Analysis
- max time kernel: 140s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-06-2024 22:06
Static task: static1
Behavioral task: behavioral1
- Sample: RubixLauncher.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: RubixLauncher.exe
- Resource: win10v2004-20240611-en
General
- Target: RubixLauncher.exe
- Size: 355KB
- MD5: 8a6f1580a5b9b94d7cd47cc6b1af1b9a
- SHA1: e68768afd59e18091d345cb300e859572e8d4c5c
- SHA256: bb1464e75c750d90c0c49d148c9e64eefe0c29b2f670d708c8085ddd3104dbfe
- SHA512: 1663a9e0868b3f5d7e1edd30259024e419c2d190ec8c31e76e66aef0c8a0e02da0c829584214b9e2f76cbd349a53bf77d01d03e9b0e9c8a99eb18021b1d53309
- SSDEEP: 6144:g2qezd2ab1/RuHk+M3k8M3W7XomjOJCqshrOlumY6DMIewgxQfqhsb:gf2R/EEkCQFYDwRqW
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes: RubixLauncher.exe
    description            pid   process            target process
    PID 3808 created 3048  3808  RubixLauncher.exe  sihost.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: RubixLauncher.exe, dialer.exe
    pid   process
    3808  RubixLauncher.exe
    3808  RubixLauncher.exe
    3208  dialer.exe
    3208  dialer.exe
    3208  dialer.exe
    3208  dialer.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: RubixLauncher.exe
    description                       pid   process            target process
    PID 3808 wrote to memory of 3208  3808  RubixLauncher.exe  dialer.exe
    PID 3808 wrote to memory of 3208  3808  RubixLauncher.exe  dialer.exe
    PID 3808 wrote to memory of 3208  3808  RubixLauncher.exe  dialer.exe
    PID 3808 wrote to memory of 3208  3808  RubixLauncher.exe  dialer.exe
    PID 3808 wrote to memory of 3208  3808  RubixLauncher.exe  dialer.exe
Processes
- [level 1] C:\Windows\system32\sihost.exe
  command line: sihost.exe
  - [level 2] C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses
- [level 1] C:\Users\Admin\AppData\Local\Temp\RubixLauncher.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\RubixLauncher.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [level 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3708,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
Downloads
- memory/3208-16-0x00000000769D0000-0x0000000076BE5000-memory.dmp (Filesize: 2.1MB)
- memory/3208-15-0x0000000002770000-0x0000000002B70000-memory.dmp (Filesize: 4.0MB)
- memory/3208-12-0x00007FF801F30000-0x00007FF802125000-memory.dmp (Filesize: 2.0MB)
- memory/3208-17-0x0000000002770000-0x0000000002B70000-memory.dmp (Filesize: 4.0MB)
- memory/3208-14-0x0000000002770000-0x0000000002B70000-memory.dmp (Filesize: 4.0MB)
- memory/3208-8-0x0000000000C50000-0x0000000000C59000-memory.dmp (Filesize: 36KB)
- memory/3208-10-0x0000000002770000-0x0000000002B70000-memory.dmp (Filesize: 4.0MB)
- memory/3808-1-0x0000000003FF0000-0x00000000043F0000-memory.dmp (Filesize: 4.0MB)
- memory/3808-7-0x00000000769D0000-0x0000000076BE5000-memory.dmp (Filesize: 2.1MB)
- memory/3808-0-0x0000000000EC0000-0x0000000000F2D000-memory.dmp (Filesize: 436KB)
- memory/3808-11-0x0000000000EC0000-0x0000000000F2D000-memory.dmp (Filesize: 436KB)
- memory/3808-5-0x0000000003FF0000-0x00000000043F0000-memory.dmp (Filesize: 4.0MB)
- memory/3808-4-0x00007FF801F30000-0x00007FF802125000-memory.dmp (Filesize: 2.0MB)
- memory/3808-3-0x0000000003FF0000-0x00000000043F0000-memory.dmp (Filesize: 4.0MB)
- memory/3808-2-0x0000000003FF0000-0x00000000043F0000-memory.dmp (Filesize: 4.0MB)