f1787b9553ce260b889cbb40b456d62f2cfa01b10f7e512a3528790c65640669

Analysis

max time kernel
360s
max time network
368s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
18/08/2024, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RapeLay_BIa-QZ1.exe
Size

13.8MB
MD5

f3f16a12cdaf4e3fe51bece5dff8970f
SHA1

e4bb36e12d8f566617f940c32764870e052a89b7
SHA256

f1787b9553ce260b889cbb40b456d62f2cfa01b10f7e512a3528790c65640669
SHA512

5b5837ee05f3a16c645613c5e0462b6d81d6e1dc183156b790e42cd8348fa6b391bdc84de43131cba4c568aba2be308d6e3020c829df0f11d44fd923f8cd827f
SSDEEP

393216:MBBTeN30LpEiSCC9XSpIFwah3RuINhkU9he:ktwkLps9Xhrhhuahk7

Score

6^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	RapeLay_BIa-QZ1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	RapeLay_BIa-QZ1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\SOFTWARE\AVAST Software\Avast	RapeLay_BIa-QZ1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	RapeLay_BIa-QZ1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	RapeLay_BIa-QZ1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\SOFTWARE\AVG\AV\Dir	RapeLay_BIa-QZ1.tmp

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	qbittorrent.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2488	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
1468	RapeLay_BIa-QZ1.tmp
3212	qbittorrent.exe

Loads dropped DLL 1 IoCs

pid	Process
1468	RapeLay_BIa-QZ1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RapeLay_BIa-QZ1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RapeLay_BIa-QZ1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbittorrent.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RapeLay_BIa-QZ1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	RapeLay_BIa-QZ1.tmp

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3212	qbittorrent.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp
1468	RapeLay_BIa-QZ1.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3212	qbittorrent.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3212	qbittorrent.exe
Token: SeIncBasePriorityPrivilege	3212	qbittorrent.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1468	RapeLay_BIa-QZ1.tmp
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe
3212	qbittorrent.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 1468	4240	RapeLay_BIa-QZ1.exe	79
PID 4240 wrote to memory of 1468	4240	RapeLay_BIa-QZ1.exe	79
PID 4240 wrote to memory of 1468	4240	RapeLay_BIa-QZ1.exe	79
PID 1468 wrote to memory of 2488	1468	RapeLay_BIa-QZ1.tmp	80
PID 1468 wrote to memory of 2488	1468	RapeLay_BIa-QZ1.tmp	80
PID 1468 wrote to memory of 2488	1468	RapeLay_BIa-QZ1.tmp	80
PID 1468 wrote to memory of 3212	1468	RapeLay_BIa-QZ1.tmp	82
PID 1468 wrote to memory of 3212	1468	RapeLay_BIa-QZ1.tmp	82
PID 1468 wrote to memory of 3212	1468	RapeLay_BIa-QZ1.tmp	82

C:\Users\Admin\AppData\Local\Temp\RapeLay_BIa-QZ1.exe
"C:\Users\Admin\AppData\Local\Temp\RapeLay_BIa-QZ1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Local\Temp\is-K7RJ3.tmp\RapeLay_BIa-QZ1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-K7RJ3.tmp\RapeLay_BIa-QZ1.tmp" /SL5="$602AE,13566766,780800,C:\Users\Admin\AppData\Local\Temp\RapeLay_BIa-QZ1.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" firewall add allowedprogramC:\Users\Admin\AppData\Local\Temp\is-FN290.tmp\qbittorrent.exe "qBittorrent" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2488
- - C:\Users\Admin\AppData\Local\Temp\is-FN290.tmp\qbittorrent.exe
    "C:\Users\Admin\AppData\Local\Temp\is-FN290.tmp\qbittorrent.exe" magnet:?xt=urn:btih:14FCB2E55188541ED55ACF6D89C2800F8033C187
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-FN290.tmp\Opera_new.png

Filesize
49KB

MD5
b3a9a687108aa8afed729061f8381aba

SHA1
9b415d9c128a08f62c3aa9ba580d39256711519a

SHA256
194b65c682a76dc04ce9b675c5ace45df2586cc5b76664263170b56af51c8aeb

SHA512
14d10df29a3bb575c40581949d7c00312de08bb42578b7335792c057b83ab2878d44c87042bbdb6ec8ceaf763b4fbd8f080a27866fe92a1baf81c4f06705a0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FN290.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FN290.tmp\WebAdvisor.png

Filesize
33KB

MD5
db6c259cd7b58f2f7a3cca0c38834d0e

SHA1
046fd119fe163298324ddcd47df62fa8abcae169

SHA256
494169cdd9c79eb4668378f770bfa55d4b140f23a682ff424441427dfab0ced2

SHA512
a5e8bb6dc4cae51d4ebbe5454d1b11bc511c69031db64eff089fb2f8f68665f4004f0f215b503f7630a56c995bbe9cf72e8744177e92447901773cc7e2d9fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FN290.tmp\qbittorrent.exe

Filesize
22.8MB

MD5
22a34900ada67ead7e634eb693bd3095

SHA1
2913c78bcaaa6f4ee22b0977be72333d2077191d

SHA256
3cec1e40e8116a35aac6df3da0356864e5d14bc7687c502c7936ee9b7c1b9c58

SHA512
88d90646f047f86adf3d9fc5c04d97649b0e01bac3c973b2477bb0e9a02e97f56665b7ede1800b68edd87115aed6559412c48a79942a8c2a656dfae519e2c36f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FN290.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
59d3c3a9180ba792ae2dad18b6903cde

SHA1
c8cd105d3a0e99a54d1d16f0d1f60000fa3dca8a

SHA256
dd01edbd4368ef227693723c5e427a48b264cb57bbd07d81210d6e633e0b1b2e

SHA512
d6b6358e5108654931fcb3b7920df65c4ae65d48f9ea012c3f821bb571f821e815d86feab85cd55a8ce767f2f7342a512e55d03ee4041ac0baf4ff13ad238699

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K7RJ3.tmp\RapeLay_BIa-QZ1.tmp

Filesize
2.9MB

MD5
67bcdca0e7e60025269d8c14094badce

SHA1
3b17a191a5f8e27a6741b64cc58c536cc5ee132a

SHA256
c784f3a8cdbd73e28881289b1547225264b55a5388c59eb8ab8a5e7c49260a41

SHA512
df1c96c9ce92d3f0026ee64e969687b50aac8aa2d491e4308abb3fedca914be935cad161e01f1bed51bb4d18580551f2f885660cde33c922016166fd799947db

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\qBittorrent.ini

Filesize
1KB

MD5
9caf1069bd294ab1cf546e591b6d044b

SHA1
d2a2933b80f69075dc561a1bf292e6bda025e7e2

SHA256
dcdafa38d1058f0a8dfcb69aefd4ceb13f9ee1881d5e56a0fd5e8ea651c488e6

SHA512
df39e41529429a2071ce6d01c18c2b9f3e6d238a27eaf5b88c3c9df9a7eb8f6f2124d6ebcbb7ec6aad2ddb7a92d79a1a6937db546f25dd196e23dbf360a25cfa

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\watched_folders.json

Filesize
4B

MD5
5b76b0eef9af8a2300673e0553f609f9

SHA1
0b56d40c0630a74abec5398e01c6cd83263feddc

SHA256
d914176fd50bd7f565700006a31aa97b79d3ad17cee20c8e5ff2061d5cb74817

SHA512
cf06a50de1bf63b7052c19ad53766fa0d99a4d88db76a7cbc672e33276e3d423e4c5f5cb4a8ae188c5c0e17d93bb740eaab6f25753f0d26501c5f84aeded075d

Download Submit
memory/1468-35-0x0000000004410000-0x0000000004550000-memory.dmp

Filesize
1.2MB

Download
memory/1468-45-0x0000000004410000-0x0000000004550000-memory.dmp

Filesize
1.2MB

Download
memory/1468-31-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1468-28-0x0000000004410000-0x0000000004550000-memory.dmp

Filesize
1.2MB

Download
memory/1468-6-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1468-36-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1468-24-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1468-40-0x0000000004410000-0x0000000004550000-memory.dmp

Filesize
1.2MB

Download
memory/1468-41-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1468-29-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1468-46-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1468-55-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1468-52-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4240-23-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4240-57-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4240-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4240-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download