modiloader | bd604f462bad2541a2f91249fdcbfe7db28e78c0b0736d7476aa0a6d120377bb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2024, 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f883a8fb55026cb43807545106b3d8a9_JaffaCakes118.exe
Size

754KB
MD5

f883a8fb55026cb43807545106b3d8a9
SHA1

f753f962fbc53a38a074906aacb03a639d6e6d27
SHA256

bd604f462bad2541a2f91249fdcbfe7db28e78c0b0736d7476aa0a6d120377bb
SHA512

6f35362aa42818436217de4cffd3da56dab08b4f5223bd5512a20b8c9253b28fb2bf44fedcbf4647c6f544ab765dc86b79d6e6fcba461b7fe9212cbfc31fc61f
SSDEEP

12288:BK2mhAMJ/cPlJ6ZcIX8V7XT9X66gdCk0etR34iV6HQhlB3ItwNAS6wsgfq3:w2O/GlJ67sV7hq6gdCk0e//lB3Jj6TgK

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b8e-28.dat	modiloader_stage1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	f883a8fb55026cb43807545106b3d8a9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 13 IoCs

pid	Process
5032	setup.exe
4044	l3codecp.exe
1164	l3codecp.exe
4480	l3codecp.exe
4776	l3codecp.exe
4960	l3codecp.exe
4448	l3codecp.exe
1480	l3codecp.exe
2472	l3codecp.exe
5008	l3codecp.exe
5004	l3codecp.exe
1908	l3codecp.exe
3500	l3codecp.exe

Loads dropped DLL 12 IoCs

pid	Process
4044	l3codecp.exe
1164	l3codecp.exe
4480	l3codecp.exe
4776	l3codecp.exe
4960	l3codecp.exe
4448	l3codecp.exe
1480	l3codecp.exe
2472	l3codecp.exe
5008	l3codecp.exe
5004	l3codecp.exe
1908	l3codecp.exe
3500	l3codecp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SET8299.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\SETE356.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\SET9143.tmp	l3codecp.exe
File created	C:\Windows\SysWOW64\SET21BC.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\l3codecp.acm	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\l3codecp.acm	l3codecp.exe
File created	C:\Windows\SysWOW64\SETB32E.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\SET4433.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\SETF174.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\l3codecp.acm	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\SET74A9.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\l3codecp.acm	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\SETA510.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\l3codecp.acm	l3codecp.exe
File created	C:\Windows\SysWOW64\SET5213.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\l3codecp.acm	l3codecp.exe
File created	C:\Windows\SysWOW64\SETC0EE.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\l3codecp.acm	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\l3codecp.acm	l3codecp.exe
File created	C:\Windows\SysWOW64\SETE356.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\SET13DC.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\l3codecp.acm	l3codecp.exe
File created	C:\Windows\SysWOW64\SET9143.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\SETC0EE.tmp	l3codecp.exe
File created	C:\Windows\SysWOW64\SETA510.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\l3codecp.acm	l3codecp.exe
File created	C:\Windows\SysWOW64\SET13DC.tmp	l3codecp.exe
File created	C:\Windows\SysWOW64\SET4433.tmp	l3codecp.exe
File created	C:\Windows\SysWOW64\SET74A9.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\SET21BC.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\l3codecp.acm	l3codecp.exe
File created	C:\Windows\SysWOW64\SET8299.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\l3codecp.acm	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\SETB32E.tmp	l3codecp.exe
File created	C:\Windows\SysWOW64\SETF174.tmp	l3codecp.exe
File opened for modification	C:\Windows\SysWOW64\SET5213.tmp	l3codecp.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MP3 and WAV Solutions 1\order.txt	setup.exe
File opened for modification	C:\Program Files (x86)\MP3 and WAV Solutions 1\manual.txt	setup.exe
File opened for modification	C:\Program Files (x86)\MP3 and WAV Solutions 1\order.txt	setup.exe
File opened for modification	C:\Program Files (x86)\MP3 and WAV Solutions 1\mp3wavsolutions.exe	setup.exe
File created	C:\Program Files (x86)\MP3 and WAV Solutions 1\mp3wavsolutions.exe	setup.exe
File created	C:\Program Files (x86)\MP3 and WAV Solutions 1\manual.txt	setup.exe
File created	C:\Program Files (x86)\MP3 and WAV Solutions 1\install.log	setup.exe
File opened for modification	C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe	setup.exe
File created	C:\Program Files (x86)\MP3 and WAV Solutions 1\file_id.diz	setup.exe
File created	C:\Program Files (x86)\MP3 and WAV Solutions 1\bestell.txt	setup.exe
File created	C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe	setup.exe
File opened for modification	C:\Program Files (x86)\MP3 and WAV Solutions 1\file_id.diz	setup.exe
File opened for modification	C:\Program Files (x86)\MP3 and WAV Solutions 1\bestell.txt	setup.exe
File opened for modification	C:\Program Files (x86)\MP3 and WAV Solutions 1\install.log	setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\cadkasdeinst01e.exe	setup.exe
File opened for modification	C:\Windows\cadkasdeinst01e.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3codecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3codecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3codecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3codecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3codecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3codecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3codecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3codecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f883a8fb55026cb43807545106b3d8a9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3codecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3codecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3codecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3codecp.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32	l3codecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32	l3codecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32	l3codecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32	l3codecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}	l3codecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32\ = "C:\\Windows\\SysWow64\\l3codecp.acm"	l3codecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32	l3codecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32	l3codecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32\ = "C:\\Windows\\SysWow64\\l3codecp.acm"	l3codecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32	l3codecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32\ = "C:\\Windows\\SysWow64\\l3codecp.acm"	l3codecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32	l3codecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32\ = "C:\\Windows\\SysWow64\\l3codecp.acm"	l3codecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32\ = "C:\\Windows\\SysWow64\\l3codecp.acm"	l3codecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32\ = "C:\\Windows\\SysWow64\\l3codecp.acm"	l3codecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32	l3codecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32	l3codecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32\ = "C:\\Windows\\SysWow64\\l3codecp.acm"	l3codecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32\ = "C:\\Windows\\SysWow64\\l3codecp.acm"	l3codecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32\ = "C:\\Windows\\SysWow64\\l3codecp.acm"	l3codecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	l3codecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32\ = "C:\\Windows\\SysWow64\\l3codecp.acm"	l3codecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32\ = "C:\\Windows\\SysWow64\\l3codecp.acm"	l3codecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32	l3codecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	l3codecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32	l3codecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D8EA000-731E-11d0-AC50-00AA00BF35C4}\InProcServer32\ = "C:\\Windows\\SysWow64\\l3codecp.acm"	l3codecp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 5032	3472	f883a8fb55026cb43807545106b3d8a9_JaffaCakes118.exe	83
PID 3472 wrote to memory of 5032	3472	f883a8fb55026cb43807545106b3d8a9_JaffaCakes118.exe	83
PID 3472 wrote to memory of 5032	3472	f883a8fb55026cb43807545106b3d8a9_JaffaCakes118.exe	83
PID 5032 wrote to memory of 4044	5032	setup.exe	88
PID 5032 wrote to memory of 4044	5032	setup.exe	88
PID 5032 wrote to memory of 4044	5032	setup.exe	88
PID 4044 wrote to memory of 320	4044	l3codecp.exe	95
PID 4044 wrote to memory of 320	4044	l3codecp.exe	95
PID 4044 wrote to memory of 320	4044	l3codecp.exe	95
PID 5032 wrote to memory of 1164	5032	setup.exe	100
PID 5032 wrote to memory of 1164	5032	setup.exe	100
PID 5032 wrote to memory of 1164	5032	setup.exe	100
PID 1164 wrote to memory of 5040	1164	l3codecp.exe	102
PID 1164 wrote to memory of 5040	1164	l3codecp.exe	102
PID 1164 wrote to memory of 5040	1164	l3codecp.exe	102
PID 5032 wrote to memory of 4480	5032	setup.exe	105
PID 5032 wrote to memory of 4480	5032	setup.exe	105
PID 5032 wrote to memory of 4480	5032	setup.exe	105
PID 4480 wrote to memory of 3700	4480	l3codecp.exe	108
PID 4480 wrote to memory of 3700	4480	l3codecp.exe	108
PID 4480 wrote to memory of 3700	4480	l3codecp.exe	108
PID 5032 wrote to memory of 4776	5032	setup.exe	109
PID 5032 wrote to memory of 4776	5032	setup.exe	109
PID 5032 wrote to memory of 4776	5032	setup.exe	109
PID 4776 wrote to memory of 428	4776	l3codecp.exe	111
PID 4776 wrote to memory of 428	4776	l3codecp.exe	111
PID 4776 wrote to memory of 428	4776	l3codecp.exe	111
PID 5032 wrote to memory of 4960	5032	setup.exe	112
PID 5032 wrote to memory of 4960	5032	setup.exe	112
PID 5032 wrote to memory of 4960	5032	setup.exe	112
PID 4960 wrote to memory of 1084	4960	l3codecp.exe	115
PID 4960 wrote to memory of 1084	4960	l3codecp.exe	115
PID 4960 wrote to memory of 1084	4960	l3codecp.exe	115
PID 5032 wrote to memory of 4448	5032	setup.exe	116
PID 5032 wrote to memory of 4448	5032	setup.exe	116
PID 5032 wrote to memory of 4448	5032	setup.exe	116
PID 4448 wrote to memory of 3372	4448	l3codecp.exe	118
PID 4448 wrote to memory of 3372	4448	l3codecp.exe	118
PID 4448 wrote to memory of 3372	4448	l3codecp.exe	118
PID 5032 wrote to memory of 1480	5032	setup.exe	119
PID 5032 wrote to memory of 1480	5032	setup.exe	119
PID 5032 wrote to memory of 1480	5032	setup.exe	119
PID 1480 wrote to memory of 4708	1480	l3codecp.exe	121
PID 1480 wrote to memory of 4708	1480	l3codecp.exe	121
PID 1480 wrote to memory of 4708	1480	l3codecp.exe	121
PID 5032 wrote to memory of 2472	5032	setup.exe	122
PID 5032 wrote to memory of 2472	5032	setup.exe	122
PID 5032 wrote to memory of 2472	5032	setup.exe	122
PID 2472 wrote to memory of 3932	2472	l3codecp.exe	124
PID 2472 wrote to memory of 3932	2472	l3codecp.exe	124
PID 2472 wrote to memory of 3932	2472	l3codecp.exe	124
PID 5032 wrote to memory of 5008	5032	setup.exe	125
PID 5032 wrote to memory of 5008	5032	setup.exe	125
PID 5032 wrote to memory of 5008	5032	setup.exe	125
PID 5008 wrote to memory of 2840	5008	l3codecp.exe	127
PID 5008 wrote to memory of 2840	5008	l3codecp.exe	127
PID 5008 wrote to memory of 2840	5008	l3codecp.exe	127
PID 5032 wrote to memory of 5004	5032	setup.exe	128
PID 5032 wrote to memory of 5004	5032	setup.exe	128
PID 5032 wrote to memory of 5004	5032	setup.exe	128
PID 5004 wrote to memory of 2964	5004	l3codecp.exe	130
PID 5004 wrote to memory of 2964	5004	l3codecp.exe	130
PID 5004 wrote to memory of 2964	5004	l3codecp.exe	130
PID 5032 wrote to memory of 1908	5032	setup.exe	131

C:\Users\Admin\AppData\Local\Temp\f883a8fb55026cb43807545106b3d8a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f883a8fb55026cb43807545106b3d8a9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe
    "C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:320
- - C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe
    "C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:5040
- - C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe
    "C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:3700
- - C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe
    "C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:428
- - C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe
    "C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:1084
- - C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe
    "C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:3372
- - C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe
    "C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:4708
- - C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe
    "C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:3932
- - C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe
    "C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:2840
- - C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe
    "C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:2964
- - C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe
    "C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1908
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:1192
- - C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe
    "C:\Program Files (x86)\MP3 and WAV Solutions 1\l3codecp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3500
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
66KB

MD5
50148bf40b335b62e385f39db091185b

SHA1
d021b22e55918d8dd1995f1ab830830d23c49194

SHA256
b7af6585175ac53376ed33d794c8ae6fae07ad975c16cb8bd1d90f67bf6c24dc

SHA512
12cd7e4f50a2bd7f93d1e4fb3d2bcf966edf77a55ebac786decc063596beaa4e01b1798fe558387e2ecd15e10cd7fbb8d5996b420221043ea38378348ac6202b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL

Filesize
2KB

MD5
5ba8f0920690f5a9038020bb4cbbdbd9

SHA1
c904bf1c3483b8b31745140b8339be314f46f16f

SHA256
042845d2197ef6023a8ec877c1bb75e9b14e5fc83099c014639407b912760eef

SHA512
6b6961f85621f32ee6596a4c16a1d6a360dfb312e9e2af9ee271f6752eec77d077ab830ad382ce7d6ae61d55698fbfea7072564a6a09cd2b09454f484c0e00e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL

Filesize
4KB

MD5
7d4a0d6c685107ac1b5089806cd4273b

SHA1
17d431159ae4df0025e85ab0cc0e534808c0607a

SHA256
6c6fd79c7f2e248bce830f08937625d4d16466fd7a3e72163f0528d058b31de5

SHA512
939334ffa5ca461fa99ce9ba80a0dc72a4205c1d0142bdd7f65deb8cc5ca1eb49cb8461291565354b83b63f62299912000de1194c407c2d63c28a4aac4046824

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l3codecp.acm

Filesize
277KB

MD5
606fff15af1daf3a017d0df9e64424c1

SHA1
de79da194d3e6c717b0e6283c356fdfb08ab0e2f

SHA256
0304cb1b678c878e8d208439757aa912d52a86a0b4f6c2fa4d2ac2362e374c2f

SHA512
aa792a553bc81a72d02ec1b252823b3809f0a17230ab5e6d401a4f097348d49397281acbed825dbd1cc439bbd36f007e1ea25af23c205c54e1350871d23eaf0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l3codecp.inf

Filesize
2KB

MD5
ee0766cf6f006ea698673981ff421e63

SHA1
21fd3c6520b77ad94cf036d2b1bed46da8e55b24

SHA256
8e428773546128ab7cbdfdbf8836291de4e7fb25d056d058c71063471118201d

SHA512
a0af6483cf565d05592c44106548e5d9734a9093f178cb25d74d1eb5ffc2497d36b6f56f49de51eb97669cdabd8103924e95afddc75bad0c57c8ceded5859884

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.log

Filesize
398B

MD5
772f9b6fef11f6894732e580e4de1a42

SHA1
d0077411ba651a706aa275cb0f4ca8725803adda

SHA256
124f2ba9858637346df2eecaf3dfb0bdfdf2cab986422bbd3173c3fa03f7de28

SHA512
9507527169653016a25a178cb2a079c8e6bbbc409d105b77027a056474ddb9de1bf861dcb0c6451d51773c1fc4b645ecabc4fd9df3f23b8b48a3576f99f9ac32

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bestell.txt

Filesize
298B

MD5
3c8805e13d15fce13cddcdf821857ac7

SHA1
f10964db70b772030cd377db69b97c4fddfbbf06

SHA256
20834456942cc51a10c6cc35876c8df17170ecaadb9d4469db34b55ec5e73f42

SHA512
3018efc2f3c52239bbffd4727aa76a0818fe203249ffe2f7f3e88b9978a033892985f19050c3d85da847b3eed34fad4cf4f769d483d228a9ab9e6ba7e13f18ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cadkasdeinst01e.exe

Filesize
80KB

MD5
5bc0f9317b2d9309a60519bf5dd74093

SHA1
727e274046e223733695f371b199371c46b50707

SHA256
02dd77caabecca810ca31dc06fe8f4e1580c76528b2fce9e54aa12092196d43b

SHA512
1649cc8737332e589e828620851fa6fdb8110061190ce10035fc6af7e4d2a7273d65a6fc7eb534b2debc031cbc22b01c9ee6f6753d0f9e062ff77b9b854cb723

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file_id.diz

Filesize
800B

MD5
b0083c240e2851e5a12e5b7569fe29b2

SHA1
20628256fc07dff7a8f782b47aa90b23f5fac07b

SHA256
a8e0a2f15cbedc8f6483e4090629301f743cc3bf634770ac4131b57ba524a53f

SHA512
2a974227d46435d47650ffd8730cb545b044e654060076ab8fae7c00fe43df5224d11cac7b36fc0f562f83799f474207d47eb97e8f16680b5f719215fa5348be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\l3codecp.exe

Filesize
299KB

MD5
3f5b1d60c5d81d0c720e5129c8e73de9

SHA1
0ea06c7d3a0128b5aedf2c11ce06a8e20c2ea749

SHA256
aba61895fff359e0fe3c0b3762a1fc25478c1f354f8f0c25a0bb917d3a507a3b

SHA512
57a31c3cb39bd16c3dc3220c409024aa2dc9baa7b4c8c2407b002a8eebc682445e42d8a5f65d3eb71d7a51a2307412614fd6fcb9c60fcf70d2eb3c7f071ad451

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\manual.txt

Filesize
3KB

MD5
321aa3af398aeafdfa4b88d41adc4912

SHA1
98b35415de8e9c499fe758c3e661c2707e66d19e

SHA256
3c8f6d29eab0e31e3d81acb8c908c721b9fbf91da4f426f202bf42f4b7c3afbd

SHA512
8df21cdd4397ef22793beab22d00444531ccf3b22386824ef76ce2005af9ece649853da637c06a95b922b241ee37d2324fcc6688c702c6d5d9942387607499a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mp3wavsolutions.exe

Filesize
1010KB

MD5
a1e71396dd82024e91943e769306a396

SHA1
e538d4351ba6867ec54e7978d17e11c32af204a0

SHA256
423ff88d3e86c2db65f47e9ccc7f6eea9e66c056e3881fe091243a0380985e91

SHA512
2ae0abd66da4ac446eda055af4cfee08b4dde48b89cbcdcbc22125b6ee7686a2b295ee7f141d76176ac8aaf30c432cadc08717601b035c982793ed0805fbeb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\order.txt

Filesize
208B

MD5
3bc1b7b708d8b351ae484be4c7e82f65

SHA1
276eb83d81e9b6337c568757437bf762d54f1755

SHA256
3437ea948a41a358b8c5e4d182d521a04a00517ace46bcf29dad0d890a42f4f0

SHA512
27600672bdceb70b1cbcf458dcf3754fa73e89ada65ffef6d1c851364ab6b8049cddcad70ff4043ae9db718cea30e0f0f010ff344c306c294d04401b87df8c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
92KB

MD5
a5e4d12b2766075ebaea8de2ad4865b9

SHA1
5de886f171824e35b78160e7a24864e538d5d0ae

SHA256
3a8dbe69d4e83c762d287e4c9b9ec1a2319bc362f95f99937d3d03d8dc0b35e6

SHA512
c9d3d9ffce6fe46e81567450662307e49886d4210e2fb75d537a5ac09a43bf0c8d25a79e47204d793930ebfaf216dc4f383f588b614eec06596038112a0fbd3f

Download Submit
C:\Windows\Temp\OLDF174.tmp

Filesize
185KB

MD5
09f03e4ab9784a0c7f7de62b796a33fb

SHA1
43aa99f202b990e77ceee4cdc311baa98aa57fe6

SHA256
db582cfc4318d4fb1b09cd6d07e2b6d959e69ebbd49a218f44b67e32d4983ff7

SHA512
e726931b79fab26ad98fc66a9f02dd9d3007f901e3ae666b114a6bacc7728d7fa35c2cb4a3bebd6b7e2377866d2a8c99061ae2e07cb1a9858c9869afd4e57763

Download Submit
memory/5032-94-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5032-177-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5032-282-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5032-365-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5032-428-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5032-511-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5032-542-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5032-616-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5032-699-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5032-761-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5032-844-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5032-949-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download