Analysis
- max time kernel: 137s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-05-2024 13:55

Behavioral tasks
- behavioral1: Sample seraph.exe, Resource win7-20240508-en
- behavioral2: Sample seraph.exe, Resource win10v2004-20240508-en

General
- Target: seraph.exe
- Size: 11.7MB
- MD5: 2e4d00592b163c33d400fb746c749eec
- SHA1: ec8efe476d98e3c4b1ee519e1eef0ee9e65a5674
- SHA256: d480627b254295b07317884c0bd938602852587b43dcd47f28402abc50b68c11
- SHA512: bfd2f4b423f42e32f7d2c956268772221f5952177e5e24814aa0e40589dcbc1c9f872159ec7371488acc81d6cdacd491a577b77eeff9d2ebae9c6afe4950ea2f
- SSDEEP: 196608:nuDem/D9onJ5hrZERdW3q+09iq2pPefB2WZufOuD9LaKyPgVFccckLQu8HGviMfr:Cemb9c5hlERblh2pW2WmfDZhkULljD
Malware Config
Signatures
-
- Loads dropped DLL (24 IoCs)
  Processes: seraph.exe (PID 1800), 24 entries
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: seraph.exe (PID 1800)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: seraph.exe (PID 1800), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  PID 1824 wrote to memory of 1800 / 1824 / seraph.exe / seraph.exe
  PID 1824 wrote to memory of 1800 / 1824 / seraph.exe / seraph.exe
  PID 1800 wrote to memory of 2128 / 1800 / seraph.exe / cmd.exe
  PID 1800 wrote to memory of 2128 / 1800 / seraph.exe / cmd.exe
  PID 2128 wrote to memory of 3972 / 2128 / cmd.exe / mode.com
  PID 2128 wrote to memory of 3972 / 2128 / cmd.exe / mode.com
Processes
- C:\Users\Admin\AppData\Local\Temp\seraph.exe (PID 1824)
  Command line: "C:\Users\Admin\AppData\Local\Temp\seraph.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\seraph.exe (PID 1800)
    Command line: "C:\Users\Admin\AppData\Local\Temp\seraph.exe"
    Signatures: Loads dropped DLL; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 2128)
      Command line: C:\Windows\system32\cmd.exe /c cls & title [Seraph Nuker] - Loading & mode 69,20
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\mode.com (PID 3972)
        Command line: mode 69,20
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\VCRUNTIME140.dll
  Filesize: 99KB
  MD5: 8697c106593e93c11adc34faa483c4a0
  SHA1: cd080c51a97aa288ce6394d6c029c06ccb783790
  SHA256: ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833
  SHA512: 724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\_asyncio.pyd
  Filesize: 62KB
  MD5: 8cf9a316051bfc50f6dc343128b9c4e0
  SHA1: 3659ba74d2bc5b7d7ee806b95af71ec4dec76c13
  SHA256: f934719bea056a98446e786de88cda8f76afe9a29e67121950b17caafc2799c8
  SHA512: ad0e1fbf6744ae6d58768301e5ddc93eb2bf24f33bc49588097a03af915d51b296d815a36d9eefd671701289802075b1c850e8a5f4f453a81f0d53b28e65d6ae
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\_bz2.pyd
  Filesize: 84KB
  MD5: b89b6c064cd8241ae12addb7f376cab2
  SHA1: 29e86a1df404c442e14344042d39a98dd15425f7
  SHA256: 0563df6e938b836f817c49e0cf9828cc251b2092a84273152ea5a7c537c03beb
  SHA512: f87b1c6d90cfb01316a17ad37f27287d5ef4ff3a0f7fd25303203ea7c7fa1ed12c1aef486dc9bbb8b4d527f37e771b950fa5142b2bac01f52afbfdbf7a77111d
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\_ctypes.pyd
  Filesize: 123KB
  MD5: 4d13a7b3ecc8c7dc96a0424c465d7251
  SHA1: 0c72f7259ac9108d956aede40b6fcdf3a3943cb5
  SHA256: 2995ef03e784c68649fa7898979cbb2c1737f691348fae15f325d9fc524df8ed
  SHA512: 68ff7c421007d63a970269089afb39c949d6cf9f4d56aff7e4e0b88d3c43cfaa352364c5326523386c00727cc36e64274a51b5dbb3a343b16201cf5fc264fec8
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\_hashlib.pyd
  Filesize: 45KB
  MD5: 496cde3c381c8e33186354631dfad0f1
  SHA1: cbdb280ecb54469fd1987b9eff666d519e20249f
  SHA256: f9548e3b71764ac99efb988e4daac249e300eb629c58d2a341b753299180c679
  SHA512: f7245eb24f2b6d8bc22f876d6abb90e77db46bf0e5ab367f2e02e4ca936c898a5a14d843235adc5502f6d74715da0b93d86222e8dec592ae41ab59d56432bf4f
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\_lzma.pyd
  Filesize: 158KB
  MD5: 6e396653552d446c8114e98e5e195d09
  SHA1: c1f760617f7f640d6f84074d6d5218d5a338a6ec
  SHA256: 5ddba137db772b61d4765c45b6156b2ee33a1771ddd52dd55b0ef592535785cf
  SHA512: c4bf2c4c51350b9142da3faeadf72f94994e614f9e43e3c2a1675aa128c6e7f1212fd388a71124971648488bb718ca9b66452e5d0d0b840a0979df7146ed7ae5
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\_overlapped.pyd
  Filesize: 44KB
  MD5: 724c5f1347a77318bdfa4942a71ffdfd
  SHA1: a284eeca1d336e9148de2a69d3728971b6cfa43e
  SHA256: 03ef0f32653e78901649b3207340c914786e0455369412ca160d76f553f81faa
  SHA512: 21463a489524eae93c4b734a56e07096a5620e48946d6c459e0ac5e451bf397130f022e4c5d8e26a5a9880d250a5d7ee0e4f508d66a174efb08d870c62a2d497
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\_pytransform.dll
  Filesize: 1.1MB
  MD5: 162e5724a65dddefc7693d91a204aaab
  SHA1: e24633d374dfc5380493f66e3c18d6077dbfa601
  SHA256: c964712a4d27bccfa2378972f6cc10384ca7bd336a66df7b8d00904070a158ea
  SHA512: 4ec50140dbffe3234a34d44700376ec271ef1ae9d46c14d75ad0e63fd688cb40a12a1e7714bb6ef1987fae9eaa954c403a87b2af706e70e2cfabea5877fef1c0
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\_queue.pyd
  Filesize: 27KB
  MD5: 1707a6aeeb0278ee445e86ee4354c86c
  SHA1: 50c30823b1dc995a03f5989c774d6541e5eaaef9
  SHA256: dd8c39ff48de02f3f74256a61bf3d9d7e411c051dd4205ca51446b909458f0cd
  SHA512: 404b99b8c70de1d5e6a4f747df44f514a4b6480b6c30b468f35e9e0257fd75c1a480641bc88180f6eb50f0bd96bdcafb65bb25364c0757a6e601090ae5989838
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\_socket.pyd
  Filesize: 77KB
  MD5: eb974aeda30d7478bb800bb4c5fbc0a2
  SHA1: c5b7bc326bd003d42bcf620d657cac3f46f9d566
  SHA256: 1db7b4f6ae31c4d35ef874eb328f735c96a2457677a3119e9544ee2a79bc1016
  SHA512: f9eea3636371ba508d563cf21541a21879ce50a5666e419ecfd74255c8decc3ae5e2ceb4a8f066ae519101dd71a116335a359e3343e8b2ff3884812099ae9b1b
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\_ssl.pyd
  Filesize: 150KB
  MD5: fefbb91866778278460e16e44cfb8151
  SHA1: 53890f03a999078b70b921b104df198f2f481a7c
  SHA256: 8a10b301294a35bc3a96a59ca434a628753a13d26de7c7cb51d37cf96c3bdbb5
  SHA512: 449b5f0c089626db1824ebe405b97a67b073ea7ce22cee72aa3b2490136b3b6218e9f15d71da6fd32fba090255d3a0ba0e77a36c1f8b8bea45f6be95a91e388d
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\base_library.zip
  Filesize: 768KB
  MD5: 83892d53f470482ea0096abe9b568de6
  SHA1: c3ff63b58f05908b8a018c021532839080bca0fc
  SHA256: 2b5a96134fda4439a4f9b4ba1ac9298ee431a7a0deda69caa859dd7f0ab60b61
  SHA512: bff745508fb925cd386936fa1c79be4a7444319078ea10175ca2f04868165dde27576bf09414ea3291772f07adb41f2c126f884607f2046cbde801745c666196
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\certifi\cacert.pem
  Filesize: 257KB
  MD5: 1ba3b44f73a6b25711063ea5232f4883
  SHA1: 1b1a84804f896b7085924f8bf0431721f3b5bdbe
  SHA256: bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197
  SHA512: 0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\libcrypto-1_1.dll
  Filesize: 3.2MB
  MD5: cc4cbf715966cdcad95a1e6c95592b3d
  SHA1: d5873fea9c084bcc753d1c93b2d0716257bea7c3
  SHA256: 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
  SHA512: 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\libffi-7.dll
  Filesize: 32KB
  MD5: eef7981412be8ea459064d3090f4b3aa
  SHA1: c60da4830ce27afc234b3c3014c583f7f0a5a925
  SHA256: f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
  SHA512: dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\libssl-1_1.dll
  Filesize: 673KB
  MD5: bc778f33480148efa5d62b2ec85aaa7d
  SHA1: b1ec87cbd8bc4398c6ebb26549961c8aab53d855
  SHA256: 9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843
  SHA512: 80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\multidict\_multidict.cp38-win_amd64.pyd
  Filesize: 43KB
  MD5: 4d07e807a855be02a94c292dc66cb379
  SHA1: 2d8d742a1179627f1fd702430c3ee106b72988aa
  SHA256: 6ccb02ca328a9df23d5f5c7ce58fbf7b9f84474c801230c6c42eab171ed83744
  SHA512: 1576744a545abc7158525ec0e0e7930a7ed14016ce4d3ea157261e6be204a5e490937387718fe9b444f0d5ccfff866cd3426c1481ec31e293f59928d097895d1
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\psutil\_psutil_windows.cp38-win_amd64.pyd
  Filesize: 76KB
  MD5: 81467ae2ccfd303b3ae249b271d02393
  SHA1: 025316c0ffd42bb6085731596b5e5cf36a2ee400
  SHA256: b8dfb9df359c67334c017a8bdcad257e4ed5ef1637761acf40d19c4df040f8e1
  SHA512: 3d4f02a97298d894e351514c9d719730b7de4baace38fcf395275bdde399158d35d10533a5ae762c24b748594e64109112a8d88f1b76b15beb2af47bc7db272e
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\python38.dll
  Filesize: 4.0MB
  MD5: 3cd1e87aeb3d0037d52c8e51030e1084
  SHA1: 49ecd5f6a55f26b0fb3aeb4929868b93cc4ec8af
  SHA256: 13f7c38dc27777a507d4b7f0bd95d9b359925f6f5bf8d0465fe91e0976b610c8
  SHA512: 497e48a379885fdd69a770012e31cd2a62536953e317bb28e3a50fdb177e202f8869ea58fc11802909cabb0552d8c8850537e9fb4ead7dd14a99f67283182340
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\pythoncom38.dll
  Filesize: 559KB
  MD5: 5aaf39c3dc5d37ee70d0f8faa0de695e
  SHA1: 69b7cc9c612af39ee1dabdfb6e84c81a22d08c10
  SHA256: b53b1372b4f48a5bee76b6354823a6f8e9a9b7b8b3cc25119258451d032261f7
  SHA512: 236decda868dcfa617d538a2876a06d0e40ce6889f1284d92d9d1e3c3d16f31aadac269d6ab9266fda6afcc8b691cb462bd747bb8f21f98e44eecf11014fc9a5
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\pywintypes38.dll
  Filesize: 139KB
  MD5: 4e2d48b0e2bc0d1b0a61be486b865fdd
  SHA1: 95fb013f66c28578dbe9db06e93e6085828a7324
  SHA256: bff7b09303260eaf01ba73687d979ce6d1d50458426686bea7b01dea5db446d4
  SHA512: d5aa94805bf97b51ba986c60e1401608bc547f1fed0e07f25f6b3ca2bf86167002830aa18c74cb68cf6f51aa60912036678a276971af56754753a1f01ac8d13f
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\select.pyd
  Filesize: 26KB
  MD5: 08b499ae297c5579ba05ea87c31aff5b
  SHA1: 4a1a9f1bf41c284e9c5a822f7d018f8edc461422
  SHA256: 940fb90fd78b5be4d72279dcf9c24a8b1fcf73999f39909980b12565a7921281
  SHA512: ab26f4f80449aa9cc24e68344fc89aeb25d5ba5aae15aeed59a804216825818edfe31c7fda837a93a6db4068ccfb1cc7e99173a80bd9dda33bfb2d3b5937d7e9
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\unicodedata.pyd
  Filesize: 1.0MB
  MD5: 84fb421643cab316ce623aa84395a950
  SHA1: 4fba083864b3811b8a09644d559186ecb347c387
  SHA256: 5578c3054f8846be86e686fb73b62b1f931d3ed1a7859b87925a96774371dba4
  SHA512: a2132f93b0e4292dc9c32da2a6478769ec4f58be5c36ee2701e2a66154ea1dc2c0684fc7698e7c3ac04f5c1d366cb9633a9366e5a38b7ff7a964ff25ea266f9f
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\win32api.pyd
  Filesize: 131KB
  MD5: 87a1f5111634f5531efccfdd931b4d42
  SHA1: 0401252123d36f932870cdeabe5d75db9d432ffa
  SHA256: 9a562e6431427c52d213c17af815c82ee704ab9fced76837647cc1838126d96f
  SHA512: a15080f2cca0dae4925d0ac246966c433ea8847502c880ec784102de3bc1daf949eafe34ac9916bb7b072a7d86ab7da7f55ffb31d9cb4673067a42049ae7bf4f
- C:\Users\Admin\AppData\Local\Temp\_MEI18242\yarl\_quoting_c.cp38-win_amd64.pyd
  Filesize: 82KB
  MD5: 5e21f62dac88940f71ac4565f638d9ab
  SHA1: 413514697329983802a0901025b9ea07a56e6a1d
  SHA256: ab58b179ebf608f205b78cbd818680e002fba9f7fe5d3996f2321778e1293e37
  SHA512: 399efde2a81db7cd432f29dbc5c601b9496fce53d9bde59ea3bb0d33cce18857d620d15d2a003eae837e6374d6e501080ce69010f3d59670aebf648abf36f07a