Overview
overview
10Static
static
3SKRIPTGG-F...in.zip
windows7-x64
1SKRIPTGG-F...in.zip
windows10-2004-x64
1SKRIPTGG-F...DME.md
windows7-x64
3SKRIPTGG-F...DME.md
windows10-2004-x64
3SKRIPTGG-F...pt.rar
windows7-x64
10SKRIPTGG-F...pt.rar
windows10-2004-x64
7launcher.exe
windows7-x64
10launcher.exe
windows10-2004-x64
10SKRIPTGG-F...se.dll
windows7-x64
1SKRIPTGG-F...se.dll
windows10-2004-x64
1Resubmissions
27-03-2024 17:10
240327-vp3klabh7y 1027-03-2024 17:07
240327-vnfdnsbh4w 327-03-2024 17:03
240327-vknwmsbg61 10Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27-03-2024 17:03
Static task
static1
Behavioral task
behavioral1
Sample
SKRIPTGG-FIVEM-main.zip
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
SKRIPTGG-FIVEM-main.zip
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
SKRIPTGG-FIVEM-main/README.md
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
SKRIPTGG-FIVEM-main/README.md
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
SKRIPTGG-FIVEM-main/Skript.rar
Resource
win7-20240215-en
Behavioral task
behavioral6
Sample
SKRIPTGG-FIVEM-main/Skript.rar
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
launcher.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
launcher.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
SKRIPTGG-FIVEM-main/license.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
SKRIPTGG-FIVEM-main/license.dll
Resource
win10v2004-20240226-en
General
-
Target
launcher.exe
-
Size
4.7MB
-
MD5
620024df612c13a4a33cf785384c2086
-
SHA1
a6ae999723bea18c6d3acf2c52ed682f6226b7be
-
SHA256
cd825788095cd61de39d98d6365ed80004cc55a64f4f115ef6bf532617bb0af1
-
SHA512
34d4d8a423d98bf0b8d4f18dc980bed97e9492f0817bb1e2dff99fc8d9d0cfaa2687514eff7717b1310a2c858236614490e980390612901e08b69b6ded451bdd
-
SSDEEP
98304:HqZRVmbr2CkyPqPnowAWTbNJ2EyT2QT27JaSGKN/3pJ:QVs6ysoDEUvwJEKdZJ
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
svchost.exedescription pid Process procid_target PID 1948 created 2644 1948 svchost.exe 45 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
launcher.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation launcher.exe -
Executes dropped EXE 5 IoCs
Processes:
explorer.exesvchost.exeexplorer.exeexplorer.exeexplorer.exepid Process 3164 explorer.exe 1948 svchost.exe 2468 explorer.exe 960 explorer.exe 2436 explorer.exe -
Loads dropped DLL 14 IoCs
Processes:
explorer.exeexplorer.exepid Process 2468 explorer.exe 2468 explorer.exe 2468 explorer.exe 2468 explorer.exe 2468 explorer.exe 2468 explorer.exe 2436 explorer.exe 2436 explorer.exe 2436 explorer.exe 2436 explorer.exe 2436 explorer.exe 2436 explorer.exe 2436 explorer.exe 2436 explorer.exe -
Processes:
resource yara_rule behavioral8/files/0x0007000000023231-33.dat upx behavioral8/memory/2468-39-0x00007FFB42C40000-0x00007FFB430A6000-memory.dmp upx behavioral8/memory/2468-46-0x00007FFB57920000-0x00007FFB5792F000-memory.dmp upx behavioral8/files/0x0007000000023230-45.dat upx behavioral8/files/0x0007000000023228-55.dat upx behavioral8/files/0x000700000002322c-56.dat upx behavioral8/memory/2468-65-0x00007FFB52300000-0x00007FFB5232C000-memory.dmp upx behavioral8/memory/2468-64-0x00007FFB52BB0000-0x00007FFB52BD4000-memory.dmp upx behavioral8/memory/2468-67-0x00007FFB524A0000-0x00007FFB524B8000-memory.dmp upx behavioral8/files/0x000700000002322d-54.dat upx behavioral8/files/0x000700000002322b-52.dat upx behavioral8/files/0x000700000002322a-51.dat upx behavioral8/files/0x0007000000023233-49.dat upx behavioral8/files/0x0007000000023232-48.dat upx behavioral8/files/0x000700000002322f-47.dat upx behavioral8/files/0x0007000000023229-43.dat upx behavioral8/memory/2468-82-0x00007FFB42C40000-0x00007FFB430A6000-memory.dmp upx behavioral8/memory/2436-110-0x00007FFB425D0000-0x00007FFB42A36000-memory.dmp upx behavioral8/memory/2436-124-0x00007FFB52300000-0x00007FFB52324000-memory.dmp upx behavioral8/memory/2436-129-0x00007FFB57920000-0x00007FFB5792F000-memory.dmp upx behavioral8/memory/2436-130-0x00007FFB52030000-0x00007FFB5205C000-memory.dmp upx behavioral8/memory/2436-131-0x00007FFB52280000-0x00007FFB52299000-memory.dmp upx behavioral8/memory/2436-133-0x00007FFB524A0000-0x00007FFB524B8000-memory.dmp upx behavioral8/memory/2436-132-0x00007FFB55E60000-0x00007FFB55E6D000-memory.dmp upx behavioral8/memory/2436-179-0x00007FFB425D0000-0x00007FFB42A36000-memory.dmp upx behavioral8/memory/2436-180-0x00007FFB52300000-0x00007FFB52324000-memory.dmp upx behavioral8/memory/2436-181-0x00007FFB425D0000-0x00007FFB42A36000-memory.dmp upx behavioral8/memory/2436-188-0x00007FFB425D0000-0x00007FFB42A36000-memory.dmp upx behavioral8/memory/2436-195-0x00007FFB425D0000-0x00007FFB42A36000-memory.dmp upx behavioral8/memory/2436-202-0x00007FFB425D0000-0x00007FFB42A36000-memory.dmp upx behavioral8/memory/2436-209-0x00007FFB425D0000-0x00007FFB42A36000-memory.dmp upx behavioral8/memory/2436-216-0x00007FFB425D0000-0x00007FFB42A36000-memory.dmp upx behavioral8/memory/2436-223-0x00007FFB425D0000-0x00007FFB42A36000-memory.dmp upx behavioral8/memory/2436-230-0x00007FFB425D0000-0x00007FFB42A36000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\explorer.exe" explorer.exe -
Detects Pyinstaller 4 IoCs
Processes:
resource yara_rule behavioral8/files/0x000b0000000231a8-4.dat pyinstaller behavioral8/files/0x000b0000000231a8-8.dat pyinstaller behavioral8/files/0x000b0000000231a8-6.dat pyinstaller behavioral8/files/0x0007000000023234-89.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid Process 5000 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
powershell.exesvchost.exedialer.exepid Process 860 powershell.exe 860 powershell.exe 1948 svchost.exe 1948 svchost.exe 4704 dialer.exe 4704 dialer.exe 4704 dialer.exe 4704 dialer.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exetaskkill.exedescription pid Process Token: SeDebugPrivilege 860 powershell.exe Token: SeDebugPrivilege 5000 taskkill.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
launcher.exeexplorer.exeexplorer.execmd.exeexplorer.exeexplorer.exesvchost.exedescription pid Process procid_target PID 4524 wrote to memory of 860 4524 launcher.exe 88 PID 4524 wrote to memory of 860 4524 launcher.exe 88 PID 4524 wrote to memory of 860 4524 launcher.exe 88 PID 4524 wrote to memory of 3164 4524 launcher.exe 90 PID 4524 wrote to memory of 3164 4524 launcher.exe 90 PID 4524 wrote to memory of 1948 4524 launcher.exe 91 PID 4524 wrote to memory of 1948 4524 launcher.exe 91 PID 4524 wrote to memory of 1948 4524 launcher.exe 91 PID 3164 wrote to memory of 2468 3164 explorer.exe 92 PID 3164 wrote to memory of 2468 3164 explorer.exe 92 PID 2468 wrote to memory of 4716 2468 explorer.exe 93 PID 2468 wrote to memory of 4716 2468 explorer.exe 93 PID 4716 wrote to memory of 5000 4716 cmd.exe 95 PID 4716 wrote to memory of 5000 4716 cmd.exe 95 PID 4716 wrote to memory of 960 4716 cmd.exe 97 PID 4716 wrote to memory of 960 4716 cmd.exe 97 PID 960 wrote to memory of 2436 960 explorer.exe 98 PID 960 wrote to memory of 2436 960 explorer.exe 98 PID 2436 wrote to memory of 4996 2436 explorer.exe 99 PID 2436 wrote to memory of 4996 2436 explorer.exe 99 PID 1948 wrote to memory of 4704 1948 svchost.exe 102 PID 1948 wrote to memory of 4704 1948 svchost.exe 102 PID 1948 wrote to memory of 4704 1948 svchost.exe 102 PID 1948 wrote to memory of 4704 1948 svchost.exe 102 PID 1948 wrote to memory of 4704 1948 svchost.exe 102
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2644
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4704
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZgBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcgBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAYQBjACMAPgA="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860
-
-
C:\Users\Admin\AppData\Local\Temp\explorer.exe"C:\Users\Admin\AppData\Local\Temp\explorer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Users\Admin\AppData\Local\Temp\explorer.exe"C:\Users\Admin\AppData\Local\Temp\explorer.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat4⤵
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\system32\taskkill.exetaskkill /f /im "explorer.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5000
-
-
C:\Users\Admin\explorer.exe"explorer.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Users\Admin\explorer.exe"explorer.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"7⤵PID:4996
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\svchost.exe"C:\Users\Admin\AppData\Local\svchost.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD5f34eb034aa4a9735218686590cba2e8b
SHA12bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA2569d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
-
Filesize
47KB
MD5f6e387f20808828796e876682a328e98
SHA16679ae43b0634ac706218996bac961bef4138a02
SHA2568886bd30421c6c6bfae17847002b9bf4ee4d9eee1a3be7369ee66b36e26c372b
SHA512ad7cf281f2d830f9dbf66d8ef50e418b4a17a0144b6616c43d7e98b00e6f0cbafc6fe4aba4fabf2f008bb0df85553614b38ae303e5726621a804051d950e744e
-
Filesize
58KB
MD548ce90022e97f72114a95630ba43b8fb
SHA1f2eba0434ec204d8c6ca4f01af33ef34f09b52fd
SHA2565998de3112a710248d29df76a05272775bf08a8dbc5a051a7ecb909fef069635
SHA5127e6c2591805136f74c413b9633d5fdc4428e6f01e0e632b278bee98170b4f418ef2afd237c09e60b0e72076924ed0e3ffb0e2453e543b5e030b263f64568fab8
-
Filesize
105KB
MD52030438e4f397a7d4241a701a3ca2419
SHA128b8d06135cd1f784ccabda39432cc83ba22daf7
SHA25607d7ac065f25af2c7498d5d93b1551cc43a4d4b5e8fb2f9293b647d0f7bd7c72
SHA512767f2a9f9eef6ebeca95ab9652b7d0976f2ac87b9e9da1dbd3c4ccf58e8ecb0da8242f4df0b07612282c16ba85197ed0296d1052027cd48b96d61bdf678abaad
-
Filesize
35KB
MD513f99120a244ab62af1684fbbc5d5a7e
SHA15147a90082eb3cd2c34b7f2deb8a4ef24d7ae724
SHA25611658b52e7166da976abeeed78a940d69b2f11f518046877bea799759a17f58b
SHA51246c2f9f43df6de72458ed24c2a0433a6092fd5b49b3234135f06c19a80f18f8bdbfb297e5a411cf29f8c60af342c80db123959f7317cfa045c73bd6f835eb22d
-
Filesize
85KB
MD57c66f33a67fbb4d99041f085ef3c6428
SHA1e1384891df177b45b889459c503985b113e754a3
SHA25632f911e178fa9e4db9bd797598f84f9896f99e5022f2b76a1589b81f686b0866
SHA512d0caabd031fa0c63f4cfb79d8f3531ad85eda468d77a78dd3dde40ce9ac2d404fc0099c4f67579aa802fe5c6c6a464894fd88c19f1fc601f26189780b36f3f9d
-
Filesize
42KB
MD50dd957099cf15d172d0a343886fb7c66
SHA1950f7f15c6accffac699c5db6ce475365821b92a
SHA2568142d92dc7557e8c585ea9ee41146b77864b7529ed464fdf51dfb6d797828a4a
SHA5123dc0380dfc871d8cab7e95d6119f16be2f31cdde784f8f90ffddd6a43323a2988c61e343eede5e5cb347fc2af594fe8d8944644396faf2e478a3487bcf9cf9ee
-
Filesize
859KB
MD5483d9675ef53a13327e7dfc7d09f23fe
SHA12378f1db6292cd8dc4ad95763a42ad49aeb11337
SHA25670c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e
SHA512f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5
-
Filesize
1.1MB
MD5e5aecaf59c67d6dd7c7979dfb49ed3b0
SHA1b0a292065e1b3875f015277b90d183b875451450
SHA2569d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1
SHA512145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4
-
Filesize
23KB
MD56f818913fafe8e4df7fedc46131f201f
SHA1bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA2563f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA5125473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
Filesize
1.4MB
MD53f782cf7874b03c1d20ed90d370f4329
SHA108a2b4a21092321de1dcad1bb2afb660b0fa7749
SHA2562a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
SHA512950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857
-
Filesize
25KB
MD55c66bcf3cc3c364ecac7cf40ad28d8f0
SHA1faf0848c231bf120dc9f749f726c807874d9d612
SHA25626dada1a4730a51a0e3aa62e7abc7e6517a4dc48f02616e0b6e5291014a809cc
SHA512034cd4c70c4e0d95d6bb3f72751c07b8b91918aabe59abf9009c60aa22600247694d6b9e232fefff78868aad20f5f5548e8740659036096fab44b65f6c4f8db6
-
Filesize
289KB
MD5dfa1f0cd0ad295b31cb9dda2803bbd8c
SHA1cc68460feae2ff4e9d85a72be58c8011cb318bc2
SHA25646a90852f6651f20b7c89e71cc63f0154f00a0e7cd543f046020d5ec9ef6cb10
SHA5127fbdfd56e12c8f030483f4d033f1b920968ea87687e9896f418e9cf1b9e345e2be2dc8f1ea1a8afb0040a376ffb7a5dc0db27d84fb8291b50e2ed3b10c10168e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.7MB
MD5b1cd4255918f2a302887de1e58126383
SHA10947714b92643aa2bebd1cbac26d5fdc86697f46
SHA256b8a367358370c9c18bd6c087f22c09aeeab7397b213ad018d806cf8809661ee0
SHA51221010a00837ecc628131a323fa15c6c80caeac3354699e464275f7733838a7ac246913fec5a883ca982f122db887e2b1a37e215504331191fa2f3a289787f2be
-
Filesize
4.4MB
MD5aba4fcf0d72b487887f315202bc43ae4
SHA1de51440c742c58f52f3b7cc2a1fcda5abd3d1ca8
SHA2568f312c17c2a525ac9bc0838e4d9f69db5bb20478ffa4880fb3a8b98caf0e25ef
SHA512fed41d5eb4a61c43bb3032c0d0b3d347d6b89a06d2928155f2e0baa59295ae71d3e689c3c78a584f2db64fd5ab3a06578623a8d41d7055b535c4d2317aef2bf9
-
Filesize
128KB
MD50f4b9db69366bd9037bff0d0cf978653
SHA1f0db205aeca85397e1cd43878c17669807bc415b
SHA256b1d3d00c08943b444488fcbd0629e80e8bc672999e7641f21d97d33e8c2368d3
SHA5120790531a77384b3323b3f39ecc2536bfc388eac8479518b269b8b46370a55b9dd274cdcb69f3f595e02f80663fa7b7f67b405f1c99a0d38a3250d88340335000
-
Filesize
64KB
MD50068757fd0eafb983b261b644e988105
SHA146179b631b0232994b518990606c96abeb40daf7
SHA256e380212dc52414a7345bf47c365e2f2b12114e31625591e894eac1a4526b0119
SHA5122b71e7249cfb3dbe565f2845e9e70df7106a7d49059dc7c0b24e77a4bb42642750e91f0d8a12ee318976bb9bc124f2dda41cb6cf8cc4a3230f6af422db17b449
-
Filesize
355KB
MD58a6f1580a5b9b94d7cd47cc6b1af1b9a
SHA1e68768afd59e18091d345cb300e859572e8d4c5c
SHA256bb1464e75c750d90c0c49d148c9e64eefe0c29b2f670d708c8085ddd3104dbfe
SHA5121663a9e0868b3f5d7e1edd30259024e419c2d190ec8c31e76e66aef0c8a0e02da0c829584214b9e2f76cbd349a53bf77d01d03e9b0e9c8a99eb18021b1d53309
-
Filesize
91B
MD5fbcbd43fa00e29f002495e4ab2dc4782
SHA175aad7a3fa21226bf37ff89da953743d2b650dc0
SHA2567a58a034c76b65053744b7d2a443e487e1993aab50642a62f7f388d223e5f648
SHA5124f26971331fbe1d40e65d493f9417ebcca5e331b61285da2575629b7cd57bdb35ec480cf3ef9a1df48c949360ba9038797575a6181d79b52e1092e4f98bebb3e
-
Filesize
320KB
MD5329f3a2afc0d1aa4181a9dfae3e229b6
SHA1e3674ec352b466650c8b1482d4b7bee560167fa9
SHA2566730cfbcbcbc3dbf8e51357eaf73998f39f9cec525e9338a203ef346ecb71203
SHA5120ebee905dc8f3ee32b8e88b4b1d71de801f5b486264b810f3201d51f338a4b69316cb8febbfa90ddda35292de84b8da9a6c0c1a746c4cc94517f5365da9d8d50