Overview
overview
7Static
static
3RADMIR_LAU...1).exe
windows7-x64
7RADMIR_LAU...1).exe
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1RADMIR_LAUNCHER.exe
windows7-x64
7RADMIR_LAUNCHER.exe
windows10-2004-x64
7RADMIR_LAU...EX.exe
windows7-x64
7RADMIR_LAU...EX.exe
windows10-2004-x64
7api-ms-win...-0.dll
windows7-x64
1api-ms-win...-0.dll
windows10-2004-x64
1api-ms-win...-0.dll
windows7-x64
1api-ms-win...-0.dll
windows10-2004-x64
1api-ms-win...-0.dll
windows7-x64
3api-ms-win...-0.dll
windows10-2004-x64
3api-ms-win...-0.dll
windows7-x64
1api-ms-win...-0.dll
windows10-2004-x64
1api-ms-win...-0.dll
windows7-x64
1api-ms-win...-0.dll
windows10-2004-x64
3api-ms-win...-0.dll
windows7-x64
1api-ms-win...-0.dll
windows10-2004-x64
1api-ms-win...-0.dll
windows7-x64
1api-ms-win...-0.dll
windows10-2004-x64
1api-ms-win...-0.dll
windows7-x64
1api-ms-win...-0.dll
windows10-2004-x64
1api-ms-win...-0.dll
windows7-x64
1api-ms-win...-0.dll
windows10-2004-x64
1api-ms-win...-0.dll
windows7-x64
3api-ms-win...-0.dll
windows10-2004-x64
3Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
28/01/2024, 14:05
Static task
static1
Behavioral task
behavioral1
Sample
RADMIR_LAUNCHER (1).exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral2
Sample
RADMIR_LAUNCHER (1).exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
LICENSES.chromium.html
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral8
Sample
LICENSES.chromium.html
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
RADMIR_LAUNCHER.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral10
Sample
RADMIR_LAUNCHER.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
RADMIR_LAUNCHER_EX.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral12
Sample
RADMIR_LAUNCHER_EX.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
api-ms-win-core-console-l1-1-0.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral14
Sample
api-ms-win-core-console-l1-1-0.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
api-ms-win-core-datetime-l1-1-0.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral16
Sample
api-ms-win-core-datetime-l1-1-0.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
api-ms-win-core-debug-l1-1-0.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral18
Sample
api-ms-win-core-debug-l1-1-0.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
api-ms-win-core-errorhandling-l1-1-0.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral20
Sample
api-ms-win-core-errorhandling-l1-1-0.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
api-ms-win-core-file-l1-1-0.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral22
Sample
api-ms-win-core-file-l1-1-0.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
api-ms-win-core-file-l1-2-0.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral24
Sample
api-ms-win-core-file-l1-2-0.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
api-ms-win-core-file-l2-1-0.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral26
Sample
api-ms-win-core-file-l2-1-0.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
api-ms-win-core-handle-l1-1-0.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral28
Sample
api-ms-win-core-handle-l1-1-0.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
api-ms-win-core-heap-l1-1-0.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral30
Sample
api-ms-win-core-heap-l1-1-0.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
api-ms-win-core-interlocked-l1-1-0.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral32
Sample
api-ms-win-core-interlocked-l1-1-0.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
General
-
Target
RADMIR_LAUNCHER.exe
-
Size
136KB
-
MD5
f65724f439f3ac47153fdec32d5d58fb
-
SHA1
9c842169664f734426e8d0b87ed068e554ea11c4
-
SHA256
c3566150c632c7cae3b96de78f5e5d7a3b816ce1b9a013ef74b326bb75df84c9
-
SHA512
10d3bf90b1f291494031cea1b14a9c55d30c75856bbeb8975585896016cf83b0d895f3edd9d28bb8867406979bb0b2922a6e28f93feff5b5dbd98aa5435f4745
-
SSDEEP
3072:voLN5XpO8MjeE/u17JJSlZo7yFeRNCZ7+vWm9wY6n:vru17Jml8w5d
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 2664 RADMIR_LAUNCHER_EX.exe -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 208.67.222.222 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 2780 RADMIR_LAUNCHER_EX.exe 2812 RADMIR_LAUNCHER_EX.exe 2832 RADMIR_LAUNCHER_EX.exe 3056 RADMIR_LAUNCHER_EX.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe 1684 RADMIR_LAUNCHER.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 2664 RADMIR_LAUNCHER_EX.exe 2664 RADMIR_LAUNCHER_EX.exe 2664 RADMIR_LAUNCHER_EX.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 2664 RADMIR_LAUNCHER_EX.exe 2664 RADMIR_LAUNCHER_EX.exe 2664 RADMIR_LAUNCHER_EX.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 1684 wrote to memory of 2664 1684 RADMIR_LAUNCHER.exe 28 PID 1684 wrote to memory of 2664 1684 RADMIR_LAUNCHER.exe 28 PID 1684 wrote to memory of 2664 1684 RADMIR_LAUNCHER.exe 28 PID 1684 wrote to memory of 2664 1684 RADMIR_LAUNCHER.exe 28 PID 1684 wrote to memory of 2664 1684 RADMIR_LAUNCHER.exe 28 PID 1684 wrote to memory of 2664 1684 RADMIR_LAUNCHER.exe 28 PID 1684 wrote to memory of 2664 1684 RADMIR_LAUNCHER.exe 28 PID 2664 wrote to memory of 2780 2664 RADMIR_LAUNCHER_EX.exe 29 PID 2664 wrote to memory of 2780 2664 RADMIR_LAUNCHER_EX.exe 29 PID 2664 wrote to memory of 2780 2664 RADMIR_LAUNCHER_EX.exe 29 PID 2664 wrote to memory of 2780 2664 RADMIR_LAUNCHER_EX.exe 29 PID 2664 wrote to memory of 2780 2664 RADMIR_LAUNCHER_EX.exe 29 PID 2664 wrote to memory of 2780 2664 RADMIR_LAUNCHER_EX.exe 29 PID 2664 wrote to memory of 2780 2664 RADMIR_LAUNCHER_EX.exe 29 PID 2664 wrote to memory of 2812 2664 RADMIR_LAUNCHER_EX.exe 30 PID 2664 wrote to memory of 2812 2664 RADMIR_LAUNCHER_EX.exe 30 PID 2664 wrote to memory of 2812 2664 RADMIR_LAUNCHER_EX.exe 30 PID 2664 wrote to memory of 2812 2664 RADMIR_LAUNCHER_EX.exe 30 PID 2664 wrote to memory of 2812 2664 RADMIR_LAUNCHER_EX.exe 30 PID 2664 wrote to memory of 2812 2664 RADMIR_LAUNCHER_EX.exe 30 PID 2664 wrote to memory of 2812 2664 RADMIR_LAUNCHER_EX.exe 30 PID 2664 wrote to memory of 2832 2664 RADMIR_LAUNCHER_EX.exe 31 PID 2664 wrote to memory of 2832 2664 RADMIR_LAUNCHER_EX.exe 31 PID 2664 wrote to memory of 2832 2664 RADMIR_LAUNCHER_EX.exe 31 PID 2664 wrote to memory of 2832 2664 RADMIR_LAUNCHER_EX.exe 31 PID 2664 wrote to memory of 2832 2664 RADMIR_LAUNCHER_EX.exe 31 PID 2664 wrote to memory of 2832 2664 RADMIR_LAUNCHER_EX.exe 31 PID 2664 wrote to memory of 2832 2664 RADMIR_LAUNCHER_EX.exe 31 PID 2664 wrote to memory of 3056 2664 RADMIR_LAUNCHER_EX.exe 32 PID 2664 wrote to memory of 3056 2664 RADMIR_LAUNCHER_EX.exe 32 PID 2664 wrote to memory of 3056 2664 RADMIR_LAUNCHER_EX.exe 32 PID 2664 wrote to memory of 3056 2664 RADMIR_LAUNCHER_EX.exe 32 PID 2664 wrote to memory of 3056 2664 RADMIR_LAUNCHER_EX.exe 32 PID 2664 wrote to memory of 3056 2664 RADMIR_LAUNCHER_EX.exe 32 PID 2664 wrote to memory of 3056 2664 RADMIR_LAUNCHER_EX.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER.exe"C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe"C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe"2⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe"C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe" --type=gpu-process --field-trial-handle=1168,17332992941762730157,4259380803242703262,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --no-sandbox --disable-gpu-rasterization --user-data-dir="C:\Users\Admin\AppData\Roaming\radmir-launcher" --gpu-preferences=UAAAAAAAAADgAgAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=1144 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2780
-
-
C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe"C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1168,17332992941762730157,4259380803242703262,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\radmir-launcher" --mojo-platform-channel-handle=1304 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:2812
-
-
C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe"C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\radmir-launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --no-sandbox --field-trial-handle=1168,17332992941762730157,4259380803242703262,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1488 /prefetch:13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2832
-
-
C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe"C:\Users\Admin\AppData\Local\Temp\RADMIR_LAUNCHER_EX.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1168,17332992941762730157,4259380803242703262,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\radmir-launcher" --mojo-platform-channel-handle=1740 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:3056
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5316e18e04a48fff12831cd0f75595199
SHA1eaaf658e8c0005762ecc553a525720bb64c2557b
SHA256b56e7557713cc0336f786051d5539fde2636cdb664e38bcc428b165e3cc43b49
SHA512af1a190c8f248fafb7e1f42d2b182357fe208426fba2d88ac44a2e0775f3041a4488bcbfc880e54d62c82da8e2bbffc40d6cf09f2c2521fbdbd2091066b34aa6
-
Filesize
1.5MB
MD5b4d2ccd58da3bd0dc0dbc1c27c2a7589
SHA10258dfa4fc07c88ef44b7db7d1ec2b9b68708efc
SHA25689ba5207ab38f4d97e576401839b2383fffc9363fbaf0e7ecaf8de6962467c17
SHA51236e48233c84013dd3369b64b750f2429e83d660b13f4fd2211531983901209765f66c7a5752a6e3e4983368bebf4ac9a02b9d15bedf3881a8fde6a1c2926dc13