Analysis
max time kernel: 284s
max time network: 188s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 28/03/2025, 18:26
Static task
static1
Behavioral task
behavioral1
Sample
37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral2
Sample
37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Resource
win7-20241010-en
Behavioral task
behavioral3
Sample
37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral4
Sample
37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Resource
win10ltsc2021-20250314-en
Behavioral task
behavioral5
Sample
37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Resource
win11-20250313-en
Behavioral task
behavioral6
Sample
37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Resource
macos-20241101-en
General
Target: 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Size: 1.8MB
MD5: 8480b3439f6f2fe71ff8136c8475a0e1
SHA1: 8f787c424f7a1ac854d26b723008ea29d9f1b1aa
SHA256: 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8
SHA512: 2b72c1f30549156dcf42aff32d2967580147a1cc499ca93f7a3e2b773e814bd9c368772d6ed02031c086b2c8376b405d30c7a43abff0729732232ad008e97958
SSDEEP: 49152:fyPxPnQHIr7nIXvPvwrARGSLEUBLEffrLrr90+:6PxfQoTIXvPYlSLEWgXrLrr
Malware Config
Extracted: amadey
5.21
092155
http://176.113.115.6
install_dir: bb556cff4a
install_file: rapes.exe
strings_key: a131b127e996a898cd19ffb2d92e481b
url_paths: /Ni9kiput/index.php
Extracted: lumma
https://esccapewz.run/ANSbwqy
https://travewlio.shop/ZNxbHi
https://touvrlane.bet/ASKwjq
https://sighbtseeing.shop/ASJnzh
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://holidamyup.today/AOzkns
https://mtriplooqp.world/APowko
Signatures
Amadey family
Lumma family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 74957b3341.exe
Downloads MZ/PE file 3 IoCs
flow | pid | Process
5 | 2852 | rapes.exe
17 | 2852 | rapes.exe
18 | 2852 | rapes.exe
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 74957b3341.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 74957b3341.exe
Executes dropped EXE 4 IoCs
pid | Process
2852 | rapes.exe
940 | UYpk7xI.exe
2004 | jokererer.exe
580 | 74957b3341.exe
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | rapes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | 74957b3341.exe
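The three registry probes above (the VBOX__ ACPI table key, the BIOS version strings and the Wine key) are cheap sandbox checks, and the same probes can be turned around to audit an analysis image before it is used. The script below is an added example, not code from the sample or from the sandbox: assess() reproduces the sample's decision on a dict of probe results, probe_live() reads the same keys through winreg when run on Windows, and the hypervisor marker list and the two sample probe results (a stock VirtualBox guest and a guest whose BIOS strings were replaced) are constructed for the example rather than taken from the report.

```python
r"""Added example: reproduce the three registry probes the sample uses to spot
VirtualBox, hypervisor BIOS strings and Wine, so an analysis VM can be audited
for the same artifacts. Not code from the sample or the sandbox."""
import sys

# Registry locations the report shows the sample opening or querying.
ACPI_VBOX_KEY = r"HARDWARE\ACPI\DSDT\VBOX__"   # under HKLM
BIOS_KEY = r"HARDWARE\DESCRIPTION\System"     # under HKLM: SystemBiosVersion, VideoBiosVersion
WINE_KEY = r"Software\Wine"                    # under HKCU

# Hypervisor markers to look for in the REG_MULTI_SZ BIOS strings. This list
# is an assumption for the example; the report does not show the sample's own list.
VM_BIOS_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN",
                   "PARALLELS", "HYPER-V", "KVM")


def bios_markers(system_bios, video_bios):
    """Return the hypervisor markers present in the BIOS version strings."""
    text = " ".join(list(system_bios or []) + list(video_bios or [])).upper()
    return sorted(m for m in VM_BIOS_MARKERS if m in text)


def assess(probe):
    r"""Evaluate a probe result and return the indicators the sample would find.

    probe keys:
      acpi_vbox   -> True if HKLM\HARDWARE\ACPI\DSDT\VBOX__ could be opened
      system_bios -> list of strings from SystemBiosVersion, or None
      video_bios  -> list of strings from VideoBiosVersion, or None
      wine        -> True if HKCU\Software\Wine could be opened
    """
    findings = []
    if probe.get("acpi_vbox"):
        findings.append("acpi-dsdt-vbox")
    findings.extend("bios:" + m for m in bios_markers(probe.get("system_bios"),
                                                      probe.get("video_bios")))
    if probe.get("wine"):
        findings.append("wine-registry-key")
    return findings


def probe_live():
    """Read the same keys on a real Windows host; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg

    def key_exists(hive, path):
        try:
            winreg.CloseKey(winreg.OpenKey(hive, path))
            return True
        except OSError:
            return False

    def multi_sz(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                value, _ = winreg.QueryValueEx(key, name)
                return list(value) if isinstance(value, list) else [str(value)]
        except OSError:
            return None

    return {
        "acpi_vbox": key_exists(winreg.HKEY_LOCAL_MACHINE, ACPI_VBOX_KEY),
        "system_bios": multi_sz(BIOS_KEY, "SystemBiosVersion"),
        "video_bios": multi_sz(BIOS_KEY, "VideoBiosVersion"),
        "wine": key_exists(winreg.HKEY_CURRENT_USER, WINE_KEY),
    }


# Constructed sample probe results (not taken from the report): a stock
# VirtualBox guest and a guest whose BIOS strings were replaced.
STOCK_VBOX = {"acpi_vbox": True,
              "system_bios": ["VBOX   - 1"],
              "video_bios": ["Oracle VM VirtualBox Version 7.0.0 VGA BIOS"],
              "wine": False}
HARDENED = {"acpi_vbox": False,
            "system_bios": ["LENOVO - 1340"],
            "video_bios": ["Intel Video BIOS"],
            "wine": False}

if __name__ == "__main__":
    live = probe_live() or STOCK_VBOX
    print(assess(live) or "no sandbox artifacts found")
```

Run on the analysis VM, an empty result from assess() means this sample's three probes would not have fired; the BIOS strings are the usual place a stock VirtualBox or VMware image gives itself away, and the ACPI table name cannot be changed from inside the guest, so it has to be fixed on the hypervisor side.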
Loads dropped DLL 16 IoCs
pid | Process
2052 | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
2852 | rapes.exe
2852 | rapes.exe
2980 | WerFault.exe
2980 | WerFault.exe
2980 | WerFault.exe
2980 | WerFault.exe
2852 | rapes.exe
2852 | rapes.exe
916 | WerFault.exe
916 | WerFault.exe
916 | WerFault.exe
916 | WerFault.exe
2248 | taskmgr.exe
2852 | rapes.exe
2852 | rapes.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid | Process
2052 | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
2852 | rapes.exe
580 | 74957b3341.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\rapes.job | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
A .job file under C:\Windows\Tasks is a Task Scheduler 1.0 job. Its name matches the install_file from the extracted Amadey config (rapes.exe), which points to scheduled-task persistence for the copy installed in bb556cff4a; the job's contents are not shown in this report.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rapes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 74957b3341.exe
Modifies system certificate store 2 TTPs 4 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] | rapes.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] | rapes.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | rapes.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | rapes.exe
The Blob value is a CryptoAPI serialized certificate: a sequence of property records (property id, reserved = 1, length, data), ending with property 0x20, the 0x436-byte DER certificate. The issuer and subject strings inside it decode to "Comodo CA Limited" and "AAA Certificate Services", the validity is 2004-01-01 to 2028-12-31, and the SHA-1 property (0x03) is d1eb23a46d17d68fd92564c2f1f1601764d8e349, the thumbprint in the key name. That is a public trust anchor, and AuthRoot is where Windows caches roots fetched by its automatic root update when a certificate chain during the run leads to one, so this entry is consistent with TLS connections made by rapes.exe rather than with a rogue root being installed. A root not in the Microsoft Trusted Root Program, or a write under the ROOT store instead of AuthRoot, would be the case to treat as malicious.
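Deciding whether a write like the one above is a rogue root or a cached public one comes down to pulling the DER certificate out of the Blob and checking it against the thumbprint in the key name. The script below is an added example, not code from the sample or the sandbox: it parses the property-record layout the report's blob uses (0x0f signature hash, 0x09 enhanced key usage, 0x53 root program policies, 0x0b UTF-16 friendly name, 0x14 key identifier, 0x1d, 0x03 SHA-1 hash, 0x20 certificate), extracts the certificate and compares SHA-1(DER) with the registry key name. The sample blob it ships with is constructed for the example with a placeholder payload in place of a real certificate; feed it the hex from the report (bytes.fromhex of the value after "Blob =") to decode the real entry.

```python
r"""Added example (not code from the sample or the sandbox): decode the CryptoAPI
"Blob" value Windows stores under SystemCertificates\...\Certificates\<thumbprint>,
pull the DER certificate out of it and check that SHA-1(DER) matches the key name."""
import hashlib
import struct

# CryptoAPI certificate property identifiers present in the report's blob.
CERT_SHA1_HASH_PROP_ID = 0x03
CERT_ENHKEY_USAGE_PROP_ID = 0x09
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_SIGNATURE_HASH_PROP_ID = 0x0F
CERT_KEY_IDENTIFIER_PROP_ID = 0x14
CERT_CERT_PROP_ID = 0x20


def parse_blob(blob):
    """Split a serialized certificate blob into (prop_id, data) pairs.

    Every property is a 12-byte header of three little-endian DWORDs
    (prop_id, reserved = 1, length) followed by `length` bytes of data.
    """
    props, pos = [], 0
    while pos < len(blob):
        if pos + 12 > len(blob):
            raise ValueError("truncated property header at offset %d" % pos)
        prop_id, reserved, length = struct.unpack_from("<III", blob, pos)
        if reserved != 1:
            raise ValueError("unexpected reserved field %d at offset %d" % (reserved, pos))
        pos += 12
        data = blob[pos:pos + length]
        if len(data) != length:
            raise ValueError("truncated property %#x" % prop_id)
        props.append((prop_id, data))
        pos += length
    return props


def extract_certificate(blob):
    """Return the DER certificate carried in the blob, or None if absent."""
    for prop_id, data in parse_blob(blob):
        if prop_id == CERT_CERT_PROP_ID:
            return data
    return None


def friendly_name(blob):
    """Return the UTF-16LE friendly name, or None if the blob has none."""
    for prop_id, data in parse_blob(blob):
        if prop_id == CERT_FRIENDLY_NAME_PROP_ID:
            return data.decode("utf-16-le").rstrip("\x00")
    return None


def thumbprint_matches(blob, registry_key_thumbprint):
    """True when SHA-1 of the embedded DER equals the thumbprint in the key name.

    A mismatch means the value does not describe the certificate the key claims,
    which is worth a closer look in its own right.
    """
    der = extract_certificate(blob)
    if der is None:
        return False
    return hashlib.sha1(der).hexdigest().lower() == registry_key_thumbprint.lower()


def build_blob(props):
    """Serialize (prop_id, data) pairs in the same layout; used to construct sample data."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props)


# Constructed sample (not the blob from the report): a stand-in payload in
# place of a DER certificate, with the properties Windows stores beside it.
FAKE_DER = b"\x30\x82\x00\x10" + b"example-certificate-bytes"
SAMPLE_BLOB = build_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "Example Root".encode("utf-16-le") + b"\x00\x00"),
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_CERT_PROP_ID, FAKE_DER),
])

if __name__ == "__main__":
    for prop_id, data in parse_blob(SAMPLE_BLOB):
        print("property %#04x: %d bytes" % (prop_id, len(data)))
    print("friendly name:", friendly_name(SAMPLE_BLOB))
    print("thumbprint matches key name:",
          thumbprint_matches(SAMPLE_BLOB, hashlib.sha1(FAKE_DER).hexdigest()))
```

Once the DER is out, hand it to any X.509 parser (openssl x509 -inform DER works) to read the subject and compare the thumbprint against the Microsoft Trusted Root Program list; the parser above deliberately stops at the CryptoAPI envelope, which is the part that has no standard tooling.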
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2052 | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
2852 | rapes.exe
2248 | taskmgr.exe (58 entries, interleaved with the 74957b3341.exe entries)
580 | 74957b3341.exe (4 entries)
taskmgr.exe (PID 2248) is a top-level process in the tree below, started with /4, and not a child of the sample; the entries attributed to it here and in the three signatures that follow should not be credited to the sample without further evidence.
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2248 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2248 | taskmgr.exe
Token: SeSecurityPrivilege | 2248 | taskmgr.exe
Token: SeTakeOwnershipPrivilege | 2248 | taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
2052 | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
2248 | taskmgr.exe (63 entries)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
2248 | taskmgr.exe (64 entries)
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 2052 wrote to memory of 2852 (4 entries) | 2052 | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe | 31
PID 2852 wrote to memory of 940 (4 entries) | 2852 | rapes.exe | 33
PID 940 wrote to memory of 2980 (3 entries) | 940 | UYpk7xI.exe | 34
PID 2852 wrote to memory of 2004 (4 entries) | 2852 | rapes.exe | 36
PID 2004 wrote to memory of 916 (3 entries) | 2004 | jokererer.exe | 37
PID 2852 wrote to memory of 580 (4 entries) | 2852 | rapes.exe | 38
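The WriteProcessMemory rows are the quickest way to recover who started whom, but they only mean injection when the destination is a process the writer did not start itself. The script below is an added example, not code from the sample or the sandbox: it parses the 22 rows exactly as the report flattens them (one "PID <src> wrote to memory of <dst> <src> <image> <target id>" fragment per call), rebuilds the tree with write counts, and flags writes into processes outside the writer's own children. The pid-to-image map and the parent map come from this report's process list; the one extra "injection" row used to show a hit is constructed and does not appear in the report.

```python
"""Added example (not code from the sample or the sandbox): rebuild the process
tree from the flattened WriteProcessMemory rows and separate parent-to-child
start-up writes from writes into processes the writer did not start."""
import re
from collections import Counter, defaultdict

# The 22 rows from this report, in order. The sandbox emits one row per call.
ROWS = [
    "PID 2052 wrote to memory of 2852 2052 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe 31",
] * 4 + [
    "PID 2852 wrote to memory of 940 2852 rapes.exe 33",
] * 4 + [
    "PID 940 wrote to memory of 2980 940 UYpk7xI.exe 34",
] * 3 + [
    "PID 2852 wrote to memory of 2004 2852 rapes.exe 36",
] * 4 + [
    "PID 2004 wrote to memory of 916 2004 jokererer.exe 37",
] * 3 + [
    "PID 2852 wrote to memory of 580 2852 rapes.exe 38",
] * 4
FLATTENED = " ".join(ROWS)   # the single run-together line the page shows

# pid -> image and child -> parent, both taken from the report's process list.
IMAGES = {2052: "37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe",
          2852: "rapes.exe", 940: "UYpk7xI.exe", 2980: "WerFault.exe",
          2004: "jokererer.exe", 916: "WerFault.exe", 580: "74957b3341.exe",
          2248: "taskmgr.exe"}
PARENTS = {2852: 2052, 940: 2852, 2980: 940, 2004: 2852, 916: 2004, 580: 2852}

# "PID <src> wrote to memory of <dst> <src> <image> <target id>"; the backreference
# pins the repeated source pid so a row cannot be mis-split from its neighbour.
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image) for every row in the flattened text."""
    return [(int(s), int(d), image) for s, d, image, _ in ROW.findall(text)]


def build_tree(rows):
    """Map each writer to its distinct destinations with the number of writes."""
    edges = Counter((s, d) for s, d, _ in rows)
    children = defaultdict(list)
    for (s, d), n in sorted(edges.items()):
        children[s].append((d, n))
    return dict(children)


def foreign_writes(rows, parents):
    """Writes whose destination is not a process the writer started.

    parents maps child pid -> parent pid from the process list. Anything returned
    here is a cross-process write into an unrelated process, the injection signal.
    """
    return sorted({(s, d) for s, d, _ in rows if parents.get(d) != s})


def render(tree, images, root, depth=0):
    """Indented text rendering of the tree under `root`."""
    lines = ["  " * depth + "%d %s" % (root, images.get(root, "?"))]
    for child, n in tree.get(root, []):
        lines[-1:] = lines[-1:]  # keep the parent line, then append the subtree
        lines.extend(render(tree, images, child, depth + 1))
    return lines


# Constructed row (not in the report): rapes.exe writing into taskmgr.exe,
# a process it did not start, to show what an injection hit looks like.
INJECTION_ROW = "PID 2852 wrote to memory of 2248 2852 rapes.exe 40"

if __name__ == "__main__":
    rows = parse_rows(FLATTENED)
    print("\n".join(render(build_tree(rows), IMAGES, 2052)))
    print("foreign writes in report:", foreign_writes(rows, PARENTS))
    print("foreign writes with constructed row:",
          foreign_writes(parse_rows(FLATTENED + " " + INJECTION_ROW), PARENTS))
```

In this report every destination is a process the writer itself spawned, which is what ordinary process creation looks like through this signature; the three or four writes per child are the loader setting up the new process, not code being planted in someone else's address space.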
Processes
C:\Users\Admin\AppData\Local\Temp\37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe"
PID: 2052
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe (depth 2)
  command line: "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  PID: 2852
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\10361660101\UYpk7xI.exe (depth 3)
    command line: "C:\Users\Admin\AppData\Local\Temp\10361660101\UYpk7xI.exe"
    PID: 940
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
      C:\Windows\system32\WerFault.exe (depth 4)
      command line: C:\Windows\system32\WerFault.exe -u -p 940 -s 44
      PID: 2980
      - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\10361680101\jokererer.exe (depth 3)
    command line: "C:\Users\Admin\AppData\Local\Temp\10361680101\jokererer.exe"
    PID: 2004
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
      C:\Windows\system32\WerFault.exe (depth 4)
      command line: C:\Windows\system32\WerFault.exe -u -p 2004 -s 28
      PID: 916
      - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\10361700101\74957b3341.exe (depth 3)
    command line: "C:\Users\Admin\AppData\Local\Temp\10361700101\74957b3341.exe"
    PID: 580
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\taskmgr.exe (depth 1)
command line: "C:\Windows\system32\taskmgr.exe" /4
PID: 2248
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry: 1
Subvert Trust Controls: 1
Install Root Certificate: 1
Virtualization/Sandbox Evasion: 2
Downloads
Filesize: 71KB
MD5: 83142242e97b8953c386f988aa694e4a
SHA1: 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256: d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512: bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Filesize: 634KB
MD5: 4e84cb2a5369e3407e1256773ae4ad15
SHA1: ab1a10e3d2c6b4e7623fe9740cfc84e3b2ae6ef5
SHA256: 110a54e185a48812d3ae0b45a0947945dc33de2476f89f571b9e1ef6801c0590
SHA512: 96e67ab56f75669c595c543f2f1c7e11ba62028271b7fa07104fdd0e70cdb502f20047991141cfc248e8f6ad9cfd1eff11e09b3ea6dcc4c8f62004bd17dd0988

Filesize: 712KB
MD5: e714f21784ba313bf9b0ceb2c138895a
SHA1: cabe70a2b37e02706d9118702e1692735a6c7b9a
SHA256: 8730a3f5b2e25609cf42ee706bd062ab31c7499f51780f015815b2f9ad1dce44
SHA512: c99a439bad99363a10df4e0669e4670d80fdab3947df535c4f3b421f09922dbef8b4f7b7a7f8c9dc167dd2f3ff0fc7ce55621335978679f89bf3a702553b932b

Filesize: 1.8MB
MD5: b8239424c867eb7092984f129e4d9532
SHA1: e944db66ad5d4631b749ed78ed6020327fb9e551
SHA256: 7d4d7e11cc02766414332b4817c853ddc34624290e2e4b4a0bfea5e749c146f6
SHA512: 693cf806fb781fe53fdcd6b36d36a98841557cf440d5f2de52420cfea632cbc4d24cf0761d1a08107eb53c8c05743766db794ed1d93305540e583c90f2bd5e00

Filesize: 183KB
MD5: 109cab5505f5e065b63d01361467a83b
SHA1: 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256: ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512: 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Filesize: 1.8MB (the submitted sample itself; hashes match the General section)
MD5: 8480b3439f6f2fe71ff8136c8475a0e1
SHA1: 8f787c424f7a1ac854d26b723008ea29d9f1b1aa
SHA256: 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8
SHA512: 2b72c1f30549156dcf42aff32d2967580147a1cc499ca93f7a3e2b773e814bd9c368772d6ed02031c086b2c8376b405d30c7a43abff0729732232ad008e97958