Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13-05-2024 12:11
Static task: static1
Behavioral tasks (sample, resource):
- behavioral1: 3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe (win7-20240221-en)
- behavioral2: 3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe (win10v2004-20240226-en)
- behavioral3: $PLUGINSDIR/System.dll (win7-20231129-en)
- behavioral4: $PLUGINSDIR/System.dll (win10v2004-20240226-en)
- behavioral5: $PLUGINSDIR/UAC.dll (win7-20240221-en)
- behavioral6: $PLUGINSDIR/UAC.dll (win10v2004-20240426-en)
- behavioral7: $PLUGINSDIR/UserInfo.dll (win7-20240508-en)
- behavioral8: $PLUGINSDIR/UserInfo.dll (win10v2004-20240508-en)
- behavioral9: $PLUGINSDIR/nsDialogs.dll (win7-20240508-en)
- behavioral10: $PLUGINSDIR/nsDialogs.dll (win10v2004-20240508-en)
- behavioral11: $PLUGINSDIR/nsExec.dll (win7-20240220-en)
- behavioral12: $PLUGINSDIR/nsExec.dll (win10v2004-20240508-en)
- behavioral13: 1.exe (win7-20240221-en)
- behavioral14: 1.exe (win10v2004-20240226-en)
- behavioral15: Setup1.exe (win7-20231129-en)
- behavioral16: Setup1.exe (win10v2004-20240426-en)
- behavioral17: Setup1.vbs (win7-20240221-en)
- behavioral18: Setup1.vbs (win10v2004-20240426-en)
General
Target: 3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
Size: 4.0MB
MD5: 3f6f1b87fc7750df9421200e9e0aa070
SHA1: 11cf49ecbb3b8ba5d76444cefd041435c95bfc47
SHA256: 3d0c53b85d752355b9185c5d43a96dc028f2a56e73fb3358dc6a7f0882329e4e
SHA512: 9a4e11817771ab6cbb17d2a21857f1f210eafb122df5fd55ae963595aae2263fcd8b6cbfa855f05e26b0e1a2a6f8ca751452cdc9bcdcee0fb44eed6f9763dbc5
SSDEEP: 98304:XoUyCR9OdQA9BKQ+SQQUH80pvgsRGVdgTsPC:Xo1H+A9BLM80dwrb6
Malware Config
Extracted family: cryptbot
Extracted domains:
- tuytee16.top
- moriiikk08.top
Signatures
CryptBot payload (15 IoCs)
- YARA rule family_cryptbot matched 15 memory dumps of PID 1644 in behavioral1, all covering the region 0x0000000000ED0000-0x0000000001400000 (dump indices 353, 355, 372, 397, 399, 402, 404, 406, 408, 410, 413, 415, 417, 420, 422).
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Setup1.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (1.exe)
Blocklisted process makes network request (5 IoCs)
- flow 4: PID 2636 CScript.exe
- flow 7: PID 2636 CScript.exe
- flow 9: PID 2636 CScript.exe
- flow 11: PID 2636 CScript.exe
- flow 13: PID 2636 CScript.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Setup1.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Setup1.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (1.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (1.exe)
Executes dropped EXE (2 IoCs)
- PID 1644 1.exe
- PID 2504 Setup1.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine (Setup1.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine (1.exe)
Loads dropped DLL (9 IoCs)
- PID 1652 3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe (4 loads)
- PID 1644 1.exe (3 loads)
- PID 2504 Setup1.exe (2 loads)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
- PID 2504 Setup1.exe
- PID 1644 1.exe
Drops file in Program Files directory (3 IoCs)
- File created: C:\Program Files (x86)\Mader\lase\1.exe (3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\Mader\lase\Setup1.exe (3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\Mader\lase\Setup1.vbs (3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (1.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (1.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Setup1.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Setup1.exe)
Modifies system certificate store (4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 (CScript.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob (certificate blob not reproduced in the report) (CScript.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (CScript.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob (certificate blob not reproduced in the report) (CScript.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2504 Setup1.exe
- PID 1644 1.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeRestorePrivilege, PID 2636 CScript.exe
- Token: SeBackupPrivilege, PID 2636 CScript.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 1644 1.exe (2 occurrences)
Suspicious use of WriteProcessMemory (35 IoCs)
- PID 1652 3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe wrote to memory of PID 2636 CScript.exe (7 occurrences)
- PID 1652 3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe wrote to memory of PID 1644 1.exe (7 occurrences)
- PID 1652 3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe wrote to memory of PID 2504 Setup1.exe (7 occurrences)
- PID 2504 Setup1.exe wrote to memory of PID 2992 cmd.exe (7 occurrences)
- PID 2504 Setup1.exe wrote to memory of PID 1520 cmd.exe (7 occurrences)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe"
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Windows\SysWOW64\CScript.exe
        Command line: "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Mader\lase\Setup1.vbs" //e:vbscript //B //NOLOGO
        - Blocklisted process makes network request
        - Modifies system certificate store
        - Suspicious use of AdjustPrivilegeToken
    [depth 2] C:\Program Files (x86)\Mader\lase\1.exe
        Command line: "C:\Program Files (x86)\Mader\lase\1.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
    [depth 2] C:\Program Files (x86)\Mader\lase\Setup1.exe
        Command line: "C:\Program Files (x86)\Mader\lase\Setup1.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [depth 3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\vnsrievgotrk.exe"
        [depth 3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ymsawtldtf.exe"
Downloads