18fb1efac7a965e3be1b7c090324e291fcdaba65ec213619d245aa4aa54387ba

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RADMIR_LAUNCHER_EX.exe
Size

117.7MB
MD5

340708e6beaf93b5293a244a5ecf4c08
SHA1

c4706273975fcf86eb9ae5ac6acf74e206a18a32
SHA256

8d718d2364663c95c50fab10c5b01cf9c05c2af1685ddc64ba826d92f08223a2
SHA512

be1da0839dd938dabac817b80ac0236b969cbcd9e25c0926b832d8bfcb0061c9e304f45cc1db384a467ef7a1f296a93786a7faccf2e5009a263f0e1bc39042b0
SSDEEP

1572864:jcNi9c9Bd2PSGAv7AtHQzOxD7BwSbfri0UmJ4hA5elULguvg/x5kk3A4sqACQoa8:LiTaM/kt4lda5l2vWmeY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	RADMIR_LAUNCHER_EX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	RADMIR_LAUNCHER_EX.exe

Loads dropped DLL 1 IoCs

pid	Process
5048	RADMIR_LAUNCHER_EX.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3088	RADMIR_LAUNCHER_EX.exe
3088	RADMIR_LAUNCHER_EX.exe
2320	RADMIR_LAUNCHER_EX.exe
2320	RADMIR_LAUNCHER_EX.exe
2188	RADMIR_LAUNCHER_EX.exe
2188	RADMIR_LAUNCHER_EX.exe
1616	RADMIR_LAUNCHER_EX.exe
1616	RADMIR_LAUNCHER_EX.exe
5048	RADMIR_LAUNCHER_EX.exe
5048	RADMIR_LAUNCHER_EX.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2900	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2900	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5048	RADMIR_LAUNCHER_EX.exe
5048	RADMIR_LAUNCHER_EX.exe
5048	RADMIR_LAUNCHER_EX.exe
5048	RADMIR_LAUNCHER_EX.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
5048	RADMIR_LAUNCHER_EX.exe
5048	RADMIR_LAUNCHER_EX.exe
5048	RADMIR_LAUNCHER_EX.exe
5048	RADMIR_LAUNCHER_EX.exe
5048	RADMIR_LAUNCHER_EX.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3088	5048	RADMIR_LAUNCHER_EX.exe	89
PID 5048 wrote to memory of 3088	5048	RADMIR_LAUNCHER_EX.exe	89
PID 5048 wrote to memory of 3088	5048	RADMIR_LAUNCHER_EX.exe	89
PID 5048 wrote to memory of 2320	5048	RADMIR_LAUNCHER_EX.exe	90
PID 5048 wrote to memory of 2320	5048	RADMIR_LAUNCHER_EX.exe	90
PID 5048 wrote to memory of 2320	5048	RADMIR_LAUNCHER_EX.exe	90
PID 5048 wrote to memory of 2188	5048	RADMIR_LAUNCHER_EX.exe	91
PID 5048 wrote to memory of 2188	5048	RADMIR_LAUNCHER_EX.exe	91
PID 5048 wrote to memory of 2188	5048	RADMIR_LAUNCHER_EX.exe	91
PID 5048 wrote to memory of 1616	5048	RADMIR_LAUNCHER_EX.exe	92
PID 5048 wrote to memory of 1616	5048	RADMIR_LAUNCHER_EX.exe	92
PID 5048 wrote to memory of 1616	5048	RADMIR_LAUNCHER_EX.exe	92

C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe
"C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe
  "C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe" --type=gpu-process --field-trial-handle=1824,2478310535388069143,6719640691637765106,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --no-sandbox --disable-gpu-rasterization --user-data-dir="C:\Users\Admin\AppData\Roaming\radmir-launcher" --gpu-preferences=UAAAAAAAAADgAgAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3088
- C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe
  "C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,2478310535388069143,6719640691637765106,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\radmir-launcher" --mojo-platform-channel-handle=2112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe
  "C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\radmir-launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --no-sandbox --field-trial-handle=1824,2478310535388069143,6719640691637765106,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2328 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe
  "C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1824,2478310535388069143,6719640691637765106,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\radmir-launcher" --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1616

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\03787cc5-51ff-468d-b1b9-eb03d64a4a3d.tmp.node

Filesize
5.2MB

MD5
b36ba8b6dc9744af6ee873551de6159b

SHA1
3011d7c729ed149643f2b25a3617e195f32eef31

SHA256
ef692dfac556750d189237b11dcc8bdf0641dba39985f4e1a5b68aa36b63d7dd

SHA512
6a93612dd5c86994bb3c7aacd4130a3f2fe084dfe91bc7ce1f73d22afd57ce3bd70c84f53b7b4f1dd3ad47a0ff9b714f9619d6e20b78d518a0ac50e42b192979

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\2024-01-28 14-10-23.log

Filesize
4KB

MD5
06fdbed1daac18d36fee6fa3ea568516

SHA1
8893f622f7463de38c1c445a09664452312d84b3

SHA256
d4100001eaeff6668a3ff5fecc475fdc2eb77a9a672c859c37f11756a6748496

SHA512
8cccc407e77ce128af9c0baaef329ed1f7328db949314c3f5ff008076fae1232e780ccceca74c380e1073c8e0034b009aecb299ae17a170188de3b556d1293fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\radmir-launcher\Network Persistent State

Filesize
393B

MD5
56f297ed509b745fdf69bbf93c6d0e69

SHA1
f30d02f55b925b62574c5642ba411b30c39ff39e

SHA256
baa29898ca8039e5c93a5b5373c583badc717e45c57640e02768f5fc7494bfaa

SHA512
43109aa18f6258207ebe7beb32d927419bf4f4ef6062d42d975315e87b5712d6bb7ae9a2bfb97f0c35cedc37248d6fab9f325fe87caf0ff3ea9ba2a37a93fdc8

Download Submit
C:\Users\Admin\AppData\Roaming\radmir-launcher\Network Persistent State~RFe5883f0.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit