Analysis
max time kernel: 147s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-04-2024 16:35
Behavioral task: behavioral1
Sample: Launcher4.exe
Resource: win7-20231129-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: Launcher4.exe
Resource: win10v2004-20240226-en
8 signatures, 150 seconds
General
Target: Launcher4.exe
Size: 715.8MB
MD5: d2d31ee6465d2de3659494732edae87f
SHA1: 962e006c9fcf03a4ec834ab2e8506f924a787819
SHA256: 43302fd5ef74a7c1e9c4e2c899b3828851502b64917d77be603243c741a42043
SHA512: ca5b3a8c740bc564fcb3f5a19e4d203ce51f314f9ef88c6809f79a1bd52d17aa3f6d6f4deaba2f962d6023d445adbdfb7d54be46451d187fcf50c9baeecf6db5
SSDEEP: 6144:TXmSsdKbgJvF/zdzImDFtJnyf5BtY8NIFPQc0GLNaLXXFxL7SJ7Hr75zPgsCy0/X:NYKgR/FOftuSGwF57G9P6yvIYl9b2
Score: 10/10
Malware Config
Signatures
Detect ZGRat V1 (1 IoC)
Processes:
resource                                                                    yara_rule
behavioral2/memory/4252-0-0x0000000000120000-0x00000000001A8000-memory.dmp  family_zgrat_v1

Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
description             pid   process      target process
PID 4940 created 2552   4940  RegAsm.exe   sihost.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
description                            pid   process         target process
PID 4252 set thread context of 4940    4252  Launcher4.exe   RegAsm.exe

Program crash (2 IoCs)
Processes:
pid   pid_target  process       target process
4332  4940        WerFault.exe  RegAsm.exe
2964  4940        WerFault.exe  RegAsm.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid   process
4940  RegAsm.exe
4940  RegAsm.exe
720   dialer.exe
720   dialer.exe
720   dialer.exe
720   dialer.exe

Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
description                         pid   process         target process
PID 4252 wrote to memory of 3224    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 3224    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 3224    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 3048    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 3048    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 3048    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 3856    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 3856    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 3856    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 4940    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 4940    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 4940    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 4940    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 4940    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 4940    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 4940    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 4940    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 4940    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 4940    4252  Launcher4.exe   RegAsm.exe
PID 4252 wrote to memory of 4940    4252  Launcher4.exe   RegAsm.exe
PID 4940 wrote to memory of 720     4940  RegAsm.exe      dialer.exe
PID 4940 wrote to memory of 720     4940  RegAsm.exe      dialer.exe
PID 4940 wrote to memory of 720     4940  RegAsm.exe      dialer.exe
PID 4940 wrote to memory of 720     4940  RegAsm.exe      dialer.exe
PID 4940 wrote to memory of 720     4940  RegAsm.exe      dialer.exe
Processes (indented by parent/child)

C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2552
    C:\Windows\SysWOW64\dialer.exe
      command line: "C:\Windows\system32\dialer.exe"
      - Suspicious behavior: EnumeratesProcesses
      PID: 720

C:\Users\Admin\AppData\Local\Temp\Launcher4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Launcher4.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4252
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 3224
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 3048
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 3856
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 4940
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 640
          - Program crash
          PID: 4332
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 660
          - Program crash
          PID: 2964

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4940 -ip 4940
  PID: 3804

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4940 -ip 4940
  PID: 1008