modiloader | 7dd9bd66025b79a1392b928ff5e2b3a62335465ebeabcf72e426f5490bd207d1

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efff2fe18024a3094929186dca954315_JaffaCakes118.exe
Size

1.2MB
MD5

efff2fe18024a3094929186dca954315
SHA1

2ba5cea58730f11b9b7d3fb582db68dbc8d16ca4
SHA256

7dd9bd66025b79a1392b928ff5e2b3a62335465ebeabcf72e426f5490bd207d1
SHA512

0d1f99669047d6fa6e6614928ee467708a224bc1dc947982d356d007bb1ba24a65de832b6a0ef1b24b0dbc5c5e02a169bd4e8bd3bc3ee4366979ff0c1fe3f872
SSDEEP

24576:LqyeHypU4RJK007QGTojfj7XuHtXJ9pcvyZSQYBWt:nIypK7JTkLa

Score

10^/10

modiloader xtremerat discovery evasion persistence rat spyware trojan upx

Malware Config

Extracted

Family

xtremerat

nerozhack.ddns.com.br

p ƒalonedevil.no-ip.org

gameszero.dyndns.org

Signatures

Detect XtremeRAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/1180-92-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2516-97-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

ModiLoader Second Stage 12 IoCs

resource	yara_rule
behavioral1/memory/2084-65-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1652-64-0x0000000000400000-0x0000000000455000-memory.dmp	modiloader_stage2
behavioral1/memory/2084-59-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1652-38-0x0000000000400000-0x0000000000455000-memory.dmp	modiloader_stage2
behavioral1/memory/1652-37-0x0000000000400000-0x0000000000455000-memory.dmp	modiloader_stage2
behavioral1/memory/2084-70-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2084-56-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2084-53-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2084-50-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2084-47-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2084-44-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1652-39-0x0000000000400000-0x0000000000455000-memory.dmp	modiloader_stage2

Executes dropped EXE 9 IoCs

pid	Process
400	RSOP.exe
2644	RSOP.exe
1180	RSOP.exe
876	mstwain32.exe
320	RSOP.exe
2852	mstwain32.exe
2276	mstwain32.exe
2976	RSOP.exe
1852	RSOP.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2248-0-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/files/0x0009000000015d2b-13.dat	upx
behavioral1/memory/2248-67-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/400-69-0x0000000003920000-0x00000000039D1000-memory.dmp	upx
behavioral1/memory/2644-79-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2644-83-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2644-86-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2644-84-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/400-82-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2644-75-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1180-89-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1180-92-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1180-91-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2644-94-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2644-73-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/400-21-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2248-20-0x0000000003F40000-0x0000000003FF1000-memory.dmp	upx
behavioral1/memory/2516-97-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/files/0x00060000000055d8-109.dat	upx
behavioral1/memory/876-160-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/320-124-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/320-184-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2976-191-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Microsoft\\Protect\\System.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "C:\\Windows\\system32\\Microsoft\\Protect\\System.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Microsoft\\Protect\\System.exe"	taskmgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "C:\\Windows\\system32\\Microsoft\\Protect\\System.exe"	taskmgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Microsoft\\Protect\\System.exe"	taskmgr.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	efff2fe18024a3094929186dca954315_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2248-67-0x0000000000400000-0x00000000004B1000-memory.dmp	autoit_exe
behavioral1/memory/400-69-0x0000000003920000-0x00000000039D1000-memory.dmp	autoit_exe
behavioral1/memory/400-82-0x0000000000400000-0x00000000004B1000-memory.dmp	autoit_exe
behavioral1/memory/876-160-0x0000000000400000-0x00000000004B1000-memory.dmp	autoit_exe
behavioral1/memory/320-184-0x0000000000400000-0x00000000004B1000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Microsoft\Protect\System.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\Microsoft\Protect\System.exe	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\Protect\	taskmgr.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1652 set thread context of 2084	1652	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	30
PID 400 set thread context of 2644	400	RSOP.exe	31
PID 2644 set thread context of 1180	2644	RSOP.exe	32
PID 2852 set thread context of 2276	2852	mstwain32.exe	42
PID 320 set thread context of 2976	320	RSOP.exe	43
PID 2976 set thread context of 1852	2976	RSOP.exe	44

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\mstwain32.exe	efff2fe18024a3094929186dca954315_JaffaCakes118.exe
File opened for modification	C:\Windows\mstwain32.exe	efff2fe18024a3094929186dca954315_JaffaCakes118.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe
File opened for modification	C:\Windows\RSOP.exe	RSOP.exe
File created	C:\Windows\RSOP.exe	efff2fe18024a3094929186dca954315_JaffaCakes118.exe
File opened for modification	C:\Windows\RSOP.exe	efff2fe18024a3094929186dca954315_JaffaCakes118.exe
File opened for modification	C:\Windows\RSOP.exe	RSOP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efff2fe18024a3094929186dca954315_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RSOP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RSOP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RSOP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RSOP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efff2fe18024a3094929186dca954315_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efff2fe18024a3094929186dca954315_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RSOP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RSOP.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2276	mstwain32.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	efff2fe18024a3094929186dca954315_JaffaCakes118.exe
Token: SeBackupPrivilege	3004	vssvc.exe
Token: SeRestorePrivilege	3004	vssvc.exe
Token: SeAuditPrivilege	3004	vssvc.exe
Token: SeDebugPrivilege	2276	mstwain32.exe
Token: SeDebugPrivilege	2276	mstwain32.exe
Token: SeDebugPrivilege	320	RSOP.exe
Token: SeDebugPrivilege	2976	RSOP.exe
Token: SeDebugPrivilege	1852	RSOP.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2644	RSOP.exe
1908	taskmgr.exe
2276	mstwain32.exe
2276	mstwain32.exe
2976	RSOP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1652	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1652	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1652	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1652	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	28
PID 2248 wrote to memory of 400	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	29
PID 2248 wrote to memory of 400	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	29
PID 2248 wrote to memory of 400	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	29
PID 2248 wrote to memory of 400	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	29
PID 2248 wrote to memory of 1652	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1652	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1652	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1652	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1652	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1652	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1652	2248	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	28
PID 1652 wrote to memory of 2084	1652	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	30
PID 1652 wrote to memory of 2084	1652	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	30
PID 1652 wrote to memory of 2084	1652	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	30
PID 1652 wrote to memory of 2084	1652	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	30
PID 1652 wrote to memory of 2084	1652	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	30
PID 1652 wrote to memory of 2084	1652	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	30
PID 1652 wrote to memory of 2084	1652	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	30
PID 1652 wrote to memory of 2084	1652	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	30
PID 1652 wrote to memory of 2084	1652	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	30
PID 1652 wrote to memory of 2084	1652	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	30
PID 1652 wrote to memory of 2084	1652	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	30
PID 1652 wrote to memory of 2084	1652	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	30
PID 400 wrote to memory of 2644	400	RSOP.exe	31
PID 400 wrote to memory of 2644	400	RSOP.exe	31
PID 400 wrote to memory of 2644	400	RSOP.exe	31
PID 400 wrote to memory of 2644	400	RSOP.exe	31
PID 400 wrote to memory of 2644	400	RSOP.exe	31
PID 400 wrote to memory of 2644	400	RSOP.exe	31
PID 400 wrote to memory of 2644	400	RSOP.exe	31
PID 2644 wrote to memory of 1180	2644	RSOP.exe	32
PID 2644 wrote to memory of 1180	2644	RSOP.exe	32
PID 2644 wrote to memory of 1180	2644	RSOP.exe	32
PID 2644 wrote to memory of 1180	2644	RSOP.exe	32
PID 2644 wrote to memory of 1180	2644	RSOP.exe	32
PID 2644 wrote to memory of 1180	2644	RSOP.exe	32
PID 2644 wrote to memory of 1180	2644	RSOP.exe	32
PID 2644 wrote to memory of 1180	2644	RSOP.exe	32
PID 2644 wrote to memory of 1180	2644	RSOP.exe	32
PID 1180 wrote to memory of 2516	1180	RSOP.exe	34
PID 1180 wrote to memory of 2516	1180	RSOP.exe	34
PID 1180 wrote to memory of 2516	1180	RSOP.exe	34
PID 1180 wrote to memory of 2516	1180	RSOP.exe	34
PID 1180 wrote to memory of 2516	1180	RSOP.exe	34
PID 1180 wrote to memory of 1908	1180	RSOP.exe	37
PID 1180 wrote to memory of 1908	1180	RSOP.exe	37
PID 1180 wrote to memory of 1908	1180	RSOP.exe	37
PID 1180 wrote to memory of 1908	1180	RSOP.exe	37
PID 1180 wrote to memory of 1908	1180	RSOP.exe	37
PID 2084 wrote to memory of 876	2084	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	39
PID 2084 wrote to memory of 876	2084	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	39
PID 2084 wrote to memory of 876	2084	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	39
PID 2084 wrote to memory of 876	2084	efff2fe18024a3094929186dca954315_JaffaCakes118.exe	39
PID 876 wrote to memory of 2852	876	mstwain32.exe	40
PID 876 wrote to memory of 2852	876	mstwain32.exe	40
PID 876 wrote to memory of 2852	876	mstwain32.exe	40
PID 876 wrote to memory of 2852	876	mstwain32.exe	40
PID 876 wrote to memory of 320	876	mstwain32.exe	41
PID 876 wrote to memory of 320	876	mstwain32.exe	41
PID 876 wrote to memory of 320	876	mstwain32.exe	41

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\efff2fe18024a3094929186dca954315_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efff2fe18024a3094929186dca954315_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\efff2fe18024a3094929186dca954315_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\efff2fe18024a3094929186dca954315_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\efff2fe18024a3094929186dca954315_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\efff2fe18024a3094929186dca954315_JaffaCakes118.exe"
    3⤵
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\mstwain32.exe
      "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\efff2fe18024a3094929186dca954315_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Windows\mstwain32.exe
        
        "C:\Windows\mstwain32.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2852
      - C:\Windows\mstwain32.exe
        
        "C:\Windows\mstwain32.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2276
    - - C:\Windows\RSOP.exe
        
        C:\Windows\RSOP.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
      - C:\Windows\RSOP.exe
        
        "C:\Windows\RSOP.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\RSOP.exe
        
        "C:\Windows\RSOP.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
- C:\Windows\RSOP.exe
  C:\Windows\RSOP.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\RSOP.exe
    "C:\Windows\RSOP.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\RSOP.exe
      "C:\Windows\RSOP.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2516
    - - C:\WINDOWS\SysWOW64\taskmgr.exe
        
        C:\WINDOWS\system32\taskmgr.exe
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oamixao

Filesize
9KB

MD5
1cae2b547a78ece24949e7abc5ce0832

SHA1
54c4b7d4973c22818f87f8a5c5c145e408c65095

SHA256
b4efccf8457046aaf4c5b272addd3299003f41ef19bad993ee2be0554a2922ce

SHA512
786a678a513f09528335b48fc9e87c0c0e12f795090bb76f27a74fed522bcb0bf842c2b649e1bc19d2b22dbbf76a83a5d0df8e70db242e258de97758ebdc56d8

Download Submit
C:\Windows\RSOP.exe

Filesize
300KB

MD5
a87e455284d5aaf624c6c419fa7f9bed

SHA1
dd7335f04ef50375b124106cc599d4def55f40ac

SHA256
3cdc6602fee91dc53c16573cf2f53dbcec491d53a0795312290a804a247a81a3

SHA512
000fbf010fdcc5d47be1500372d8ca4d2fe399a4c0e1a9299da5e42fa0fae77711f38be13bab1264e8dd78f321ac79fefdcea52953749756f8d33c225842ae32

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
a1efb85344da33edeceb6e7db669f289

SHA1
c1af0dc6dd034017a7687674d1162645789809ac

SHA256
4c78a6a35e38fbd6f0f7252fb6caef183174ce77e79bfe98b6f15aadde073c89

SHA512
5887488bdcca58cfefacf315e8f70c77ca3f34eeaf5308a55c069c7d71cfc7e1e88700733f83db90d9f204ff6be45a84e24e813cb9f7bf6566b926a783df31d9

Download Submit
C:\Windows\mstwain32.exe

Filesize
1.2MB

MD5
efff2fe18024a3094929186dca954315

SHA1
2ba5cea58730f11b9b7d3fb582db68dbc8d16ca4

SHA256
7dd9bd66025b79a1392b928ff5e2b3a62335465ebeabcf72e426f5490bd207d1

SHA512
0d1f99669047d6fa6e6614928ee467708a224bc1dc947982d356d007bb1ba24a65de832b6a0ef1b24b0dbc5c5e02a169bd4e8bd3bc3ee4366979ff0c1fe3f872

Download Submit
memory/320-184-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/320-124-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/400-69-0x0000000003920000-0x00000000039D1000-memory.dmp

Filesize
708KB

Download
memory/400-82-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/400-21-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/876-122-0x0000000003F60000-0x0000000004011000-memory.dmp

Filesize
708KB

Download
memory/876-160-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1180-89-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1180-92-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1180-91-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1652-29-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1652-35-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1652-23-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1652-27-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1652-25-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1652-38-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1652-64-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1652-37-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1652-39-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1652-31-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1652-33-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2084-70-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2084-59-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2084-65-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2084-56-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2084-53-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2084-50-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2084-47-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2084-44-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2084-42-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2084-40-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2084-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2248-22-0x0000000003F40000-0x0000000003FF1000-memory.dmp

Filesize
708KB

Download
memory/2248-67-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2248-0-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2248-20-0x0000000003F40000-0x0000000003FF1000-memory.dmp

Filesize
708KB

Download
memory/2516-97-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2516-95-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2644-86-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2644-83-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2644-79-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2644-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2644-84-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2644-75-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2644-94-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2644-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2976-191-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads