modiloader | 713bf00309fc31dcae6d0bf9fa75ad659299701a2ca9b5dd8f6b6f048fa057e4

General

Target

902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
Size

246KB
MD5

902985d25a3a47bafe3e30d6feada3d7
SHA1

c075bba53188ec6d11f1ca3b1f8cbae4893f6801
SHA256

713bf00309fc31dcae6d0bf9fa75ad659299701a2ca9b5dd8f6b6f048fa057e4
SHA512

60a57930249b5b89650676c0d8950c8cad43a487ff3aee8ba01e0e0d5856fe46865b324525e8e5c5faf627be8a057d02df14a25420558b1bc2f28f3440bbfa87
SSDEEP

6144:H3N7ORvl3p1TT+UogjT+P8pAhmOT8HbWYStr15qCePoofg2pum:XB23p4gXtpAhaHitr15Xm/Npn

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2656 2748 mshta.exe
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions regsvr32.exe
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
evasion

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

File opened (read-only) C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2748	mshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	regsvr32.exe

description	ioc	process
File opened (read-only)	C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys	regsvr32.exe

ModiLoader Second Stage 49 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2036-8-0x0000000000400000-0x000000000043B000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-12-0x0000000000400000-0x000000000043B000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-13-0x0000000000400000-0x000000000043B000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-10-0x0000000000400000-0x000000000043B000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-6-0x0000000000400000-0x000000000043B000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-4-0x0000000000400000-0x000000000043B000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-14-0x0000000001C80000-0x0000000001D58000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-15-0x0000000001C80000-0x0000000001D58000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-17-0x0000000001C80000-0x0000000001D58000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-18-0x0000000001C80000-0x0000000001D58000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-16-0x0000000001C80000-0x0000000001D58000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-19-0x0000000001C80000-0x0000000001D58000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-20-0x0000000001C80000-0x0000000001D58000-memory.dmp	modiloader_stage2
behavioral1/memory/2780-27-0x0000000006190000-0x0000000006268000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-28-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-31-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2780-30-0x0000000006190000-0x0000000006268000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-33-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-42-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-39-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-53-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-52-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-51-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-50-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-54-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-63-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-64-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-62-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-61-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-60-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-71-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-59-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-49-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-48-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-47-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-46-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-45-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-44-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-43-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-41-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-40-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-38-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-37-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-36-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/1028-72-0x00000000000D0000-0x0000000000214000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-35-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-34-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-32-0x0000000000180000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-73-0x0000000001C80000-0x0000000001D58000-memory.dmp	modiloader_stage2

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	regsvr32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

2580 regsvr32.exe
Drops startup file 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c25a55.lnk regsvr32.exe

pid	process
2580	regsvr32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c25a55.lnk	regsvr32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:i0JV2Nb=\"uZnsswx\";I82y=new%20ActiveXObject(\"WScript.Shell\");x9PsVV4A=\"NS\";Pkh2j=I82y.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\hxuejrj\\\\ggldjbnfg\");OJnf5=\"FgkXOed\";eval(Pkh2j);o5FRygb=\"TS\";"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:oWaY7w=\"hFAw\";i1c8=new%20ActiveXObject(\"WScript.Shell\");gUfmP6Cs=\"4sb7Lxp\";d9PZL=i1c8.RegRead(\"HKCU\\\\software\\\\hxuejrj\\\\ggldjbnfg\");b5jrfjn=\"s2y\";eval(d9PZL);IOX6CZfi=\"tahUVJq\";"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\cac63c\\bdcf8f.lnk\""	regsvr32.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsvr32.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 2040 set thread context of 2036	2040	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
PID 2780 set thread context of 2580	2780	powershell.exe	regsvr32.exe
PID 2580 set thread context of 1028	2580	regsvr32.exe	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\International	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regsvr32.exe

Modifies registry class 7 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\6921c0\shell\open	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\6921c0\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\6921c0\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:yh2yf8=\"T1y\";JJ68=new ActiveXObject(\"WScript.Shell\");C39hGXCw=\"JfqDY\";Ow64xS=JJ68.RegRead(\"HKCU\\\\software\\\\hxuejrj\\\\ggldjbnfg\");B1wXKT2=\"W3V\";eval(Ow64xS);IMbqx8of=\"Yr\";\""	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.26a6f49	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.26a6f49\ = "6921c0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\6921c0	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\6921c0\shell	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeregsvr32.exe

pid	process
2780	powershell.exe
2780	powershell.exe
2780	powershell.exe
2780	powershell.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

powershell.exeregsvr32.exe

pid process

2780 powershell.exe
2580 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2780 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2780	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exemshta.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 2040 wrote to memory of 2036	2040	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
PID 2040 wrote to memory of 2036	2040	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
PID 2040 wrote to memory of 2036	2040	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
PID 2040 wrote to memory of 2036	2040	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
PID 2040 wrote to memory of 2036	2040	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
PID 2040 wrote to memory of 2036	2040	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
PID 2040 wrote to memory of 2036	2040	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
PID 2040 wrote to memory of 2036	2040	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
PID 2040 wrote to memory of 2036	2040	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe	902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
PID 2656 wrote to memory of 2780	2656	mshta.exe	powershell.exe
PID 2656 wrote to memory of 2780	2656	mshta.exe	powershell.exe
PID 2656 wrote to memory of 2780	2656	mshta.exe	powershell.exe
PID 2656 wrote to memory of 2780	2656	mshta.exe	powershell.exe
PID 2780 wrote to memory of 2580	2780	powershell.exe	regsvr32.exe
PID 2780 wrote to memory of 2580	2780	powershell.exe	regsvr32.exe
PID 2780 wrote to memory of 2580	2780	powershell.exe	regsvr32.exe
PID 2780 wrote to memory of 2580	2780	powershell.exe	regsvr32.exe
PID 2780 wrote to memory of 2580	2780	powershell.exe	regsvr32.exe
PID 2780 wrote to memory of 2580	2780	powershell.exe	regsvr32.exe
PID 2780 wrote to memory of 2580	2780	powershell.exe	regsvr32.exe
PID 2780 wrote to memory of 2580	2780	powershell.exe	regsvr32.exe
PID 2580 wrote to memory of 1028	2580	regsvr32.exe	regsvr32.exe
PID 2580 wrote to memory of 1028	2580	regsvr32.exe	regsvr32.exe
PID 2580 wrote to memory of 1028	2580	regsvr32.exe	regsvr32.exe
PID 2580 wrote to memory of 1028	2580	regsvr32.exe	regsvr32.exe
PID 2580 wrote to memory of 1028	2580	regsvr32.exe	regsvr32.exe
PID 2580 wrote to memory of 1028	2580	regsvr32.exe	regsvr32.exe
PID 2580 wrote to memory of 1028	2580	regsvr32.exe	regsvr32.exe
PID 2580 wrote to memory of 1028	2580	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
2⤵
PID:2036

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:IoscX3J6="cDHV8Sss";d2R=new%20ActiveXObject("WScript.Shell");V6XeN8z="4E4y7WV8";h8yzr=d2R.RegRead("HKCU\\software\\J0T1FYW\\IwjTvk0");rSM0L="ZNMeRHi";eval(h8yzr);Qg5uhEp="CLbu3";
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:hqeodgyp
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe
3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe"
4⤵
PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

3

T1497

Modify Registry

2

T1112

Credential Access

Discovery

Software Discovery

1

T1518

Query Registry

4

T1012

Virtualization/Sandbox Evasion

3

T1497

File and Directory Discovery

1

T1083

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cac63c\b9feef.26a6f49
Filesize
20KB

MD5
33403349bf351cbfd4b7835a16c15ca2

SHA1
a5fad00e8ddb68e0861895cb1c847bff64597e02

SHA256
e9ad833f7b0b9ceb5f23a811e5b6d76395fb45c46a3d54d21e603f75f2a39f39

SHA512
54daae4c14fbc9bcdb4c9449c834e4794f421f1606b1a30ba1ec147865637bc9dd00f0d353d739a7ac4d88d0d1c349001078a465bac719f809913332c2a41200

Download Submit
C:\Users\Admin\AppData\Local\cac63c\bdcf8f.lnk
Filesize
877B

MD5
214d54233a163eda0ddf40527c95d807

SHA1
81235c0b7628becb06ca6956fc09b126ed7afe6b

SHA256
ee77abccbb2882cf72dbc9339be94f208f24f0549fddb8ce41912f2be8cd5d47

SHA512
3c5c60253892bd70dcf912d98a07ef988d63fac21e584a63486bfe528ca2fc2e6b2700c7f5649d81acdec4522965915f022b482f9e7601d2c1c4fe80df114b22

Download Submit
C:\Users\Admin\AppData\Local\cac63c\cbd015.bat
Filesize
61B

MD5
c8a437d8dffa3b0e7b3b6e869cf95016

SHA1
4c3ad562e64a3f511d632859d9c5090be4f44750

SHA256
7f3ca854a12deb01ad01e47e55eb09558f1a72f1c066410d459703746c660a39

SHA512
8276987a0546d8f288cabb4dbcd54ed7332182b0cb982e997a5806e731bbfc8e60deea297db5c69f1884b77baf4ca0b55f738136187926b8bd4ba8196c34f076

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c25a55.lnk
Filesize
987B

MD5
8748084a1a9ce37820d2bc39a3131649

SHA1
c1669ccf50a4dd205a93ad4a5ee37709f3a270f5

SHA256
c068f2f1e1470796b434eb8ffd9b1c900e7ecbc365645ef2e6beb57749e3dbf7

SHA512
405f499cdaa2ff6b5f1b0899ac97fe038b43a42961e4e83c5a739d537c0dc5f4ac595def909b4c34885a1e6c2f103524c3b0caeb337a3e316a1d8a9ad1667b6f

Download Submit
C:\Users\Admin\AppData\Roaming\ca6143\7c2c65.26a6f49
Filesize
33KB

MD5
b094330b2a78696a9343ea401264b7cc

SHA1
0ccfe1b89279ee69239ffc65f79465d83f00bb19

SHA256
11bd74f20af5da04914764b3a670cb666f6bd67dee5c0002c598fd729e4b92c8

SHA512
373c7bfce3fc5f24e98dcc218c7f6ffe7423cb2b279c6aa179a506cdbcff68bc1e9db49500aa3bc1169ef526617ce82871ba198446b58ecf2f54b76e99ae49aa

Download Submit
memory/1028-72-0x00000000000D0000-0x0000000000214000-memory.dmp

Filesize
1.3MB

Download
memory/2036-2-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2036-19-0x0000000001C80000-0x0000000001D58000-memory.dmp

Filesize
864KB

Download
memory/2036-14-0x0000000001C80000-0x0000000001D58000-memory.dmp

Filesize
864KB

Download
memory/2036-15-0x0000000001C80000-0x0000000001D58000-memory.dmp

Filesize
864KB

Download
memory/2036-17-0x0000000001C80000-0x0000000001D58000-memory.dmp

Filesize
864KB

Download
memory/2036-18-0x0000000001C80000-0x0000000001D58000-memory.dmp

Filesize
864KB

Download
memory/2036-16-0x0000000001C80000-0x0000000001D58000-memory.dmp

Filesize
864KB

Download
memory/2036-4-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2036-20-0x0000000001C80000-0x0000000001D58000-memory.dmp

Filesize
864KB

Download
memory/2036-6-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2036-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2036-10-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2036-13-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2036-12-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2036-73-0x0000000001C80000-0x0000000001D58000-memory.dmp

Filesize
864KB

Download
memory/2036-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2580-62-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-43-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-50-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-54-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-63-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-64-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-52-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-61-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-60-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-71-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-59-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-49-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-48-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-47-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-46-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-45-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-44-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-51-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-41-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-40-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-38-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-37-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-36-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-28-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-35-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-34-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-32-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-53-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-39-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-42-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-33-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2580-31-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2780-27-0x0000000006190000-0x0000000006268000-memory.dmp

Filesize
864KB

Download
memory/2780-30-0x0000000006190000-0x0000000006268000-memory.dmp

Filesize
864KB

Download
memory/2780-29-0x0000000002DC0000-0x0000000004DC0000-memory.dmp

Filesize
32.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads