modiloader | 1eb0119af5d3e69ec00a43a3c3caffe122e6cdcd257aabd2e0a69bba2ba45a4e

Analysis

max time kernel
145s
max time network
127s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe
Size

474KB
MD5

d9a524baea6be9a3e06d5a133ed319fd
SHA1

145d00ef2d457cf7154d2c83bf6a0e59262d95ee
SHA256

1eb0119af5d3e69ec00a43a3c3caffe122e6cdcd257aabd2e0a69bba2ba45a4e
SHA512

6ac1d78de794df4461fd15ae5ab2af738dee94da7fab29a84b6ec2775e637d04f969664539a060708530c9453d8fbd379dba66a0baf717c1fc671d530afbc22b
SSDEEP

12288:iHLUMuiv9RgfSjAzRtyueohiZFoslZFfuKWU0Su:AtARTeohO/D2vBSu

Score

10^/10

modiloader discovery evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral1/files/0x000700000001956c-13.dat	modiloader_stage2
behavioral1/memory/2800-39-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-475-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-478-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-481-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-484-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-487-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-492-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-927-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-930-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-933-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-936-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-939-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-942-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-945-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-948-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2800	serveturkojan.exe
2452	mstwain32.exe

Loads dropped DLL 5 IoCs

pid	Process
1308	d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe
1308	d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe
1308	d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe
1308	d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe
2800	serveturkojan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	serveturkojan.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1308-28-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1308-0-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/1308-28-0x0000000000400000-0x00000000004AC000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe
File created	C:\Windows\mstwain32.exe	serveturkojan.exe
File opened for modification	C:\Windows\mstwain32.exe	serveturkojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	serveturkojan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e9eaeb1ffee4c64c922b8e264136aa33000000000200000000001066000000010000200000005e95ddc10996a2a6c9f213c6b37e513557bbdefb815964e985f078db10f4bb38000000000e8000000002000020000000bd8ccc7121cb1207d91faef7a516d0733fa27c1ef7ce75e9aa2322e8df74ae2820000000c9c937a1359cc4bf033f8e7988cf71a1b7c6699ac72473a6f792e41129745ff340000000b6265e7e926093028a378d3fcd24da046862e357e974b490fbb434af96f79d5b6d068c39c91c68beb8ddc6d1b707dfc609052177801d0dc9808ded17e2399af4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7029a2c5364adb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439909540"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F1237D61-B629-11EF-9DFD-D67B43388B6B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e9eaeb1ffee4c64c922b8e264136aa33000000000200000000001066000000010000200000001ced5753bcf17265dad06a80f15ecb0a05b88707e6267a92985f989ca84be984000000000e800000000200002000000000e6fcb11a403a1cd19965f57a0ab83d47cf78aa020df029d04f7d9adf0b246c9000000073002940061ebd2795e7ed3d278a96e0344f3ea3b57f20514c8a8f292b58d912fabebe24f06c7bc3346ed3e05ffad3ec099facc4d2091ae04d2b9dffaf7ccf845399e459aa7f12070a332b9b51cc942726f2408d8c6ce5d208593910909ff62128dcedc2e162a6aa25b234c04eca939cb002fdcd9a3935f11a80d5dddb9b9ffb86868831ab326a61ae356770867fc4de40000000a8ccdb10f6d0f415402311378b88bfd1603931c15db71cc8e7aab13e07d3522929a3d4f1792663a4bf94d474077bbf76aa2f52e8806c6eff078c17133d871ffa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	serveturkojan.exe
Token: SeBackupPrivilege	2828	vssvc.exe
Token: SeRestorePrivilege	2828	vssvc.exe
Token: SeAuditPrivilege	2828	vssvc.exe
Token: SeDebugPrivilege	2452	mstwain32.exe
Token: SeDebugPrivilege	2452	mstwain32.exe
Token: SeDebugPrivilege	2704	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3048	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3048	iexplore.exe
3048	iexplore.exe
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2452	mstwain32.exe
2452	mstwain32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2800	1308	d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe	29
PID 1308 wrote to memory of 2800	1308	d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe	29
PID 1308 wrote to memory of 2800	1308	d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe	29
PID 1308 wrote to memory of 2800	1308	d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe	29
PID 1308 wrote to memory of 3048	1308	d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe	30
PID 1308 wrote to memory of 3048	1308	d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe	30
PID 1308 wrote to memory of 3048	1308	d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe	30
PID 1308 wrote to memory of 3048	1308	d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2704	3048	iexplore.exe	33
PID 3048 wrote to memory of 2704	3048	iexplore.exe	33
PID 3048 wrote to memory of 2704	3048	iexplore.exe	33
PID 3048 wrote to memory of 2704	3048	iexplore.exe	33
PID 2800 wrote to memory of 2452	2800	serveturkojan.exe	35
PID 2800 wrote to memory of 2452	2800	serveturkojan.exe	35
PID 2800 wrote to memory of 2452	2800	serveturkojan.exe	35
PID 2800 wrote to memory of 2452	2800	serveturkojan.exe	35

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\serveturkojan.exe
  "C:\Users\Admin\AppData\Local\Temp\serveturkojan.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2452
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\amor-69.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7d12fa9c6df10d4e3d2a524f73f18b0

SHA1
2d01d255a3d846ad28280587a7968ef362812b98

SHA256
75ec2a032b73737b17b5e8ce9bbd39302ba4ed9e82862dfa95089da2fc9632e7

SHA512
5acb62f308758153ec88542b45a39ecc811e8c3bed2faace06e4057e517d14437cc6356b179f519a476a22518de3e26e8fff49a367692d5ca872a419aa906fee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ada184685465c1a4dfdff91e6fdcd61a

SHA1
5a494df65d5029bf0d7360c73a69b5407063752f

SHA256
122d01f38d518eca0c01b0e3aafcb2a2a8b2c1447ca47bb19687c450dfa08ca8

SHA512
804e9f09f14baddb78160c4506eaaa8ebc7c94ce460a2799ba2faead4db1051c9137f8ca2997adb55e1cbab2719dedad87983063647fb2091d427574591b4915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
219fa2841baaf413f1c1618a8cfd9f1c

SHA1
bf58d5becee5454ec6f3b150dd0bb56fcaf7b588

SHA256
9a973eabd0a1be589e92b973e3f8870f5a51b3da921dfc4eb6ef8140cc0229fd

SHA512
5565d9390ad22df46b436bea03c4df4589be66546a72384cf38cb3e47f919be016a3dc68a6fe0d9254f4c50956478be8cb45a03e5656feb37b605dfadb41efd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75c68c547f0f3df07d9763b66a2f358b

SHA1
99d91dfdd0659c282e07b78d961b87fe12494122

SHA256
bc6688d139931624693ff58bbff59aebaa56beef5976df7f7886a549939ae0a6

SHA512
ce0a80ca9c1df75fc9b761af65674bcc9344d7d95f95c6a0660f9b9e3c1b500f3b25b410df7ded98121626ad93c74a25b95b60a62f9bd93cf84685c226a5c407

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b351f979c8595fca8d42e9d5ea9e938

SHA1
542d59cf2d44fd8a01bf72711f55afd1e8b8c846

SHA256
cd3f3c2c3943022bac148dd0c38f1f5642fb8acb047b721758edb0c6836ed815

SHA512
d083cf3d0ec8dfa248b12d469df6850c3b8e1fd86fd7bbe981210f135691885e63b5fb72a5cd4f4368ce65689cb9af8f18fc7dabd706403687050a4db3406dfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b55a73d9393a331108667009c16d9622

SHA1
c416d65800e39f1fa62cf1ec6d573db831b72158

SHA256
8acb57c778c17be3aa09dd20d5163ce483d3fccc8dc1cda280056484fe5e8c9a

SHA512
1ae2b07dc184721aec1b72802b026a76e27b5938c7abac1f6785f532309435fa0f6d871bf6209156b57e93033a5e6d99ca3f2b3fa6b484ac561a99a5c61f77e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0126b31ee3a8e789eb4a958d46945a19

SHA1
b8ef996f1551806c7e2db7ca43d2d4467498e2ba

SHA256
570862ebde734ca0a44f72f4658b141d49e7af187f63980185f92f2810328968

SHA512
abccf0e47f623f2f2dbba2daf09c2573fce8470258c09a6c3598cce140350dceb28b70c7eb954906ec0023fbfbc8ee5a0beae39a6a1a7b26d51809611aa10dea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
566885d68bf86a0646f96209d5b6425f

SHA1
86208dc12ce1ec8d53e2f255627bd3dc4851fdb0

SHA256
b307bc2924bc12345dd55515887a36d12e04f86cb5e68343b91d72a6a0889f95

SHA512
784a3e8fecc389d9bca26ac4e56e1c02ea6371c6fa8e8ac18e44cb892d196a7e8c4c0c88f9d4e0a4eb76127fef2f9b6e95432c2224a33b4d69ebca7b41eb1057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14b5068910455251e6c9833743ea8da1

SHA1
e76a6c932f0facfad8ab72b75741a45730096bf8

SHA256
307f44e9bece7ab12a198d91ea0a22550e4b2d727d36acb7c3a6d439631d6cc2

SHA512
26f5dc8a966530aa1681103cae19bcdbd238016709e84e43d8ee83c031751bcd638c9e810dd3c66766dab773f1edb04e05d06955489aa27843179019a4dd7e08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27e8a0229041c883f73b4a79dd9818f1

SHA1
987e3d3aadbe0b47f69608d1fcb7685d2487bb45

SHA256
89173da27b2031cc9d9c6c2faadc48886b6d75bd229e8d001d3effa34c2cfa7b

SHA512
2d28795e8e5ea9583e717ef5d4638ccc1cfbba4d535574e53d444f1a4691f53712202b881ddd9dff6f8f41f0d99b7aede9362d54b843109b3943ce3e53c9e3b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8023508ac3218fbecd583766ee7a11cf

SHA1
31166e540d41a690bfb15a1f54c31445a48cdd4e

SHA256
1c6db76601fbac120f74380b47fb311a13b67b048c65e402642e6f233b0354df

SHA512
5ce8e859128b3d8922051528e77704d260521f6f0b97b7b23f7f5fc53fc54043dbcb6de4819dfe284947c0b92f532ce49584920d8f02040fb815d52cc66dc4e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ba7b57edc7640173563ab8dd567cc26

SHA1
592a7d76aa1237e3684f66e763e2721afd63592a

SHA256
7d5d360044db607cd7b923d75598b6b6402f240e18e1252c918ceb2acad66c5a

SHA512
e1b576d0f812812cf52ac11d94d176b833cb85cc0a3f797c982be07d1170a2e60e7c30a621f339ce3ec109288ddabd9ea697813b98bf655c820b9516023d15e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14a0f2ab0c8a4967390d8dcf023154dd

SHA1
56bcd57140fccd40749b4e8c32ccd751ae1463b9

SHA256
7b5a69554426ec35dd6c2c72c0ea8f26b5dca1c2d953b8b5afe5c795c52ace22

SHA512
fe68eaaef235e02f83f815d543069070880da25ad22a1520d3f889c2f5b2a57d82781b35066a3971de269fbbcb121de98198b7d6117f78c5a018d83b624e1752

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad988734f7ee21f58c6b77d2dd08e73d

SHA1
41cd044caf1ea313be00b1a36ca9003ed345611a

SHA256
9b56dd14d736045fe4f5f260c47198d1e875f4d209946ce08b434279ce455ae7

SHA512
f1c2240b58f26d5bf9f6a0e36a04252cdc7ac04024f5762913d5c2fe29e8a5414b36be32ac49f8b0349793de905f26c547824c6b794db0e1f86f7089303fc2f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03ae852ecd2e41822269cfa5fe3360fa

SHA1
65403473551b03e8ddafd950d9c16e272ea70fac

SHA256
11087146f06f9f3d5166dd4da34267bdeeeadc1aa58c36c31e0c849ebd22ade3

SHA512
9ece62f62b5b225829c9b72f1af1d8e181cb88f3ad092f4b8e094c5dc80abab03f0e34704d1015468eef83492d3f6356f52a6def66faa4f49f573065f3447a27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2b684d13198cbb2ed7c712de9677307

SHA1
0ddace4a20998ba892e8df22d2131923711ca261

SHA256
a0aa2bb9ed61a6b3e331da9efce755bd0c6cad80491b6501be83ec38e3c6f7a3

SHA512
44effeca87691f288583db79418b1569d45113be282426b007be70e364fe8113cba1dc6b69d2c11f874494b2df347158ae02e2556ca7849f4882738b2aeec5e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41db4d85315fb0998b035214835f9ccd

SHA1
7c8a5fc7d638ae5dcd0c2c726f3a94b35e9e1cf6

SHA256
ef241c91d385aa499fd2bed101a8d2312f002acee0b4526f9826572500aa62e4

SHA512
09936d61b7fb4b0f08da4742a78a6337a640f361366e0c700182f96037808378ee045102bbcc3440aed27b766c55c1fe1cd6da8dd2c8f4737c33651a36330f7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0662712ce6d70e06292e780eb6b9cc0

SHA1
22134b22b1a946b4c1cf0680f96b43237202aa02

SHA256
f97bc959af78e538470957ec70cb257e4a8faa7271581fdeb910cf7a1d6dafba

SHA512
1b1167c7e8fef54270e9a380fdce0bbb2ec7035af6a8332ee00b7315261142078bd524e23ded19128f22e418b6c1429e94d82def45da5dc2822e73594f5bdaa7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54198241dc7ef92330bf669b4a124062

SHA1
446448df9ed7efb5f0180e053ed896a2d01d7ca4

SHA256
531511d37efd56720d2d411db437dbe8640a919361f000418ac0d49c551aaef2

SHA512
743cb7fa56fdb3883fe435e8b7339ea771c7821cb81be05006fbf37e729cb1bc6ff9716cedd4d3749249c3f7255dca2ff5e394f870efed8d722dc77dc3784114

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1B7F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1BF0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\amor-69.gif

Filesize
40KB

MD5
4e7326cf5b7ca348f88e39902facd6ba

SHA1
1a61f2b901b3b6f29f23000e8592b5310825e355

SHA256
48ca6048d24f8c9fca09c09a49830f78ed0c448672447a8642419f9d8e4b2348

SHA512
685b83a21ef07c477a40dcf57ce15dbeadc870b89d19f64fa423983421806b9167a0f625141049644447bb8ce1d816654a1699fb0da9c9840965af456ff46593

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
a71eed9f33ab3dfde1f018b0913372ac

SHA1
a91f3311c33da1cbf3a1e10b973f660cc2c8bb3a

SHA256
49d785795c17016cca224aa61815ff4e5eafcb24c393669284ff13598bd86080

SHA512
cf378e24586bf7029c2a20b2b9a800816d1efc0e12b0338e3284133edd51878e41c9f27b195f6e4b341e35e9b7b8ce76c78c982d557d7b42018428dc6df8a9de

Download Submit
\Users\Admin\AppData\Local\Temp\serveturkojan.exe

Filesize
270KB

MD5
a327495b6fbf9b63329dcfdbf6577ffe

SHA1
8710089887b485231d34c7e34db658c599409f5c

SHA256
e4e885b886793906838a0908db5b78db035e75cb63d8543f42112d485a572612

SHA512
92b5ff1e082db5c089dcbc356d736a0329557a8ddeba10134603e1896e8eacc5c244945b461b21c97504351e997c735e69feb49e7bffb34ea4d0af0d1050c135

Download Submit
memory/1308-0-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1308-28-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2452-484-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2452-475-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2452-44-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2452-948-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2452-487-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2452-481-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2452-478-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2452-476-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/2452-477-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2452-492-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2452-927-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2452-930-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2452-933-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2452-936-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2452-939-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2452-942-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2452-945-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2800-39-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads