Analysis
- max time kernel: 36s
- max time network: 47s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-04-2024 22:56
- Static task static1
- Behavioral task behavioral1: Sample Unlimited_Crack.exe, Resource win10-20240404-en
- Behavioral task behavioral2: Sample Unlimited_Crack.exe, Resource win7-20240221-en
- Behavioral task behavioral3: Sample Unlimited_Crack.exe, Resource win10-20240404-en
- Behavioral task behavioral4: Sample Unlimited_Crack.exe, Resource win10v2004-20240226-en
- Behavioral task behavioral5: Sample Unlimited_Crack.exe, Resource win11-20240412-en
General
- Target: Unlimited_Crack.exe
- Size: 364KB
- MD5: 1b8fb8b2b74de6c36c0bf69a0d2f5664
- SHA1: 8ea83f1e865a9486b7d9a715728af845db23f63c
- SHA256: 6e217c13ce7f7104b9e251f715ed0191d1c6751cd9c4b352320c0314fafbe57e
- SHA512: 84dc5ec442558e21bc316dd0745c44d1b57be65c2d8b3326d3c42808977960249ccd9836d7f5fc7e8a17b8d27bf6ebb9671c4a5908f9a1c74c66397ef8859898
- SSDEEP: 6144:49iJkovicebiNJ0mL2lvArd15G1Yct56vTN19z7yY2lg7mlm1gWnOayBsBGaCv/u:NhaPbiNJFLSAp15Qdsj952ymlxWnjLIu
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes:
    description             pid  process     target process
    PID 656 created 2420    656  RegAsm.exe  sihost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                         pid   process              target process
    PID 2876 set thread context of 656  2876  Unlimited_Crack.exe  RegAsm.exe
- Program crash (2 IoCs)
  Processes:
    pid   pid_target  process       target process
    2024  656         WerFault.exe  RegAsm.exe
    5028  656         WerFault.exe  RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid   process     occurrences
    656   RegAsm.exe  2
    4192  dialer.exe  4
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description                      pid   process              target process  occurrences
    PID 2876 wrote to memory of 656  2876  Unlimited_Crack.exe  RegAsm.exe      11
    PID 656 wrote to memory of 4192  656   RegAsm.exe           dialer.exe      5
Processes (indented by process-tree depth)
- C:\Windows\system32\sihost.exe  (cmdline: sihost.exe)
  - C:\Windows\SysWOW64\dialer.exe  (cmdline: "C:\Windows\system32\dialer.exe")
    signatures: Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\Unlimited_Crack.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\Unlimited_Crack.exe")
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe")
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe  (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 588)
      signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe  (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 624)
      signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe  (cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 656 -ip 656)
- C:\Windows\SysWOW64\WerFault.exe  (cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 656 -ip 656)
Network
MITRE ATT&CK Matrix
Downloads
  file                                                             size
  memory/656-15-0x00007FF98FED0000-0x00007FF9900C5000-memory.dmp   2.0MB
  memory/656-4-0x0000000000400000-0x000000000046D000-memory.dmp    436KB
  memory/656-27-0x0000000003A50000-0x0000000003E50000-memory.dmp   4.0MB
  memory/656-18-0x0000000077750000-0x0000000077965000-memory.dmp   2.1MB
  memory/656-16-0x0000000003A50000-0x0000000003E50000-memory.dmp   4.0MB
  memory/656-10-0x0000000000400000-0x000000000046D000-memory.dmp   436KB
  memory/656-11-0x0000000000400000-0x000000000046D000-memory.dmp   436KB
  memory/656-12-0x0000000003A50000-0x0000000003E50000-memory.dmp   4.0MB
  memory/656-13-0x0000000003A50000-0x0000000003E50000-memory.dmp   4.0MB
  memory/656-14-0x0000000003A50000-0x0000000003E50000-memory.dmp   4.0MB
  memory/2876-8-0x0000000074FE0000-0x0000000075790000-memory.dmp   7.7MB
  memory/2876-1-0x00000000008D0000-0x0000000000932000-memory.dmp   392KB
  memory/2876-6-0x0000000002D10000-0x0000000004D10000-memory.dmp   32.0MB
  memory/2876-0-0x0000000074FE0000-0x0000000075790000-memory.dmp   7.7MB
  memory/4192-19-0x0000000000920000-0x0000000000929000-memory.dmp  36KB
  memory/4192-21-0x0000000002760000-0x0000000002B60000-memory.dmp  4.0MB
  memory/4192-22-0x0000000002760000-0x0000000002B60000-memory.dmp  4.0MB
  memory/4192-23-0x00007FF98FED0000-0x00007FF9900C5000-memory.dmp  2.0MB
  memory/4192-25-0x0000000002760000-0x0000000002B60000-memory.dmp  4.0MB
  memory/4192-26-0x0000000077750000-0x0000000077965000-memory.dmp  2.1MB
  memory/4192-28-0x0000000002760000-0x0000000002B60000-memory.dmp  4.0MB