesize
40KB
-
memory/372-2-0x00000000001D0000-0x00000000001DA000-memory.dmpFilesize
40KB
-
memory/372-6-0x0000000004E20000-0x0000000004E24000-memory.dmpFilesize
16KB
-
memory/372-9-0x0000000004F50000-0x0000000004F69000-memory.dmpFilesize
100KB
-
memory/372-8-0x0000000004F50000-0x0000000004F69000-memory.dmpFilesize
100KB
-
memory/372-7-0x0000000004E20000-0x0000000004E24000-memory.dmpFilesize
16KB
-
memory/372-5-0x0000000004E10000-0x0000000004E17000-memory.dmpFilesize
28KB
-
memory/372-4-0x0000000004E10000-0x0000000004E17000-memory.dmpFilesize
28KB
-
memory/372-0-0x0000000000400000-0x0000000004DF4000-memory.dmpFilesize
74.0MB
-
memory/372-11-0x0000000007DD0000-0x00000000081D0000-memory.dmpFilesize
4.0MB
-
memory/372-10-0x0000000007DD0000-0x00000000081D0000-memory.dmpFilesize
4.0MB
-
memory/372-12-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmpFilesize
2.0MB
-
memory/372-14-0x00000000756C0000-0x00000000758D5000-memory.dmpFilesize
2.1MB
-
memory/1784-15-0x0000000000C20000-0x0000000000C29000-memory.dmpFilesize
36KB
-
memory/1784-17-0x0000000002760000-0x0000000002B60000-memory.dmpFilesize
4.0MB
-
memory/1784-20-0x00000000756C0000-0x00000000758D5000-memory.dmpFilesize
2.1MB
-
memory/1784-18-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmpFilesize
2.0MB
-
memory/1784-22-0x0000000002760000-0x000000000276F000-memory.dmpFilesize
60KB
-
memory/1784-21-0x000000000276F000-0x0000000002B60000-memory.dmpFilesize
3.9MB