modiloader | 28b0a9a43f3cc82d4015d27592d94c2a7d43c08d36f84be5bf676084231bdab2

Analysis

max time kernel
136s
max time network
129s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
Size

284KB
MD5

d47ee31bce4678978e94e49c04b7de98
SHA1

663f6a99f5e0f665bddbed86bf062d73c8f39ef1
SHA256

28b0a9a43f3cc82d4015d27592d94c2a7d43c08d36f84be5bf676084231bdab2
SHA512

d6cd7bee3d9bde1229dfd8cc0cf18845f0dda6677a9dd38eb47e1297471c1625faf6ba5df79668b9daf05f67268b373552ce80fcd66530bceb21972dbf8de9aa
SSDEEP

6144:970m1qamTV+yM9nhv4DhXcU7REPli8+/sScsPD51ZRO132oJltoz:mm10TV+y4nhv4lXcU4sMbd2oJlqz

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/memory/1956-2-0x0000000000400000-0x0000000000567000-memory.dmp	modiloader_stage2
behavioral1/memory/2520-24-0x0000000000400000-0x0000000000567000-memory.dmp	modiloader_stage2
behavioral1/memory/2520-42-0x0000000000400000-0x0000000000567000-memory.dmp	modiloader_stage2
behavioral1/memory/1956-43-0x0000000000400000-0x0000000000567000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2152	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2520	AutoRun.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
1956	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\S:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\V:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\A:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\N:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\Q:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\I:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\E:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\G:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\H:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\J:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\K:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\M:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\T:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\B:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\Z:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\Y:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\P:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\R:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\U:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\W:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\X:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened (read-only)	\??\L:	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AutoRun.inf	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File created	F:\AutoRun.inf	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File created	C:\AutoRun.inf	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_AutoRun.exe	AutoRun.exe
File opened for modification	C:\Windows\SysWOW64\_AutoRun.exe	AutoRun.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2520 set thread context of 2260	2520	AutoRun.exe	32
PID 2520 set thread context of 2764	2520	AutoRun.exe	33

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\AutoRun.exe	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\AutoRun.exe	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoRun.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431964966"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8A04FE31-6DE8-11EF-8EE4-42572FC766F9} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2764	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2520	1956	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2520	1956	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2520	1956	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2520	1956	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2520	1956	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2520	1956	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2520	1956	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe	31
PID 2520 wrote to memory of 2260	2520	AutoRun.exe	32
PID 2520 wrote to memory of 2260	2520	AutoRun.exe	32
PID 2520 wrote to memory of 2260	2520	AutoRun.exe	32
PID 2520 wrote to memory of 2260	2520	AutoRun.exe	32
PID 2520 wrote to memory of 2260	2520	AutoRun.exe	32
PID 2520 wrote to memory of 2260	2520	AutoRun.exe	32
PID 2520 wrote to memory of 2260	2520	AutoRun.exe	32
PID 2520 wrote to memory of 2260	2520	AutoRun.exe	32
PID 2520 wrote to memory of 2260	2520	AutoRun.exe	32
PID 2520 wrote to memory of 2764	2520	AutoRun.exe	33
PID 2520 wrote to memory of 2764	2520	AutoRun.exe	33
PID 2520 wrote to memory of 2764	2520	AutoRun.exe	33
PID 2520 wrote to memory of 2764	2520	AutoRun.exe	33
PID 2520 wrote to memory of 2764	2520	AutoRun.exe	33
PID 1956 wrote to memory of 2152	1956	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe	34
PID 1956 wrote to memory of 2152	1956	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe	34
PID 1956 wrote to memory of 2152	1956	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe	34
PID 1956 wrote to memory of 2152	1956	d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe	34
PID 2764 wrote to memory of 2816	2764	IEXPLORE.EXE	35
PID 2764 wrote to memory of 2816	2764	IEXPLORE.EXE	35
PID 2764 wrote to memory of 2816	2764	IEXPLORE.EXE	35
PID 2764 wrote to memory of 2816	2764	IEXPLORE.EXE	35
PID 2764 wrote to memory of 2816	2764	IEXPLORE.EXE	35
PID 2764 wrote to memory of 2816	2764	IEXPLORE.EXE	35
PID 2764 wrote to memory of 2816	2764	IEXPLORE.EXE	35

C:\Users\Admin\AppData\Local\Temp\d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d47ee31bce4678978e94e49c04b7de98_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\AutoRun.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\AutoRun.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2260
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat

Filesize
212B

MD5
51505919d97ec537c02b448adbc72011

SHA1
d5497c5743db1a795fd9a421680c013477fd05c6

SHA256
d4e21e05e735f382acdea5fab06cd31ead3925d813971d272c8e749e53fae9aa

SHA512
03f372c964eb6ddc859ccdd2c7066ff5461211577bea00ec6a85738fe33c5b515587938e16a8742634242ee1f8bbfa2e9d42a9a3ed52f89f5e4cd76e64a1709a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d70f67197b561696d59414fcfce57cc

SHA1
c156a44c089072333a548be46f38d4aed897680f

SHA256
bae972aa7d0035f1bb004ed6c890339dcff1d83035dcfdb307f1540b1f385809

SHA512
3c9a54f9ccaeb13a18f1b543f71d478bffd3812bf42c813e8dfe992a16c3a01bedab7533ee64a5b1904120eab96ec92bdeeff15a80401bd45e35a973cdaa7652

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
946fcf4fd0695cd227b0b19221bba13a

SHA1
24dcd80a27e615e35516ee4a9ce423d1d9c6e515

SHA256
16ac4285f73ae01c257ee1c8df9d96775db8385e7aab528ca60cb22c4752a1e9

SHA512
72941af75a255940652035f4e52ee6dc8e1c04ad4cec8c3ea9b815939df4a213e5f7e9111ae6225fa967e43e0e1b0b755c7c67f77108ca27b9fa28e5abd3e18d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80d24b2cd787fa1e9d327b993bedc768

SHA1
0f14c72575bbd7c0790a8250541de6ecba9db9e0

SHA256
de37458126cc47c406a59dc632463ad0685f890c71a820c6d482bb01ca1d6d7a

SHA512
f80053b39abc884b4194fd636f1d297ffa4dcb2df755717f7cccbea1d181c5b5579727b59d8d27b26fa288becade7953c879aafc3efb8ea8391d236f15e9f508

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa0ad32c0aa5db65b851e329b9812af8

SHA1
0219009750f6fd3a1b819810f2cb517a3808e095

SHA256
7d51b94839030582c152b53af06d068e9d9de2009751095493ae2fdab495951e

SHA512
7e1e0521dbb7e17b49802c42a148815b7b148d3f72cd70471d78d959c51f17c017980c3356112f6a944a1eb7726f7bdd66dfe74881555dde2bfb0ef9781bb9c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9195b9b8255170159825f9f19c180c66

SHA1
f9f1d457149805501d9ef856ecbcb4cec9ed08d5

SHA256
89569006402f19f88dd73cabcdbfd50fe6443afc988ff2c9040efd5e2800b7d1

SHA512
8ac834f980e016b4f44280f568169d01e8c4c8213a9817185ad1dc3d4347f49b4d1fb7a8a0c4472d02a86342daac13f697ac74605b30fe1462b1914fad640922

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9328d1e6edb10901e3c83221642e1e8

SHA1
3777eb9d7d6b604ff7531c8ac1c6345da2e98fa1

SHA256
774f4fdc09e79d69ea5c798d5a8f2a76d60a79ba24fbc8c80689344553def432

SHA512
b720178b83ac32cc5424623ceff382c2a6e9ed886d705c7c2500d55ca8340e84cee18cd2e27607e7d1b509b4123148de9aebba406bbdaed05e79f88d2bd0bce9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1556752f9a49931539a64fd89269a57

SHA1
47cfb05a73ae71fb6938b20e89707303b3fedc82

SHA256
f0345644dfe285ec8bf3d44e57b3160224a822ccadd08fa908fb72cc139e87c9

SHA512
397a9c8728037bc54dcbafc1964aa8db299bcc3c408ec53c6d8c91777ff5c942311135927cfbe9a521cd0621d91005bc6ce7c0872f8079f90aab292d39220f8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
494c0184b6b7858e0d31ff8545e26a21

SHA1
280a07e2a604662fe842cc0e3f79f47283bb2001

SHA256
3f6153e929f18684e695cd317bb8d6df0687d1e8f0b27fde6f3e6de0473116af

SHA512
3595dcdecfdc5b52850064a21762017fc6af8c5bec0f87ae7df53154f69696ee3fbf90a44dd0a4ca83df396651f9a874406f0f2079bfb2c3d2171777568839bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca4a949d269baddf990f2dfc1d1a9a5e

SHA1
1d5103ea8669b35a8a93311d2808f7e90e276ceb

SHA256
eb67430fc270578a743dd005e58134f577a244d8f387339708b7262509ca044e

SHA512
f763da64e4eb234f6d8fe1234fa0f6d2faad57c53a4212dab67c35bc403bbf6a29e70732414254ae6509169bc48f7fa30593ea02ea2989a579190c003fbdaf00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
690f8478f86a88586b09ee7ec1ef8028

SHA1
e64d880194de7cce7392c854bae6bf43f913a3f6

SHA256
5f3feb0d9a820f80d2d3ef385b6fcbda413565b92dd7a04e893da372a868a3c2

SHA512
7856a637b8eadded985308413dece33d249ae2e33ca8a8a2b10844b96bb7b73c2e661a4fe9431b7240574dd766c3fdcdab9ba47924324365f57f16c55de48b3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a96c0ae726904cea6de9d2ad2a13786b

SHA1
9315c567d7cfdb1e2692f754cd5237b1cbcd71d1

SHA256
280decad7a5d4804c9cac56c82c166db59842a3311e8431cdda6995c95b187f8

SHA512
9503d37428507c3ca00f50f3c9cbeeaa89d24f2b007dd0db8c3b8d1e9debe7da499368b5077ee05ef7e313d1db372f7d950c9e435cf3866ef155842d08b483ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f008e4281f05ecf14bd26729600c6b55

SHA1
4539691e20431afd0042a2510ed1c23061541747

SHA256
9e364147d7524daeab1d25fb66ae8100da70a9853cf36d3e3e71e106806eee52

SHA512
3f63f9f876da9fc807c777792de6c49b95bda1f7dec31f9a9eed75ee4d03683100755b66ec56934819cfae76d3c25cfd79fc99db822b922069d682966eb41f3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e5dfafbe1b7b5a69e1fdc630b7b14d1

SHA1
571467cc03a36cafb7fd456ea24f48c0c36c38c1

SHA256
3e31bd0263a76a7c70de32ad4fb242134d9ca4070592277b8b9d208029bc368c

SHA512
032cad73741afd9b0f152227efb802e1df26934ad1ffc7e27763d2174a8e6a488baf8c72c9abc64f0aeaf057d850da5168a2dfc555a337f95d71c1ce75827ea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6e6b814f7ecc501b76bc0e2c58a1870

SHA1
e0264eaf9be83abc3ee24af6235dcc12e0bb24d6

SHA256
d828d414a602e8cea08081be9b7c5a7acae416f1fbeb5ad6f0b11227dac260f5

SHA512
980da872debfbef0c0fd046dfc6e10dfdd08632606d31eef98d055e1b47e456fac51095b47568e77b20a960d611e3523d9e2e27855bda7bfd3f61a8788956862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e8d4835f7c3624dbb1a12cf56bba083

SHA1
2e41d78fb8920a5675c472a4cbd1e35d5413e98e

SHA256
f281d1e9187026b26a2ed29e8a3ff9b180e6013b211a21411bfb0df78ad8f4cf

SHA512
7d31830689ac792ec1176f0f42fbd115e27139e8053dfe2c7d6bba5328358a23eb031bc6aa676d01c99d4a47550e7a5bafcde36d990c7934a5f6aad2ddf56e9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cecf2db2d29bff8a527c421c8d13e60

SHA1
5c9bf62f78301759daf62582637d9a134652f311

SHA256
cad165dcd584b22c3c43e4e19a315383ff91d92f3b225f71c411c1f9e1424da6

SHA512
726acc1ee670eec7c7bf62151409f80d1ccd11fd12255b3b7206d6f458c18d0ad035e618371df2ea72fd49aff15e11cff5acff6489dc37b7e4a80e15d813090a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f904b3f0bb8ee13f9aea180c552d2947

SHA1
f9bd1a38839fafd0f767e72ea0dfc3965961489c

SHA256
ab0a58555145517c86c078f5020ebe005cc71e7643d0f1df3fbb110dd13193b9

SHA512
c8c2433a789530d35f0d96add82b7b331ceb3187ccc30cc8f64a680f11a34ba36393b6ea6e5d9dc389b7de0b278cecfbff1c13698d7aeb38544be739a0e08e17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b68de8c68cd4cc5ea25caef7b269524

SHA1
aaefcb6688147f88d80b4ddcb462841a3acaf2d2

SHA256
20d4dce159ea55b30fb1e5fb1266e7a18db5e82023ce8f4ec0f0f8a0470211d7

SHA512
de9a50f7b495dd222d429a2cc800bb871f07518df2ee7dc471d457e108ded90206f76760410b033df1b946ae7ae126ba744c29cc2f7f8f73a4122042e2c33718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b2b75fd2115370fab1557be60299491

SHA1
35a60e37dcbf018c4a8d36a77a8b1a68aeae7dcb

SHA256
ac084ce057c70b09c15d407ef54f8274620f1939424f7a51734b7927e43734b5

SHA512
2d8bd91f80874b99d407ddde2a37b5f91b70b2b4a2825d66fa9032db1aefffa659daa18f9237c432e25c080ea5e31c4c3ab9659345dc19fc51b62c9664633f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF644.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF6B4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
F:\AutoRun.exe

Filesize
284KB

MD5
d47ee31bce4678978e94e49c04b7de98

SHA1
663f6a99f5e0f665bddbed86bf062d73c8f39ef1

SHA256
28b0a9a43f3cc82d4015d27592d94c2a7d43c08d36f84be5bf676084231bdab2

SHA512
d6cd7bee3d9bde1229dfd8cc0cf18845f0dda6677a9dd38eb47e1297471c1625faf6ba5df79668b9daf05f67268b373552ce80fcd66530bceb21972dbf8de9aa

Download Submit
memory/1956-20-0x0000000003430000-0x0000000003597000-memory.dmp

Filesize
1.4MB

Download
memory/1956-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1956-2-0x0000000000400000-0x0000000000567000-memory.dmp

Filesize
1.4MB

Download
memory/1956-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1956-0-0x0000000000400000-0x0000000000567000-memory.dmp

Filesize
1.4MB

Download
memory/1956-43-0x0000000000400000-0x0000000000567000-memory.dmp

Filesize
1.4MB

Download
memory/2260-32-0x0000000000400000-0x0000000000567000-memory.dmp

Filesize
1.4MB

Download
memory/2260-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2520-23-0x0000000000400000-0x0000000000567000-memory.dmp

Filesize
1.4MB

Download
memory/2520-27-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2520-42-0x0000000000400000-0x0000000000567000-memory.dmp

Filesize
1.4MB

Download
memory/2520-24-0x0000000000400000-0x0000000000567000-memory.dmp

Filesize
1.4MB

Download
memory/2764-34-0x00000000001B0000-0x0000000000317000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads