Analysis
max time kernel: 360s
max time network: 368s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18/08/2024, 16:17

Static task: static1
Behavioral task: behavioral1
Sample: RapeLay_BIa-QZ1.exe
Resource: win11-20240802-en
General
Target: RapeLay_BIa-QZ1.exe
Size: 13.8MB
MD5: f3f16a12cdaf4e3fe51bece5dff8970f
SHA1: e4bb36e12d8f566617f940c32764870e052a89b7
SHA256: f1787b9553ce260b889cbb40b456d62f2cfa01b10f7e512a3528790c65640669
SHA512: 5b5837ee05f3a16c645613c5e0462b6d81d6e1dc183156b790e42cd8348fa6b391bdc84de43131cba4c568aba2be308d6e3020c829df0f11d44fd923f8cd827f
SSDEEP: 393216:MBBTeN30LpEiSCC9XSpIFwah3RuINhkU9he:ktwkLps9Xhrhhuahk7
Malware Config
Signatures
Checks for any installed AV software in registry 1 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | RapeLay_BIa-QZ1.tmp
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | RapeLay_BIa-QZ1.tmp
Key opened | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\SOFTWARE\AVAST Software\Avast | RapeLay_BIa-QZ1.tmp
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir | RapeLay_BIa-QZ1.tmp
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir | RapeLay_BIa-QZ1.tmp
Key opened | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\SOFTWARE\AVG\AV\Dir | RapeLay_BIa-QZ1.tmp
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | qbittorrent.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
2488 | netsh.exe
Executes dropped EXE 2 IoCs
pid | Process
1468 | RapeLay_BIa-QZ1.tmp
3212 | qbittorrent.exe
Loads dropped DLL 1 IoCs
pid | Process
1468 | RapeLay_BIa-QZ1.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RapeLay_BIa-QZ1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RapeLay_BIa-QZ1.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qbittorrent.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RapeLay_BIa-QZ1.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ | RapeLay_BIa-QZ1.tmp
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3212 | qbittorrent.exe
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process
1468 | RapeLay_BIa-QZ1.tmp (22 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3212 | qbittorrent.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: 33 | 3212 | qbittorrent.exe
Token: SeIncBasePriorityPrivilege | 3212 | qbittorrent.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
1468 | RapeLay_BIa-QZ1.tmp (1 entry)
3212 | qbittorrent.exe (remaining 63 entries, all identical)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
3212 | qbittorrent.exe (64 identical entries)
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
3212 | qbittorrent.exe (8 identical entries)
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 4240 wrote to memory of 1468 | 4240 | RapeLay_BIa-QZ1.exe | 79 (3 identical entries)
PID 1468 wrote to memory of 2488 | 1468 | RapeLay_BIa-QZ1.tmp | 80 (3 identical entries)
PID 1468 wrote to memory of 3212 | 1468 | RapeLay_BIa-QZ1.tmp | 82 (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\RapeLay_BIa-QZ1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RapeLay_BIa-QZ1.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4240

  C:\Users\Admin\AppData\Local\Temp\is-K7RJ3.tmp\RapeLay_BIa-QZ1.tmp (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-K7RJ3.tmp\RapeLay_BIa-QZ1.tmp" /SL5="$602AE,13566766,780800,C:\Users\Admin\AppData\Local\Temp\RapeLay_BIa-QZ1.exe"
    - Checks for any installed AV software in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 1468

    C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "netsh" firewall add allowedprogram C:\Users\Admin\AppData\Local\Temp\is-FN290.tmp\qbittorrent.exe "qBittorrent" ENABLE
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      PID: 2488

    C:\Users\Admin\AppData\Local\Temp\is-FN290.tmp\qbittorrent.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-FN290.tmp\qbittorrent.exe" magnet:?xt=urn:btih:14FCB2E55188541ED55ACF6D89C2800F8033C187
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      PID: 3212
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Downloads