Analysis
max time kernel: 93s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-04-2024 16:41
Behavioral task: behavioral1
Sample: Launcher6.exe
Resource: win7-20240221-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: Launcher6.exe
Resource: win10v2004-20240226-en
8 signatures, 150 seconds
General
Target: Launcher6.exe
Size: 522KB
MD5: 019fbd8634db0f2b0ed63311956a72cf
SHA1: 54af4f9d712ac5131d07fd29523a21fe970d93ab
SHA256: 6265ca0426b503618b3b48a5a423cb3d4798ab1208e8716aab8d5cee2cab9196
SHA512: 15be568f5f01caf9a0c12c43e32f1104397652619d306cd82ae28326bfe391664c98fd5c48e624736ab38c33c27d92b1678849acd7877b3555336b48a4383e1e
SSDEEP: 6144:TXmSsdKbgJvF/zdzImDFtJnyf5BtY8NIFPQc0GLNaLXXFxL7SJ7Hr75zPgsCy0/X:NYKgR/FOftuSGwF57G9P6yvIYl9b2
Score: 10/10
Malware Config
Signatures
Detect ZGRat V1 (1 IoC)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4628-0-0x0000000000D40000-0x0000000000DC8000-memory.dmp  family_zgrat_v1
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description               pid   process     target process
  PID 2248 created 2832     2248  RegAsm.exe  sihost.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                           pid   process        target process
  PID 4628 set thread context of 2248   4628  Launcher6.exe  RegAsm.exe

Program crash (2 IoCs)
Processes:
  pid   pid_target  process       target process
  3772  2248        WerFault.exe  RegAsm.exe
  1528  2248        WerFault.exe  RegAsm.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process
  2248  RegAsm.exe
  2248  RegAsm.exe
  2376  dialer.exe
  2376  dialer.exe
  2376  dialer.exe
  2376  dialer.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                        pid   process        target process
  PID 4628 wrote to memory of 2248   4628  Launcher6.exe  RegAsm.exe
  PID 4628 wrote to memory of 2248   4628  Launcher6.exe  RegAsm.exe
  PID 4628 wrote to memory of 2248   4628  Launcher6.exe  RegAsm.exe
  PID 4628 wrote to memory of 2248   4628  Launcher6.exe  RegAsm.exe
  PID 4628 wrote to memory of 2248   4628  Launcher6.exe  RegAsm.exe
  PID 4628 wrote to memory of 2248   4628  Launcher6.exe  RegAsm.exe
  PID 4628 wrote to memory of 2248   4628  Launcher6.exe  RegAsm.exe
  PID 4628 wrote to memory of 2248   4628  Launcher6.exe  RegAsm.exe
  PID 4628 wrote to memory of 2248   4628  Launcher6.exe  RegAsm.exe
  PID 4628 wrote to memory of 2248   4628  Launcher6.exe  RegAsm.exe
  PID 4628 wrote to memory of 2248   4628  Launcher6.exe  RegAsm.exe
  PID 2248 wrote to memory of 2376   2248  RegAsm.exe     dialer.exe
  PID 2248 wrote to memory of 2376   2248  RegAsm.exe     dialer.exe
  PID 2248 wrote to memory of 2376   2248  RegAsm.exe     dialer.exe
  PID 2248 wrote to memory of 2376   2248  RegAsm.exe     dialer.exe
  PID 2248 wrote to memory of 2376   2248  RegAsm.exe     dialer.exe
Processes (process tree; indentation shows parent/child depth)

C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2832
    C:\Windows\SysWOW64\dialer.exe
      command line: "C:\Windows\system32\dialer.exe"
      Suspicious behavior: EnumeratesProcesses
      PID: 2376

C:\Users\Admin\AppData\Local\Temp\Launcher6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Launcher6.exe"
  Suspicious use of SetThreadContext
  Suspicious use of WriteProcessMemory
  PID: 4628
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID: 2248
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 592
          Program crash
          PID: 3772
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 588
          Program crash
          PID: 1528

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2248 -ip 2248
  PID: 4172

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2248 -ip 2248
  PID: 3524