Overview

overview

10

Static

static

3

Reaper.zip

windows10-2004-x64

1

Reaper/Rea...er.exe

windows10-2004-x64

3

Reaper/Rea...ts.dll

windows10-2004-x64

1

Reaper/Rea...er.exe

windows10-2004-x64

10

Reaper/Rea...config

windows10-2004-x64

3

Reaper/Rea...bot.js

windows10-2004-x64

1

Reaper/Rea... v2.js

windows10-2004-x64

1

Reaper/Rea...y 2.js

windows10-2004-x64

1

Reaper/Rea...or.dll

windows10-2004-x64

1

Resubmissions

20-04-2024 17:13

240420-vrrwwadh2z 10

12-03-2024 21:36

240312-1f3f5adc57 10

10-03-2024 04:41

240310-fbmjwscd28 10

10-03-2024 04:40

240310-fan2bscc93 10

10-03-2024 04:38

240310-e9wd1scc82 10

09-03-2024 07:38

240309-jghpnsdh88 10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-03-2024 04:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Reaper/Reaper/Bin/FpsUnlocker.exe

  • Size

    488KB

  • MD5

    52f46ced3b06b19eac3369fbdb4ee2ee

  • SHA1

    1bc549fa770b1bf3925248a3853a87af9948381f

  • SHA256

    d0685e397486bd9f54eda33133e87e3970dedf5038ef0e4d058de34d796d72ac

  • SHA512

    d65a7f73a497e18d0123306c3e940cdd5b22f61ad88fcd9a334c95bab0db665a8e61d11c9c78a656cbfdd7a691e782351fa712aa97c6f38f1d641ae91e3d23af

  • SSDEEP

    6144:9nsLTb6hU1R1IDT3nn/b10WyIZUdA8CQ3mAg0y0Noh+p9NWRzbX:6TbgrDT3n/b6qiA8CQqvYogp/6

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Reaper\Reaper\Bin\FpsUnlocker.exe
    "C:\Users\Admin\AppData\Local\Temp\Reaper\Reaper\Bin\FpsUnlocker.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/axstin/rbxfpsunlocker/releases
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8bfa46f8,0x7ffc8bfa4708,0x7ffc8bfa4718
        3⤵
          PID:4532
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15119833561687164649,10416863357320963592,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
          3⤵
            PID:2132
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,15119833561687164649,10416863357320963592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2888
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,15119833561687164649,10416863357320963592,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
            3⤵
              PID:4920
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15119833561687164649,10416863357320963592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
              3⤵
                PID:924
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15119833561687164649,10416863357320963592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
                3⤵
                  PID:3008
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15119833561687164649,10416863357320963592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
                  3⤵
                    PID:976
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15119833561687164649,10416863357320963592,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3184
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15119833561687164649,10416863357320963592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
                    3⤵
                      PID:3276
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15119833561687164649,10416863357320963592,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
                      3⤵
                        PID:4796
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15119833561687164649,10416863357320963592,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
                        3⤵
                          PID:2724
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15119833561687164649,10416863357320963592,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
                          3⤵
                            PID:1812
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15119833561687164649,10416863357320963592,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4768 /prefetch:2
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:5472
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:3932
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:3276

                          Network

                          MITRE ATT&CK Matrix ATT&CK v13

                          Initial Access

                          Execution

                          Persistence

                          Privilege Escalation

                          Defense Evasion

                          Credential Access

                          Discovery

                          System Information Discovery

                          2
                          T1082

                          Query Registry

                          1
                          T1012

                          Lateral Movement

                          Collection

                          Exfiltration

                          Command and Control

                          Impact

                          Resource Development

                          Reconnaissance

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
                            Filesize

                            1KB

                            MD5

                            894e7aefbaee349dce6e9338952cfd5a

                            SHA1

                            bde7382775a58d52500690eb787c595dc93c2571

                            SHA256

                            ff815a815416aa5102f3c60611a250cfb01e7b70074e7eb8936da1f8173ba206

                            SHA512

                            031dbc977f2e7cbad425e990acd501e33845a8aa0afe0053602df604a09316fdcf8b61227fb5b14bae57e4b1c490228a764d933286d8d4716a76b3e3f7ec56b5

                            Download Submit
                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C38AC6B0EBDA4044A36E2ADF650F8E22
                            Filesize

                            282B

                            MD5

                            876fb259e72be7dab4e277922af26eda

                            SHA1

                            32b773eb9704fcacbd077ed364eb7070cec67944

                            SHA256

                            9ae283e94e326af81b21214a7d6555565261cd706dc5cd4eeba69c7e469c779f

                            SHA512

                            55a841564b82885eab6637e106e3af08f9fa214d16fcab27e508e9c5a1fa828e92b28ebe2b54775168d26bbaa62a5d741f16466eda21970e6c76ec803825d0ee

                            Download Submit
                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90
                            Filesize

                            978B

                            MD5

                            f673bb24776fa92c66fb2240e87cdadc

                            SHA1

                            691a68eed7f8c906cf544d50718528ba5692e3c9

                            SHA256

                            2a03ddae1a42ec425421269bebbb0696da38478bb57e4e6da78dd50e356bb120

                            SHA512

                            80e0226042d4ee280ce0241b15ff9af4e5e935397579890ce9891518dee0a04925b8ebc639251dd68f93ee73c4f37be5fd498824dfd1b1c8ef7dda698c0fbec5

                            Download Submit
                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
                            Filesize

                            482B

                            MD5

                            043072e52f688bc897050d2d1dc951d0

                            SHA1

                            92fd40d141b4b5a1a5e6b2e16bed736b89384020

                            SHA256

                            2558350c7ce5d55dbd9bc63c82a62955ec3f0716d4db833aa6c37345980e38fb

                            SHA512

                            9184a50f2f860c1313d62ca37e92bec4b2b78c4236bd7985e878dd8d31ec1d374d65bdc3596496a3ce81030a2c7e13a2168e1011a0d47d00ad8c5c7bd1764a47

                            Download Submit
                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C38AC6B0EBDA4044A36E2ADF650F8E22
                            Filesize

                            484B

                            MD5

                            f95eae4ece0e1803b021ae0765884d47

                            SHA1

                            1629724928035fb2e4bc3a8998299bffaba07809

                            SHA256

                            44e23d164e3ed3b62b6ce8384ab938ab8b01249b7f4a41a9bcb044f6ef64fd8b

                            SHA512

                            c7b9cffb6266f2c45a274b26426dde5e5baf9724bb2b4b3744a55047c6e3b3c73f490f64765fc2b3376db390e97de40b576bcaf31de887db684a9f41422a9e66

                            Download Submit
                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90
                            Filesize

                            480B

                            MD5

                            f96f703b2e7a84e66297245105c99ba9

                            SHA1

                            555ac8aaf30acc89d33562a0083db96aa57ad5d4

                            SHA256

                            97c138d439f4fe3e3803fbf43c725a2fbdc870c632ef6e5a59a80da60edaba2e

                            SHA512

                            8eab9da5aafe1ebe4adb88ef8eb905ac4c78fc1cf4cdaba7c340e6b04e85f11f001f5748a9d56967563b3bbaf7115c8994aa494d69cf853ca6220dcce5609959

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            a774512b00820b61a51258335097b2c9

                            SHA1

                            38c28d1ea3907a1af6c0443255ab610dd9285095

                            SHA256

                            01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

                            SHA512

                            ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            fd7944a4ff1be37517983ffaf5700b11

                            SHA1

                            c4287796d78e00969af85b7e16a2d04230961240

                            SHA256

                            b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

                            SHA512

                            28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                            Filesize

                            1KB

                            MD5

                            d44ec2761488689a4a3fac14a4bc8f8a

                            SHA1

                            06f28a56cf8cb81f1821c538ebd7a00fc4179d43

                            SHA256

                            d84ba61658fcaad924f17483d9a339492f89f632220aceae74f1798ff7a4d717

                            SHA512

                            e35a0e09c0429e0cf966a5bac7cf8927ec0e53fb090f17b333639b2aa7039ef22cdbf331b2f256623c192c40a6f6fc17e9be2f321de20bbea119ec34b1741681

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                            Filesize

                            496B

                            MD5

                            aadae93b8d636d034aee972c3635d7b5

                            SHA1

                            d8c1119ed585b5403056f37515b98d32d3275ab9

                            SHA256

                            baf498aa585a836559bfdfeba511aa8392d8fac7d57e594062dbad9bbd5c8327

                            SHA512

                            0a27888dc32f54cf0f1dff75e1f38813c60a0e0d04c16eb2f0a6bd898455f31f0008aa550b1e36f342527d777e71d9ef3e7e88788366f6b64cfdf8ece6e7bd81

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            68bcd2e396e43f19cfdf0df034af3dd7

                            SHA1

                            e79151bf608ce47ac76b5f034c85280957e2f436

                            SHA256

                            29556cf7fbc47c5fb6fb7fee02cf4c9d43319d946e4d536107ff7153e2719505

                            SHA512

                            96a244e63d617ae46403f6d9a3c57a771e4039c97aed714aaa7f50da116b0f976b4cf39e15af8de972bb96bfd024f6edb1bfae810781f19b86e1617d26037928

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            12865ce5631fd2ccc4ed934ab20dd75a

                            SHA1

                            e8acc396a6359aeeca9bb0c3a1bf8ddfbdb7484b

                            SHA256

                            9f11b10d4d10800e35dc4c302382d17efe78d15ea880d09878211d1a26ca9966

                            SHA512

                            2bf41897335de0e234e2e5112745b0a428137ea53c4bee6a5be0c3ed0df278adc72aab1410f3770603bf58e5d4d580e50af2babca8baff201b7bbf7417b9fd1a

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                            Filesize

                            11KB

                            MD5

                            685bfd969bf2888eac2127a9fd2ea2b0

                            SHA1

                            a06d46606343de769992ef3dacb8dfb2f7018351

                            SHA256

                            b32a6d99bdfb0236d702b5519d9401728e5ebc28d3624ff453e7e103795b4319

                            SHA512

                            04948595ce3ea658e5b633fdeced6a293e5eb8bd40a3efb9829c196d9c1e93638160a8e82f679fa67127e2b1eab39a7066c2157e8598161aa1b02a72902019e0

                            Download Submit
                          • \??\pipe\LOCAL\crashpad_2804_UBHSZAABBPZUSLWD
                            MD5

                            d41d8cd98f00b204e9800998ecf8427e

                            SHA1

                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                            SHA256

                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                            SHA512

                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                            Download Submit