modiloader | a6e5730f0bedf158a97f59955ac607c227cd7c3acbb1ad9c6f92c553c71d2283

General

Target

Envision Digital.exe
Size

996KB
MD5

e52cf82f435602239c33092829fcf8f1
SHA1

1469f0e7c2129ba105f6bb50b9dcde23d67443ad
SHA256

a6e5730f0bedf158a97f59955ac607c227cd7c3acbb1ad9c6f92c553c71d2283
SHA512

93e1f9e9b890861ba795dc5defb19b1c1fb993940277ad8347c9a3a1d89ff6292a8f9780365d45ecd2a5c0104a8f7b96345a3496c7c2acabf3cfcb893722b4e6

Score

10^/10

modiloader remcos persistence rat trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 53 IoCs

Processes:

resource	yara_rule
behavioral1/memory/884-57-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-59-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-60-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-61-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-62-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-63-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-64-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-65-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-66-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-67-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-68-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-69-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-72-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-71-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-70-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-73-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-74-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-75-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-76-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-77-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-78-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-79-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-98-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-97-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-95-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-99-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-102-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-103-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-105-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-104-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-106-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-107-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-108-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-109-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-110-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-111-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-112-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-113-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-114-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-115-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-116-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-117-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-118-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-119-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-120-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-121-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-122-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-123-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-124-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-125-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-126-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-127-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2
behavioral1/memory/884-128-0x0000000004E50000-0x0000000004F46000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Envision Digital.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wiupbu = "C:\\Users\\Public\\Libraries\\ubpuiW.url"	Envision Digital.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

976 1540 WerFault.exe cmd.exe

pid	pid_target	process	target process
976	1540	WerFault.exe	cmd.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Envision Digital.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Envision Digital.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Envision Digital.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Envision Digital.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Envision Digital.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Envision Digital.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Envision Digital.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exeEnvision Digital.exe

pid process

1516 powershell.exe
884 Envision Digital.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1516 powershell.exe

pid	process
1516	powershell.exe
884	Envision Digital.exe

description	pid	process
Token: SeDebugPrivilege	1516	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Envision Digital.execmd.execmd.exenet.execmd.exe

description	pid	process	target process
PID 884 wrote to memory of 560	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 560	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 560	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 560	884	Envision Digital.exe	cmd.exe
PID 560 wrote to memory of 960	560	cmd.exe	cmd.exe
PID 560 wrote to memory of 960	560	cmd.exe	cmd.exe
PID 560 wrote to memory of 960	560	cmd.exe	cmd.exe
PID 560 wrote to memory of 960	560	cmd.exe	cmd.exe
PID 960 wrote to memory of 2028	960	cmd.exe	net.exe
PID 960 wrote to memory of 2028	960	cmd.exe	net.exe
PID 960 wrote to memory of 2028	960	cmd.exe	net.exe
PID 960 wrote to memory of 2028	960	cmd.exe	net.exe
PID 2028 wrote to memory of 812	2028	net.exe	net1.exe
PID 2028 wrote to memory of 812	2028	net.exe	net1.exe
PID 2028 wrote to memory of 812	2028	net.exe	net1.exe
PID 2028 wrote to memory of 812	2028	net.exe	net1.exe
PID 960 wrote to memory of 1516	960	cmd.exe	powershell.exe
PID 960 wrote to memory of 1516	960	cmd.exe	powershell.exe
PID 960 wrote to memory of 1516	960	cmd.exe	powershell.exe
PID 960 wrote to memory of 1516	960	cmd.exe	powershell.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 884 wrote to memory of 1540	884	Envision Digital.exe	cmd.exe
PID 1540 wrote to memory of 976	1540	cmd.exe	WerFault.exe
PID 1540 wrote to memory of 976	1540	cmd.exe	WerFault.exe
PID 1540 wrote to memory of 976	1540	cmd.exe	WerFault.exe
PID 1540 wrote to memory of 976	1540	cmd.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Envision Digital.exe
"C:\Users\Admin\AppData\Local\Temp\Envision Digital.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Libraries\Wiupbut.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\WiupbuO.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 164
3⤵
- Program crash
PID:976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Cdex.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\WiupbuO.bat
Filesize
1KB

MD5
df48c09f243ebcc8a165f77a1c2bf889

SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07

SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Download Submit
C:\Users\Public\Libraries\Wiupbut.bat
Filesize
55B

MD5
7a7f354e24916d4e8d330fce027c58f8

SHA1
b3e2520fab475a4aa8e8c3714e2bfb75734f52c2

SHA256
ca09c539ffa0f07d4b96f76cce849521f6ce6b267a23f693d92f97da8f632341

SHA512
40ace6566fff2b435067a4044a2c83424d7a40074804ca719831f30a6c7234b036cd5f5ee4b1cda84e729fb74ac774d3495fe6ac0d92ca46625da226557e31d5

Download Submit
memory/560-80-0x0000000000000000-mapping.dmp

Download
memory/812-85-0x0000000000000000-mapping.dmp

Download
memory/884-98-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-126-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-64-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-65-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-66-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-67-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-68-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-69-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-72-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-71-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-70-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-73-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-74-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-95-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-76-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-77-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-78-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-79-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-62-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-61-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-128-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-60-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-127-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-59-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-57-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-97-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-125-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-124-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-92-0x0000000050590000-0x0000000050618000-memory.dmp

Filesize
544KB

Download
memory/884-123-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/884-63-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-75-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-122-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-99-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-121-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-102-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-103-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-105-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-104-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-106-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-107-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-108-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-109-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-110-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-111-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-112-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-113-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-114-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-115-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-116-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-117-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-118-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-119-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/884-120-0x0000000004E50000-0x0000000004F46000-memory.dmp

Filesize
984KB

Download
memory/960-82-0x0000000000000000-mapping.dmp

Download
memory/976-100-0x0000000000000000-mapping.dmp

Download
memory/1516-89-0x0000000072E30000-0x00000000733DB000-memory.dmp

Filesize
5.7MB

Download
memory/1516-87-0x0000000000000000-mapping.dmp

Download
memory/1540-101-0x0000000050590000-0x0000000050618000-memory.dmp

Filesize
544KB

Download
memory/1540-93-0x0000000050590000-0x0000000050618000-memory.dmp

Filesize
544KB

Download
memory/1540-90-0x0000000000000000-mapping.dmp

Download
memory/2028-84-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads