Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-04-2024 19:53
Behavioral task behavioral1
- Sample: Leonardo_Al/LeonardoAl_Setup.exe
- Resource: win7-20240220-en

Behavioral task behavioral2
- Sample: Leonardo_Al/LeonardoAl_Setup.exe
- Resource: win10v2004-20240319-en

Behavioral task behavioral3
- Sample: Leonardo_Al/Update_Leo.pdf
- Resource: win7-20240221-en

Behavioral task behavioral4
- Sample: Leonardo_Al/Update_Leo.pdf
- Resource: win10v2004-20240226-en

Behavioral task behavioral5
- Sample: Leonardo_Al/g2m.dll
- Resource: win7-20240221-en

Behavioral task behavioral6
- Sample: Leonardo_Al/g2m.dll
- Resource: win10v2004-20240226-en
General
- Target: Leonardo_Al/g2m.dll
- Size: 130.0MB
- MD5: 0722be7f0411d54e95107a11836c6e03
- SHA1: b39f9247119b18fc9c846f73c810f426015b964b
- SHA256: 8814bdaaf5c686485ef864c25e2524e662dcfc37a393b0d8faa8d74a556df4b3
- SHA512: 0116217df19b9cc76c0301a7838fb08221a71696d9dc4c82895faae67d8495bd63b4b61d2fa0c8a3a76311faac3d85f2a95b16c8a47ade3e428102769323d13b
- SSDEEP: 786432:fUP7GCGO7b0Srkx/tC0SzIdSwh/WxbpNHQD3trzRp:fUP7GCG64Srkx1hSzYsHQD3t/R
Malware Config
Signatures
- Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

- Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: regsvr32.exe
description              pid   process       target process
PID 4864 created 2608    4864  regsvr32.exe  sihost.exe

- Program crash 1 IoCs
Processes: WerFault.exe
pid   pid_target  process       target process
1296  4864        WerFault.exe  regsvr32.exe

- Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: regsvr32.exe, dialer.exe
pid   process
4864  regsvr32.exe
4864  regsvr32.exe
4864  regsvr32.exe
4864  regsvr32.exe
4204  dialer.exe
4204  dialer.exe
4204  dialer.exe
4204  dialer.exe

- Suspicious use of WriteProcessMemory 8 IoCs
Processes: regsvr32.exe, regsvr32.exe
description                        pid   process       target process
PID 2944 wrote to memory of 4864   2944  regsvr32.exe  regsvr32.exe
PID 2944 wrote to memory of 4864   2944  regsvr32.exe  regsvr32.exe
PID 2944 wrote to memory of 4864   2944  regsvr32.exe  regsvr32.exe
PID 4864 wrote to memory of 4204   4864  regsvr32.exe  dialer.exe
PID 4864 wrote to memory of 4204   4864  regsvr32.exe  dialer.exe
PID 4864 wrote to memory of 4204   4864  regsvr32.exe  dialer.exe
PID 4864 wrote to memory of 4204   4864  regsvr32.exe  dialer.exe
PID 4864 wrote to memory of 4204   4864  regsvr32.exe  dialer.exe
Processes
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2608
  - C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    Suspicious behavior: EnumeratesProcesses
    PID: 4204
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\g2m.dll
  Suspicious use of WriteProcessMemory
  PID: 2944
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\g2m.dll
    Suspicious use of NtCreateUserProcessOtherParentProcess
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID: 4864
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 892
      Program crash
      PID: 1296
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4864 -ip 4864
  PID: 4020