General

  • Target

    ZeroLauncher.exe

  • Size

    19KB

  • Sample

    241004-fjt9psvgpn

  • MD5

    982e4ae4559538cfb529dfaff0507880

  • SHA1

    a3b0e3989d6e40792134286e40448004ebeda077

  • SHA256

    95a08f9fd8741d2b265a43143289af012ca24cee776609bc79337d63988246fd

  • SHA512

    35d23d332c0389b3d3e7086613e60d73c158a7dd408bc4320ccb10aba8c2755ea99bf0d484cd257d53d42a6fe95a9bab0c606e7c580039aa5334767a4096662f

  • SSDEEP

    384:/LVHmcPXblyCKGK9dnORWsK7PPZzcuIYZKJHtZW39cDpbJO:/hHHPbICKJEW7PPeQKy6db

Malware Config

Targets

    • Target

      ZeroLauncher.exe

    • Size

      19KB

    • MD5

      982e4ae4559538cfb529dfaff0507880

    • SHA1

      a3b0e3989d6e40792134286e40448004ebeda077

    • SHA256

      95a08f9fd8741d2b265a43143289af012ca24cee776609bc79337d63988246fd

    • SHA512

      35d23d332c0389b3d3e7086613e60d73c158a7dd408bc4320ccb10aba8c2755ea99bf0d484cd257d53d42a6fe95a9bab0c606e7c580039aa5334767a4096662f

    • SSDEEP

      384:/LVHmcPXblyCKGK9dnORWsK7PPZzcuIYZKJHtZW39cDpbJO:/hHHPbICKJEW7PPeQKy6db

    • Modifies security service

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks