Analysis
- max time kernel: 144s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-04-2024 19:37
Static task
- static1: 1 signature
Behavioral task
- behavioral1: sample g2m.dll, resource win7-20240319-en, 1 signature, 150 seconds
Behavioral task
- behavioral2: sample g2m.dll, resource win10v2004-20240226-en, 5 signatures, 150 seconds
General
- Target: g2m.dll
- Size: 130.0MB
- MD5: 0722be7f0411d54e95107a11836c6e03
- SHA1: b39f9247119b18fc9c846f73c810f426015b964b
- SHA256: 8814bdaaf5c686485ef864c25e2524e662dcfc37a393b0d8faa8d74a556df4b3
- SHA512: 0116217df19b9cc76c0301a7838fb08221a71696d9dc4c82895faae67d8495bd63b4b61d2fa0c8a3a76311faac3d85f2a95b16c8a47ade3e428102769323d13b
- SSDEEP: 786432:fUP7GCGO7b0Srkx/tC0SzIdSwh/WxbpNHQD3trzRp:fUP7GCG64Srkx1hSzYsHQD3t/R
Score
10/10
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (regsvr32.exe):
  description             pid   process       target process
  PID 1380 created 2484   1380  regsvr32.exe  sihost.exe
- Program crash (1 IoC)
  Processes (WerFault.exe):
  pid   pid_target  process       target process
  2604  1380        WerFault.exe  regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (regsvr32.exe, dialer.exe):
  pid   process
  1380  regsvr32.exe
  1380  regsvr32.exe
  1380  regsvr32.exe
  1380  regsvr32.exe
  4776  dialer.exe
  4776  dialer.exe
  4776  dialer.exe
  4776  dialer.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (regsvr32.exe, regsvr32.exe):
  description                        pid   process       target process
  PID 4660 wrote to memory of 1380   4660  regsvr32.exe  regsvr32.exe
  PID 4660 wrote to memory of 1380   4660  regsvr32.exe  regsvr32.exe
  PID 4660 wrote to memory of 1380   4660  regsvr32.exe  regsvr32.exe
  PID 1380 wrote to memory of 4776   1380  regsvr32.exe  dialer.exe
  PID 1380 wrote to memory of 4776   1380  regsvr32.exe  dialer.exe
  PID 1380 wrote to memory of 4776   1380  regsvr32.exe  dialer.exe
  PID 1380 wrote to memory of 4776   1380  regsvr32.exe  dialer.exe
  PID 1380 wrote to memory of 4776   1380  regsvr32.exe  dialer.exe
Processes
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2484
  - C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    Suspicious behavior: EnumeratesProcesses
    PID: 4776
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\g2m.dll
  Suspicious use of WriteProcessMemory
  PID: 4660
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\g2m.dll
    Suspicious use of NtCreateUserProcessOtherParentProcess
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID: 1380
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 896
      Program crash
      PID: 2604
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1380 -ip 1380
  PID: 3184