Analysis
- max time kernel: 30s
- max time network: 23s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 20-04-2024 22:56
Static task: static1
Behavioral task: behavioral1 (sample Unlimited_Crack.exe, resource win10-20240404-en)
Behavioral task: behavioral2 (sample Unlimited_Crack.exe, resource win7-20240221-en)
Behavioral task: behavioral3 (sample Unlimited_Crack.exe, resource win10-20240404-en)
Behavioral task: behavioral4 (sample Unlimited_Crack.exe, resource win10v2004-20240226-en)
Behavioral task: behavioral5 (sample Unlimited_Crack.exe, resource win11-20240412-en)
General
- Target: Unlimited_Crack.exe
- Size: 364KB
- MD5: 1b8fb8b2b74de6c36c0bf69a0d2f5664
- SHA1: 8ea83f1e865a9486b7d9a715728af845db23f63c
- SHA256: 6e217c13ce7f7104b9e251f715ed0191d1c6751cd9c4b352320c0314fafbe57e
- SHA512: 84dc5ec442558e21bc316dd0745c44d1b57be65c2d8b3326d3c42808977960249ccd9836d7f5fc7e8a17b8d27bf6ebb9671c4a5908f9a1c74c66397ef8859898
- SSDEEP: 6144:49iJkovicebiNJ0mL2lvArd15G1Yct56vTN19z7yY2lg7mlm1gWnOayBsBGaCv/u:NhaPbiNJFLSAp15Qdsj952ymlxWnjLIu
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  PID 4300 created 3012 | pid 4300 RegAsm.exe | target process sihost.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 4404 set thread context of 4300 | pid 4404 Unlimited_Crack.exe | target process RegAsm.exe
Drops file in Windows directory (2 IoCs)
Processes:
  File created C:\Windows\rescache\_merged\4183903823\2290032291.pri | taskmgr.exe
  File created C:\Windows\rescache\_merged\1601268389\715946058.pri | taskmgr.exe
Program crash (2 IoCs)
Processes:
  pid 1632 WerFault.exe | pid_target 4300 RegAsm.exe
  pid 1892 WerFault.exe | pid_target 4300 RegAsm.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments; here the disk enumeration key names a QEMU virtual disk (Ven_QEMU, Prod_HARDDISK), which identifies the hypervisor the report was produced on. Note that in this run all three reads are attributed to taskmgr.exe (pid 1560), which the process tree shows as a separate top-level process, not to the sample or to the processes it injects into.
Processes:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Modifies registry class (1 IoC)
Processes:
  Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings | taskmgr.exe
Suspicious behavior: EnumeratesProcesses (36 IoCs)
Processes:
  pid 1560 taskmgr.exe (30 rows)
  pid 4300 RegAsm.exe (2 rows)
  pid 3708 dialer.exe (4 rows)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege | pid 1560 taskmgr.exe
  Token: SeSystemProfilePrivilege | pid 1560 taskmgr.exe
  Token: SeCreateGlobalPrivilege | pid 1560 taskmgr.exe
Suspicious use of FindShellTrayWindow (40 IoCs)
Processes:
  pid 1560 taskmgr.exe (40 rows)
Suspicious use of SendNotifyMessage (40 IoCs)
Processes:
  pid 1560 taskmgr.exe (40 rows)
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  PID 4404 wrote to memory of 4300 | pid 4404 Unlimited_Crack.exe | target process RegAsm.exe (11 rows)
  PID 4300 wrote to memory of 3708 | pid 4300 RegAsm.exe | target process dialer.exe (5 rows)
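The following Python is an added triage example, not part of the sandbox report and not tooling from the sandbox vendor. It takes the cross-process rows above (SetThreadContext, WriteProcessMemory, NtCreateUserProcessOtherParentProcess) and the single-process rows (SCSI registry reads, AdjustPrivilegeToken, EnumeratesProcesses) and answers two questions an analyst asks of a report like this: which PIDs form the sample's injection chain (SetThreadContext plus WriteProcessMemory on the same pair is the classic process-hollowing shape), and which signatures fired from processes outside that chain. The row values are transcribed from this report; the grouping rules, the reading of the NtCreateUserProcess row's target column as the impersonated parent (the report's own tree shows dialer.exe under sihost.exe while RegAsm.exe writes into it), and the per-process row counts are this example's assumptions.

```python
"""Attribute sandbox signature rows to the sample's process lineage.

Editorial example built from the rows of this report; the classification
logic is an assumption about how the rows should be read, not the sandbox's.
"""
from collections import defaultdict

SAMPLE_PID = 4404  # Unlimited_Crack.exe, root of the sample's process tree

# Cross-process rows transcribed from the report.
# Fields: (signature, actor_pid, actor_image, target_pid, target_image)
CROSS_PROCESS = [
    ("SetThreadContext",   4404, "Unlimited_Crack.exe", 4300, "RegAsm.exe"),
    ("WriteProcessMemory", 4404, "Unlimited_Crack.exe", 4300, "RegAsm.exe"),
    ("WriteProcessMemory", 4300, "RegAsm.exe",          3708, "dialer.exe"),
    # Assumption: for this signature the target column is the process being
    # claimed as parent (PPID spoofing), not a process the actor controls.
    ("NtCreateUserProcessOtherParentProcess", 4300, "RegAsm.exe", 3012, "sihost.exe"),
]

# Single-process rows transcribed from the report, with row counts.
# Fields: (signature, pid, image, rows)
SINGLE_PROCESS = [
    ("Checks SCSI registry key(s)",              1560, "taskmgr.exe", 3),
    ("Suspicious use of AdjustPrivilegeToken",   1560, "taskmgr.exe", 3),
    ("Suspicious behavior: EnumeratesProcesses", 1560, "taskmgr.exe", 30),
    ("Suspicious behavior: EnumeratesProcesses", 4300, "RegAsm.exe",  2),
    ("Suspicious behavior: EnumeratesProcesses", 3708, "dialer.exe",  4),
]

INJECT_SIGS = {"SetThreadContext", "WriteProcessMemory"}


def lineage(sample_pid, rows):
    """PIDs the sample reaches through memory-write / thread-context edges.

    Parent-spoofing rows are excluded on purpose: their target is the
    process impersonated as parent, not one the sample has written into.
    """
    edges = defaultdict(set)
    for sig, src, _, dst, _ in rows:
        if sig in INJECT_SIGS:
            edges[src].add(dst)
    seen, todo = set(), [sample_pid]
    while todo:
        pid = todo.pop()
        if pid not in seen:
            seen.add(pid)
            todo.extend(edges[pid])
    return seen


def hollowing_candidates(rows):
    """(actor, target) pairs showing both a thread-context swap and a memory
    write, the RunPE / process-hollowing pattern."""
    by_pair = defaultdict(set)
    for sig, src, _, dst, _ in rows:
        if sig in INJECT_SIGS:
            by_pair[(src, dst)].add(sig)
    return sorted(pair for pair, sigs in by_pair.items() if sigs == INJECT_SIGS)


def spoofed_parents(rows):
    """(actor_pid, claimed_parent_image) for every PPID-spoofing row."""
    return [(src, dst_img) for sig, src, _, _, dst_img in rows
            if sig == "NtCreateUserProcessOtherParentProcess"]


def attribute(sample_pid, cross_rows, single_rows):
    """Split single-process signatures into those raised by the sample's
    lineage and those raised by unrelated processes in the same VM."""
    inside = lineage(sample_pid, cross_rows)
    mine, noise = [], []
    for row in single_rows:
        (mine if row[1] in inside else noise).append(row)
    return mine, noise


if __name__ == "__main__":
    print("lineage       :", sorted(lineage(SAMPLE_PID, CROSS_PROCESS)))
    print("hollowing     :", hollowing_candidates(CROSS_PROCESS))
    print("ppid spoofing :", spoofed_parents(CROSS_PROCESS))
    mine, noise = attribute(SAMPLE_PID, CROSS_PROCESS, SINGLE_PROCESS)
    for row in mine:
        print("sample lineage:", row)
    for row in noise:
        print("unrelated     :", row)
```

Run as a script it prints the lineage {4404, 4300, 3708}, the single hollowing pair (4404 -> 4300), the spoofed parent sihost.exe, and sorts every taskmgr.exe row (including the SCSI/QEMU registry reads) into the "unrelated" bucket, which is the caveat to carry into any write-up: the anti-sandbox signature on this page is not evidence of the sample checking for a VM.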
Processes
- c:\windows\system32\sihost.exe
  command line: sihost.exe
  - C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\Unlimited_Crack.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Unlimited_Crack.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 584
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 600
      - Program crash
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/3708-24-0x0000000000BE0000-0x0000000000BE9000-memory.dmp (36KB)
- memory/3708-34-0x0000000004A80000-0x0000000004E80000-memory.dmp (4.0MB)
- memory/3708-32-0x00007FFFD96C0000-0x00007FFFD989B000-memory.dmp (1.9MB)
- memory/3708-31-0x0000000074900000-0x0000000074AC2000-memory.dmp (1.8MB)
- memory/3708-30-0x0000000004A80000-0x0000000004E80000-memory.dmp (4.0MB)
- memory/3708-28-0x00007FFFD96C0000-0x00007FFFD989B000-memory.dmp (1.9MB)
- memory/3708-26-0x0000000004A80000-0x0000000004E80000-memory.dmp (4.0MB)
- memory/3708-27-0x0000000004A80000-0x0000000004E80000-memory.dmp (4.0MB)
- memory/4300-11-0x0000000000400000-0x000000000046D000-memory.dmp (436KB)
- memory/4300-7-0x0000000000400000-0x000000000046D000-memory.dmp (436KB)
- memory/4300-20-0x00007FFFD96C0000-0x00007FFFD989B000-memory.dmp (1.9MB)
- memory/4300-21-0x0000000003A40000-0x0000000003E40000-memory.dmp (4.0MB)
- memory/4300-23-0x0000000074900000-0x0000000074AC2000-memory.dmp (1.8MB)
- memory/4300-18-0x0000000003A40000-0x0000000003E40000-memory.dmp (4.0MB)
- memory/4300-17-0x0000000003A40000-0x0000000003E40000-memory.dmp (4.0MB)
- memory/4300-33-0x0000000003A40000-0x0000000003E40000-memory.dmp (4.0MB)
- memory/4300-4-0x0000000000400000-0x000000000046D000-memory.dmp (436KB)
- memory/4300-19-0x0000000003A40000-0x0000000003E40000-memory.dmp (4.0MB)
- memory/4404-9-0x0000000073ED0000-0x00000000745BE000-memory.dmp (6.9MB)
- memory/4404-0-0x0000000000E10000-0x0000000000E72000-memory.dmp (392KB)
- memory/4404-10-0x00000000033B0000-0x00000000053B0000-memory.dmp (32.0MB)
- memory/4404-1-0x0000000073ED0000-0x00000000745BE000-memory.dmp (6.9MB)
- memory/4404-35-0x00000000033B0000-0x00000000053B0000-memory.dmp (32.0MB)