Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/01/2024, 14:05

General

  • Target

    RADMIR_LAUNCHER_EX.exe

  • Size

    117.7MB

  • MD5

    340708e6beaf93b5293a244a5ecf4c08

  • SHA1

    c4706273975fcf86eb9ae5ac6acf74e206a18a32

  • SHA256

    8d718d2364663c95c50fab10c5b01cf9c05c2af1685ddc64ba826d92f08223a2

  • SHA512

    be1da0839dd938dabac817b80ac0236b969cbcd9e25c0926b832d8bfcb0061c9e304f45cc1db384a467ef7a1f296a93786a7faccf2e5009a263f0e1bc39042b0

  • SSDEEP

    1572864:jcNi9c9Bd2PSGAv7AtHQzOxD7BwSbfri0UmJ4hA5elULguvg/x5kk3A4sqACQoa8:LiTaM/kt4lda5l2vWmeY

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, which can indicate geofencing. Caveat: the target is an Electron application (its child processes are launched with Chromium switches and load resources\app.asar, see the process tree below), and the Chromium runtime reads the user's locale and region settings during normal startup, so this hit on its own is weak evidence of a geofence.

  • Loads dropped DLL (1 IoC)

    The 2.3MB *.tmp.node file listed under Downloads is a native Node.js addon, which on Windows is a PE DLL with a .node extension; its extraction to %TEMP% and subsequent load is consistent with this signature.

  • Unexpected DNS network traffic destination (1 IoC)

    Traffic on the DNS port (53) to servers other than the sandbox's configured DNS servers was detected. This can be an application using its own resolver or DNS tunnelling; the destination decides which, so check it before reading the hit as C2.

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)
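
The check behind the "Unexpected DNS network traffic destination" signature, as an added example that is not part of the sandbox report or its vendor's code: it parses constructed flow-log lines, keeps only port-53 traffic that does not go to the configured resolver, and separates well-known public resolvers (an app bringing its own DNS) from arbitrary hosts (the case worth investigating). The resolver address, the log format, the sample lines and the public-resolver list are all this example's assumptions.

```python
# Added example (not from the sandbox report): the rule behind the
# "Unexpected DNS network traffic destination" signature, run over
# constructed flow-log lines. Resolver address, log format and sample
# traffic are assumptions made for the example.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "tcp"
    src: str
    dst: str
    dport: int

# Assumption: the resolver the sandbox hands to the guest (constructed address).
CONFIGURED_DNS = frozenset({"10.127.0.1"})

# This example's own list of well-known public resolvers. Port-53 traffic to
# these usually means the app brings its own DNS; traffic to anything else is
# the interesting case (DNS tunnelling, C2 listening on a DNS port).
PUBLIC_RESOLVERS = frozenset({"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"})

# Constructed log format: "<proto> <src>:<sport> -> <dst>:<dport>".
FLOW_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def parse_flows(text):
    """Parse flow-log lines; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["proto"], m["src"], m["dst"], int(m["dport"])))
    return flows

def unexpected_dns_destinations(flows, configured_dns=CONFIGURED_DNS):
    """Return flows on port 53 (UDP or TCP) not sent to a configured resolver."""
    return [
        f for f in flows
        if f.dport == 53 and f.proto in ("udp", "tcp") and f.dst not in configured_dns
    ]

def classify_destination(dst):
    return "public-resolver" if dst in PUBLIC_RESOLVERS else "non-resolver-host"

def summarize(flows):
    """Group unexpected DNS destinations for triage: dst -> {class, protocols}."""
    summary = {}
    for f in unexpected_dns_destinations(flows):
        entry = summary.setdefault(
            f.dst, {"class": classify_destination(f.dst), "protocols": set()}
        )
        entry["protocols"].add(f.proto)
    return summary

# Constructed sample log from a guest at 10.127.0.154.
SAMPLE_LOG = """\
udp 10.127.0.154:51002 -> 10.127.0.1:53
udp 10.127.0.154:51003 -> 10.127.0.1:53
udp 10.127.0.154:51004 -> 8.8.8.8:53
tcp 10.127.0.154:49731 -> 203.0.113.7:53
udp 10.127.0.154:51005 -> 203.0.113.7:53
tcp 10.127.0.154:49732 -> 203.0.113.7:443
this line is malformed and must be skipped
"""

if __name__ == "__main__":
    for dst, info in summarize(parse_flows(SAMPLE_LOG)).items():
        print(f"{dst}: {info['class']} via {', '.join(sorted(info['protocols']))}")
```

Matching TCP as well as UDP on port 53 is deliberate: DNS over TCP is legitimate, but an unexpected destination is equally suspicious on either transport, and a tunnel will happily use whichever one the firewall lets through.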

Processes

  • C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe
    "C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe
      "C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe" --type=gpu-process --field-trial-handle=1188,10549671551766625409,10600157042006517092,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --no-sandbox --disable-gpu-rasterization --user-data-dir="C:\Users\Admin\AppData\Roaming\radmir-launcher" --gpu-preferences=UAAAAAAAAADgAgAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=1160 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2696
    • C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe
      "C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1188,10549671551766625409,10600157042006517092,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\radmir-launcher" --mojo-platform-channel-handle=1328 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2784
    • C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe
      "C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\radmir-launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --no-sandbox --field-trial-handle=1188,10549671551766625409,10600157042006517092,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1520 /prefetch:1
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      PID:2848
    • C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe
      "C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1188,10549671551766625409,10600157042006517092,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\radmir-launcher" --mojo-platform-channel-handle=1764 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1196
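
Every child process in the tree above is launched with --no-sandbox, the GPU process additionally passes --disable-gpu-sandbox, and the network service runs with --service-sandbox-type=none, so none of the Chromium sandboxes that would normally contain a renderer or the network stack are in effect; a bug reachable from the web content the launcher renders would therefore run with the full privileges of the logged-on user. This is common for Electron builds that do not enable the sandbox, but it is the main thing to take away from the process tree. The script below is an added example, not the launcher's or the sandbox vendor's code: it parses those Chromium-style command lines and reports the disabled isolation layers per process. The command lines are copied from the tree above; the flag descriptions and helper names are the example's own.

```python
# Added example (not the launcher's code): parse the Chromium-style child-process
# command lines from the process tree and report which isolation layers each
# child has disabled. Command lines are copied from the report; the switch
# descriptions are this example's own reading of them.
import shlex

# Switches that remove or weaken Chromium's process sandboxing.
SANDBOX_WEAKENING_FLAGS = {
    "--no-sandbox": "all child-process sandboxes disabled",
    "--disable-gpu-sandbox": "GPU process sandbox disabled",
    "--no-zygote": "zygote disabled (Linux-only switch; no effect on Windows)",
}

def parse_flags(cmdline):
    """Return (exe, {switch: value}) for a Chromium-style command line.

    Bare switches map to None. shlex in POSIX mode keeps backslashes inside
    double-quoted Windows paths, so the quoted paths survive intact.
    Non-switch arguments such as /prefetch:N are ignored.
    """
    tokens = shlex.split(cmdline, posix=True)
    flags = {}
    for tok in tokens[1:]:
        if tok.startswith("--"):
            name, sep, value = tok.partition("=")
            flags[name] = value if sep else None
    return tokens[0], flags

def sandbox_findings(cmdline):
    """Classify one child process and list the sandbox layers it has turned off."""
    exe, flags = parse_flags(cmdline)
    findings = [f"{flag}: {why}" for flag, why in SANDBOX_WEAKENING_FLAGS.items() if flag in flags]
    if flags.get("--service-sandbox-type") == "none":
        findings.append("--service-sandbox-type=none: utility process runs unsandboxed")
    return {
        "exe": exe,
        "type": flags.get("--type", "browser"),   # no --type means the browser (parent) process
        "subtype": flags.get("--utility-sub-type"),
        "findings": findings,
    }

# Command lines copied from the process tree, keyed by PID. Shared pieces are
# factored out only to keep the lines readable.
EXE = r'"C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe"'
FT = "--field-trial-handle=1188,10549671551766625409,10600157042006517092,131072"
DF = "--disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand"
UDD = r'--user-data-dir="C:\Users\Admin\AppData\Roaming\radmir-launcher"'
GPU_PREFS = ("--gpu-preferences=UAAAAAAAAADgAgAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEg"
             "AAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA=")

PROCESS_TREE = {
    2696: " ".join([EXE, "--type=gpu-process", FT, DF,
                    "--disable-gpu-sandbox --no-sandbox --disable-gpu-rasterization", UDD, GPU_PREFS,
                    "--use-gl=disabled --mojo-platform-channel-handle=1160 /prefetch:2"]),
    2784: " ".join([EXE, "--type=utility --utility-sub-type=network.mojom.NetworkService", FT, DF,
                    "--lang=en-US --service-sandbox-type=none --no-sandbox", UDD,
                    "--mojo-platform-channel-handle=1328 /prefetch:8"]),
    2848: " ".join([EXE, "--type=renderer", UDD,
                    r'--app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar"',
                    "--no-sandbox --no-zygote --no-sandbox", FT, DF,
                    "--disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4",
                    "--enable-main-frame-before-activation --renderer-client-id=4",
                    "--mojo-platform-channel-handle=1520 /prefetch:1"]),
    1196: " ".join([EXE, "--type=utility --utility-sub-type=audio.mojom.AudioService", FT, DF,
                    "--lang=en-US --service-sandbox-type=audio --no-sandbox", UDD,
                    "--mojo-platform-channel-handle=1764 /prefetch:8"]),
}

def triage(tree=PROCESS_TREE):
    """Findings for every process in the tree, keyed by PID."""
    return {pid: sandbox_findings(cmd) for pid, cmd in tree.items()}

if __name__ == "__main__":
    for pid, r in triage().items():
        label = r["type"] + (f"/{r['subtype']}" if r["subtype"] else "")
        print(f"PID {pid} [{label}]")
        for finding in r["findings"]:
            print("  -", finding)
```

Run against the four children it reports --no-sandbox on all of them, --disable-gpu-sandbox on the GPU process, --no-zygote on the renderer and the unsandboxed network service; the audio service keeps --service-sandbox-type=audio but still carries --no-sandbox. The same parser works on command lines pulled from Sysmon event ID 1 or from a memory image, which is where this check is most useful outside a sandbox.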

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\logs\2024-01-28 14-10-18.log

    Filesize

    4KB

    MD5

    bdc047df92cac475efbb4d71571b0238

    SHA1

    5f49819f96fcd38537414554f238265420064cf6

    SHA256

    5a57cc7b5daef7694d641eb27d2db53a64cd8113674420f8ad514e4a579ffe9e

    SHA512

    0c4858bb750a92e6f6acf6667e087607cab1dcc118a0bda89d8bc970c3a82266aa91ca3efdc69da4837125232d2c85cc5161d712d7d25a3b52bf2dd01e1677ed

  • C:\Users\Admin\AppData\Local\Temp\logs\2024-01-28 14-10-18.log

    Filesize

    761B

    MD5

    3cd18b84ff943a0f3156bc646df07fa4

    SHA1

    271ac442e591934ba02ff33932706cb5efece4d4

    SHA256

    a967fec8590b505a4815504bf91f73ceccd9d8ee99c56c3228750ece630f21d9

    SHA512

    a7a8a1943e20de63e4f5c6bce87e9c2d51c7f2155d8d7887a936ca72b02caca451546765e67f80f97d2cdf1778ba2c82bfd0c6a630c027477db7c8c943b3ea42

  • \Users\Admin\AppData\Local\Temp\abb578f2-d0a6-4d55-b7d6-0bf3b919ebcc.tmp.node

    Filesize

    2.3MB

    MD5

    178a4b506d9d492dd2f14345e67bda1d

    SHA1

    b71a8ffa3a447579f22e543719ba0279d5b4d010

    SHA256

    672e868bc7fdb5bec2720a1061c51eb1e50155b9f727911720608e38eff7508e

    SHA512

    c7187678f71813eee565ae77eb95bbdcd61e9683d90b0db6e2e60f939e0ece06f6b4ee28dd6b0a98008b55a1eeda944fac8847e3685b7def66a3cfc667ee99b9