Resubmissions
27-03-2024 17:10
240327-vp3klabh7y 1027-03-2024 17:07
240327-vnfdnsbh4w 327-03-2024 17:03
240327-vknwmsbg61 10Analysis
-
max time kernel
37s -
max time network
33s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
27-03-2024 17:10
Static task
static1
Behavioral task
behavioral1
Sample
SKRIPTGG-FIVEM-main.zip
Resource
win11-20240221-en
Behavioral task
behavioral2
Sample
SKRIPTGG-FIVEM-main/README.md
Resource
win11-20240221-en
Behavioral task
behavioral3
Sample
SKRIPTGG-FIVEM-main/Skript.rar
Resource
win11-20240221-en
Behavioral task
behavioral4
Sample
launcher.exe
Resource
win11-20240221-en
Behavioral task
behavioral5
Sample
SKRIPTGG-FIVEM-main/license.dll
Resource
win11-20240221-en
General
-
Target
SKRIPTGG-FIVEM-main/Skript.rar
-
Size
4.6MB
-
MD5
5ca1a9888343fce41dc19ee85d5728c6
-
SHA1
004851b9a5327782dfffc773c7d352c3de6fa341
-
SHA256
26ce31dad5149454c39376256c88397b1a2e6c4e8f66b42cbce9f2cd904132cc
-
SHA512
3d0b20640da4695b3a2c70e39269dd6a48777c97e451385c8aebc876a5db430744d594118f217185cb4816d6e9c12f7c254deccad8652b710fbb9f5a83a5bf46
-
SSDEEP
98304:xI/GiwtepY3UjkkABs7ieskoAPS1tgX3Fr1gnzWMbz4Y:xqlpY3UtA+GePS1tuunzWtY
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
svchost.exedescription pid Process procid_target PID 2132 created 3056 2132 svchost.exe 49 -
Executes dropped EXE 6 IoCs
Processes:
launcher.exeexplorer.exesvchost.exeexplorer.exeexplorer.exeexplorer.exepid Process 1504 launcher.exe 3512 explorer.exe 2132 svchost.exe 4632 explorer.exe 3364 explorer.exe 5020 explorer.exe -
Loads dropped DLL 14 IoCs
Processes:
explorer.exeexplorer.exepid Process 4632 explorer.exe 4632 explorer.exe 4632 explorer.exe 4632 explorer.exe 4632 explorer.exe 4632 explorer.exe 5020 explorer.exe 5020 explorer.exe 5020 explorer.exe 5020 explorer.exe 5020 explorer.exe 5020 explorer.exe 5020 explorer.exe 5020 explorer.exe -
Processes:
resource yara_rule behavioral3/files/0x000100000002a760-43.dat upx behavioral3/memory/4632-63-0x00007FFC933F0000-0x00007FFC93856000-memory.dmp upx behavioral3/files/0x000100000002a75c-62.dat upx behavioral3/files/0x000100000002a75b-61.dat upx behavioral3/files/0x000100000002a75a-60.dat upx behavioral3/files/0x000100000002a759-59.dat upx behavioral3/files/0x000100000002a757-58.dat upx behavioral3/files/0x000100000002a762-57.dat upx behavioral3/files/0x000100000002a761-56.dat upx behavioral3/files/0x000100000002a75e-55.dat upx behavioral3/files/0x000100000002a75f-54.dat upx behavioral3/files/0x000100000002a758-52.dat upx behavioral3/memory/4632-72-0x00007FFC93DF0000-0x00007FFC93E08000-memory.dmp upx behavioral3/memory/4632-73-0x00007FFC93DC0000-0x00007FFC93DEC000-memory.dmp upx behavioral3/memory/4632-75-0x00007FFC96C40000-0x00007FFC96C64000-memory.dmp upx behavioral3/memory/4632-71-0x00007FFC98F10000-0x00007FFC98F1F000-memory.dmp upx behavioral3/memory/4632-91-0x00007FFC933F0000-0x00007FFC93856000-memory.dmp upx behavioral3/memory/5020-118-0x00007FFC933F0000-0x00007FFC93856000-memory.dmp upx behavioral3/memory/5020-137-0x00007FFC98F10000-0x00007FFC98F28000-memory.dmp upx behavioral3/memory/5020-138-0x00007FFC96C30000-0x00007FFC96C5C000-memory.dmp upx behavioral3/memory/5020-139-0x00007FFC99070000-0x00007FFC9907D000-memory.dmp upx behavioral3/memory/5020-140-0x00007FFC96760000-0x00007FFC96779000-memory.dmp upx behavioral3/memory/5020-134-0x00007FFC96C60000-0x00007FFC96C84000-memory.dmp upx behavioral3/memory/5020-123-0x00007FFC99080000-0x00007FFC9908F000-memory.dmp upx behavioral3/memory/5020-169-0x00007FFC933F0000-0x00007FFC93856000-memory.dmp upx behavioral3/memory/5020-188-0x00007FFC96C60000-0x00007FFC96C84000-memory.dmp upx behavioral3/memory/5020-189-0x00007FFC933F0000-0x00007FFC93856000-memory.dmp upx behavioral3/memory/5020-196-0x00007FFC933F0000-0x00007FFC93856000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\explorer.exe" explorer.exe -
Detects Pyinstaller 3 IoCs
Processes:
resource yara_rule behavioral3/files/0x000100000002a753-13.dat pyinstaller behavioral3/files/0x000100000002a753-24.dat pyinstaller behavioral3/files/0x000100000002a753-16.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid Process 1388 taskkill.exe -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
7zFM.exepowershell.exesvchost.exedialer.exepid Process 1476 7zFM.exe 1476 7zFM.exe 640 powershell.exe 640 powershell.exe 1476 7zFM.exe 1476 7zFM.exe 1476 7zFM.exe 1476 7zFM.exe 1476 7zFM.exe 1476 7zFM.exe 1476 7zFM.exe 1476 7zFM.exe 1476 7zFM.exe 1476 7zFM.exe 2132 svchost.exe 2132 svchost.exe 1476 7zFM.exe 1476 7zFM.exe 4948 dialer.exe 4948 dialer.exe 4948 dialer.exe 4948 dialer.exe 1476 7zFM.exe 1476 7zFM.exe 1476 7zFM.exe 1476 7zFM.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
7zFM.exepid Process 1476 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
7zFM.exepowershell.exetaskkill.exedescription pid Process Token: SeRestorePrivilege 1476 7zFM.exe Token: 35 1476 7zFM.exe Token: SeSecurityPrivilege 1476 7zFM.exe Token: SeDebugPrivilege 640 powershell.exe Token: SeDebugPrivilege 1388 taskkill.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
7zFM.exepid Process 1476 7zFM.exe 1476 7zFM.exe -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
cmd.exe7zFM.exelauncher.exeexplorer.exeexplorer.execmd.exeexplorer.exeexplorer.exesvchost.exedescription pid Process procid_target PID 2324 wrote to memory of 1476 2324 cmd.exe 77 PID 2324 wrote to memory of 1476 2324 cmd.exe 77 PID 1476 wrote to memory of 1504 1476 7zFM.exe 80 PID 1476 wrote to memory of 1504 1476 7zFM.exe 80 PID 1476 wrote to memory of 1504 1476 7zFM.exe 80 PID 1504 wrote to memory of 640 1504 launcher.exe 81 PID 1504 wrote to memory of 640 1504 launcher.exe 81 PID 1504 wrote to memory of 640 1504 launcher.exe 81 PID 1504 wrote to memory of 3512 1504 launcher.exe 83 PID 1504 wrote to memory of 3512 1504 launcher.exe 83 PID 1504 wrote to memory of 2132 1504 launcher.exe 84 PID 1504 wrote to memory of 2132 1504 launcher.exe 84 PID 1504 wrote to memory of 2132 1504 launcher.exe 84 PID 3512 wrote to memory of 4632 3512 explorer.exe 85 PID 3512 wrote to memory of 4632 3512 explorer.exe 85 PID 4632 wrote to memory of 4936 4632 explorer.exe 86 PID 4632 wrote to memory of 4936 4632 explorer.exe 86 PID 4936 wrote to memory of 1388 4936 cmd.exe 88 PID 4936 wrote to memory of 1388 4936 cmd.exe 88 PID 4936 wrote to memory of 3364 4936 cmd.exe 91 PID 4936 wrote to memory of 3364 4936 cmd.exe 91 PID 3364 wrote to memory of 5020 3364 explorer.exe 92 PID 3364 wrote to memory of 5020 3364 explorer.exe 92 PID 5020 wrote to memory of 4912 5020 explorer.exe 93 PID 5020 wrote to memory of 4912 5020 explorer.exe 93 PID 2132 wrote to memory of 4948 2132 svchost.exe 95 PID 2132 wrote to memory of 4948 2132 svchost.exe 95 PID 2132 wrote to memory of 4948 2132 svchost.exe 95 PID 2132 wrote to memory of 4948 2132 svchost.exe 95 PID 2132 wrote to memory of 4948 2132 svchost.exe 95
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:3056
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4948
-
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\SKRIPTGG-FIVEM-main\Skript.rar1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SKRIPTGG-FIVEM-main\Skript.rar"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Users\Admin\AppData\Local\Temp\7zO4C5FB887\launcher.exe"C:\Users\Admin\AppData\Local\Temp\7zO4C5FB887\launcher.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZgBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcgBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAYQBjACMAPgA="4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640
-
-
C:\Users\Admin\AppData\Local\Temp\explorer.exe"C:\Users\Admin\AppData\Local\Temp\explorer.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Users\Admin\AppData\Local\Temp\explorer.exe"C:\Users\Admin\AppData\Local\Temp\explorer.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat6⤵
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\system32\taskkill.exetaskkill /f /im "explorer.exe"7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1388
-
-
C:\Users\Admin\explorer.exe"explorer.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Users\Admin\explorer.exe"explorer.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"9⤵PID:4912
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\svchost.exe"C:\Users\Admin\AppData\Local\svchost.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.7MB
MD5620024df612c13a4a33cf785384c2086
SHA1a6ae999723bea18c6d3acf2c52ed682f6226b7be
SHA256cd825788095cd61de39d98d6365ed80004cc55a64f4f115ef6bf532617bb0af1
SHA51234d4d8a423d98bf0b8d4f18dc980bed97e9492f0817bb1e2dff99fc8d9d0cfaa2687514eff7717b1310a2c858236614490e980390612901e08b69b6ded451bdd
-
Filesize
95KB
MD5f34eb034aa4a9735218686590cba2e8b
SHA12bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA2569d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
-
Filesize
47KB
MD5f6e387f20808828796e876682a328e98
SHA16679ae43b0634ac706218996bac961bef4138a02
SHA2568886bd30421c6c6bfae17847002b9bf4ee4d9eee1a3be7369ee66b36e26c372b
SHA512ad7cf281f2d830f9dbf66d8ef50e418b4a17a0144b6616c43d7e98b00e6f0cbafc6fe4aba4fabf2f008bb0df85553614b38ae303e5726621a804051d950e744e
-
Filesize
58KB
MD548ce90022e97f72114a95630ba43b8fb
SHA1f2eba0434ec204d8c6ca4f01af33ef34f09b52fd
SHA2565998de3112a710248d29df76a05272775bf08a8dbc5a051a7ecb909fef069635
SHA5127e6c2591805136f74c413b9633d5fdc4428e6f01e0e632b278bee98170b4f418ef2afd237c09e60b0e72076924ed0e3ffb0e2453e543b5e030b263f64568fab8
-
Filesize
105KB
MD52030438e4f397a7d4241a701a3ca2419
SHA128b8d06135cd1f784ccabda39432cc83ba22daf7
SHA25607d7ac065f25af2c7498d5d93b1551cc43a4d4b5e8fb2f9293b647d0f7bd7c72
SHA512767f2a9f9eef6ebeca95ab9652b7d0976f2ac87b9e9da1dbd3c4ccf58e8ecb0da8242f4df0b07612282c16ba85197ed0296d1052027cd48b96d61bdf678abaad
-
Filesize
35KB
MD513f99120a244ab62af1684fbbc5d5a7e
SHA15147a90082eb3cd2c34b7f2deb8a4ef24d7ae724
SHA25611658b52e7166da976abeeed78a940d69b2f11f518046877bea799759a17f58b
SHA51246c2f9f43df6de72458ed24c2a0433a6092fd5b49b3234135f06c19a80f18f8bdbfb297e5a411cf29f8c60af342c80db123959f7317cfa045c73bd6f835eb22d
-
Filesize
85KB
MD57c66f33a67fbb4d99041f085ef3c6428
SHA1e1384891df177b45b889459c503985b113e754a3
SHA25632f911e178fa9e4db9bd797598f84f9896f99e5022f2b76a1589b81f686b0866
SHA512d0caabd031fa0c63f4cfb79d8f3531ad85eda468d77a78dd3dde40ce9ac2d404fc0099c4f67579aa802fe5c6c6a464894fd88c19f1fc601f26189780b36f3f9d
-
Filesize
42KB
MD50dd957099cf15d172d0a343886fb7c66
SHA1950f7f15c6accffac699c5db6ce475365821b92a
SHA2568142d92dc7557e8c585ea9ee41146b77864b7529ed464fdf51dfb6d797828a4a
SHA5123dc0380dfc871d8cab7e95d6119f16be2f31cdde784f8f90ffddd6a43323a2988c61e343eede5e5cb347fc2af594fe8d8944644396faf2e478a3487bcf9cf9ee
-
Filesize
859KB
MD5483d9675ef53a13327e7dfc7d09f23fe
SHA12378f1db6292cd8dc4ad95763a42ad49aeb11337
SHA25670c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e
SHA512f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5
-
Filesize
1.1MB
MD5e5aecaf59c67d6dd7c7979dfb49ed3b0
SHA1b0a292065e1b3875f015277b90d183b875451450
SHA2569d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1
SHA512145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4
-
Filesize
23KB
MD56f818913fafe8e4df7fedc46131f201f
SHA1bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA2563f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA5125473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
Filesize
1.4MB
MD53f782cf7874b03c1d20ed90d370f4329
SHA108a2b4a21092321de1dcad1bb2afb660b0fa7749
SHA2562a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
SHA512950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857
-
Filesize
25KB
MD55c66bcf3cc3c364ecac7cf40ad28d8f0
SHA1faf0848c231bf120dc9f749f726c807874d9d612
SHA25626dada1a4730a51a0e3aa62e7abc7e6517a4dc48f02616e0b6e5291014a809cc
SHA512034cd4c70c4e0d95d6bb3f72751c07b8b91918aabe59abf9009c60aa22600247694d6b9e232fefff78868aad20f5f5548e8740659036096fab44b65f6c4f8db6
-
Filesize
289KB
MD5dfa1f0cd0ad295b31cb9dda2803bbd8c
SHA1cc68460feae2ff4e9d85a72be58c8011cb318bc2
SHA25646a90852f6651f20b7c89e71cc63f0154f00a0e7cd543f046020d5ec9ef6cb10
SHA5127fbdfd56e12c8f030483f4d033f1b920968ea87687e9896f418e9cf1b9e345e2be2dc8f1ea1a8afb0040a376ffb7a5dc0db27d84fb8291b50e2ed3b10c10168e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4.4MB
MD5aba4fcf0d72b487887f315202bc43ae4
SHA1de51440c742c58f52f3b7cc2a1fcda5abd3d1ca8
SHA2568f312c17c2a525ac9bc0838e4d9f69db5bb20478ffa4880fb3a8b98caf0e25ef
SHA512fed41d5eb4a61c43bb3032c0d0b3d347d6b89a06d2928155f2e0baa59295ae71d3e689c3c78a584f2db64fd5ab3a06578623a8d41d7055b535c4d2317aef2bf9
-
Filesize
3.6MB
MD51c58166821c2996a57c7c5cc94afcc6a
SHA1a518cb16ba7eebedd6aa66e6e45a910426727444
SHA256d36b123038a2d40fcf6fca7ba2a5b20648e0b82b3b65759109d53f4bb430bc89
SHA51244f337db1b4e32247ba4aee5f1d6ff764be8a056fff1871f7f1b2ed452317b071291d436c68266572e1b61236ea195d7e217ab87e63bf23cb5343c50e5bc8058
-
Filesize
4.2MB
MD51790216d83f58292e218f047c003963e
SHA1d6b4af9866f7e099d1db2acbdcb2dbf3e8ce1d1f
SHA2563ecb40da9e5660dba9a9ee702215d62c77143e9c5eeee09e241631b20453ba85
SHA512b34de3972c8813838fab8925738a53a896e57cdabcec6faa59f4f8811ac50ca49c2888c855c3a62645dbdecb2951bb25b7b6f0735347afc60481c978d6dff096
-
Filesize
355KB
MD58a6f1580a5b9b94d7cd47cc6b1af1b9a
SHA1e68768afd59e18091d345cb300e859572e8d4c5c
SHA256bb1464e75c750d90c0c49d148c9e64eefe0c29b2f670d708c8085ddd3104dbfe
SHA5121663a9e0868b3f5d7e1edd30259024e419c2d190ec8c31e76e66aef0c8a0e02da0c829584214b9e2f76cbd349a53bf77d01d03e9b0e9c8a99eb18021b1d53309
-
Filesize
91B
MD5fbcbd43fa00e29f002495e4ab2dc4782
SHA175aad7a3fa21226bf37ff89da953743d2b650dc0
SHA2567a58a034c76b65053744b7d2a443e487e1993aab50642a62f7f388d223e5f648
SHA5124f26971331fbe1d40e65d493f9417ebcca5e331b61285da2575629b7cd57bdb35ec480cf3ef9a1df48c949360ba9038797575a6181d79b52e1092e4f98bebb3e