modiloader | e391f4c2dfa8e02e12a763d57554241966b81dc964cd6dd016c2788fe5873feb

Analysis

max time kernel
138s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe1765be1c029907e873e457bb271001_JaffaCakes118.exe
Size

177KB
MD5

fe1765be1c029907e873e457bb271001
SHA1

d67516e1fedc27a682a91ca0761ea68771e5ad6e
SHA256

e391f4c2dfa8e02e12a763d57554241966b81dc964cd6dd016c2788fe5873feb
SHA512

02709ae970bb218f937705cb0768f1a1ab79ac87d6b923345cb809aba460b2c36a284c1e471cfaafd8bd31ae9c9dc07b621875b98d8740660da55e1b11865ddc
SSDEEP

3072:hPdZSAMMXpaljlZ2VsJdL8IAygSvr+jF9/07Qwn2lKRtbr5xmEW:hqcaRlZLJl8ByFrm275R5r5MEW

Score

10^/10

modiloader discovery evasion trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe

Modiloader family
modiloader

ModiLoader Second Stage 7 IoCs

resource	yara_rule
behavioral1/memory/2084-4-0x0000000010000000-0x0000000010033000-memory.dmp	modiloader_stage2
behavioral1/files/0x0009000000016dd1-132.dat	modiloader_stage2
behavioral1/memory/1940-146-0x0000000010000000-0x0000000010033000-memory.dmp	modiloader_stage2
behavioral1/memory/820-281-0x0000000010000000-0x0000000010033000-memory.dmp	modiloader_stage2
behavioral1/memory/3036-411-0x0000000010000000-0x0000000010033000-memory.dmp	modiloader_stage2
behavioral1/memory/932-545-0x0000000010000000-0x0000000010033000-memory.dmp	modiloader_stage2
behavioral1/memory/2828-671-0x0000000010000000-0x0000000010033000-memory.dmp	modiloader_stage2

Executes dropped EXE 20 IoCs

pid	Process
1940	explore1313.exe
2440	explore1313.exe
820	explore1313.exe
1756	explore1313.exe
3036	explore1313.exe
660	explore1313.exe
932	explore1313.exe
992	explore1313.exe
2828	explore1313.exe
2152	explore1313.exe
448	explore1313.exe
1704	explore1313.exe
2196	explore1313.exe
932	explore1313.exe
2988	explore1313.exe
2564	explore1313.exe
1492	explore1313.exe
912	explore1313.exe
2016	explore1313.exe
1796	explore1313.exe

Loads dropped DLL 20 IoCs

pid	Process
2952	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe
2952	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe
2440	explore1313.exe
2440	explore1313.exe
1756	explore1313.exe
1756	explore1313.exe
660	explore1313.exe
660	explore1313.exe
992	explore1313.exe
992	explore1313.exe
2152	explore1313.exe
2152	explore1313.exe
1704	explore1313.exe
1704	explore1313.exe
932	explore1313.exe
932	explore1313.exe
2564	explore1313.exe
2564	explore1313.exe
912	explore1313.exe
912	explore1313.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File opened for modification	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File opened for modification	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File created	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File opened for modification	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File created	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File created	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File created	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File opened for modification	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File created	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File opened for modification	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File created	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File created	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File opened for modification	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File created	C:\Windows\SysWOW64\explore1313.exe	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\explore1313.exe	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File opened for modification	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File opened for modification	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File created	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File opened for modification	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe
File created	C:\Windows\SysWOW64\explore1313.exe	explore1313.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 2952	2084	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	31
PID 1940 set thread context of 2440	1940	explore1313.exe	35
PID 820 set thread context of 1756	820	explore1313.exe	39
PID 3036 set thread context of 660	3036	explore1313.exe	43
PID 932 set thread context of 992	932	explore1313.exe	47
PID 2828 set thread context of 2152	2828	explore1313.exe	51
PID 448 set thread context of 1704	448	explore1313.exe	55
PID 2196 set thread context of 932	2196	explore1313.exe	60
PID 2988 set thread context of 2564	2988	explore1313.exe	64
PID 1492 set thread context of 912	1492	explore1313.exe	68
PID 2016 set thread context of 1796	2016	explore1313.exe	72

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore1313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Runs .reg file with regedit 11 IoCs

pid	Process
2752	regedit.exe
2340	regedit.exe
2704	regedit.exe
1656	regedit.exe
2388	regedit.exe
1044	regedit.exe
852	regedit.exe
1536	regedit.exe
1284	regedit.exe
2164	regedit.exe
2868	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2952	2084	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2952	2084	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2952	2084	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2952	2084	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2952	2084	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2952	2084	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	31
PID 2952 wrote to memory of 2408	2952	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	32
PID 2952 wrote to memory of 2408	2952	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	32
PID 2952 wrote to memory of 2408	2952	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	32
PID 2952 wrote to memory of 2408	2952	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	32
PID 2408 wrote to memory of 2752	2408	cmd.exe	33
PID 2408 wrote to memory of 2752	2408	cmd.exe	33
PID 2408 wrote to memory of 2752	2408	cmd.exe	33
PID 2408 wrote to memory of 2752	2408	cmd.exe	33
PID 2952 wrote to memory of 1940	2952	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	34
PID 2952 wrote to memory of 1940	2952	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	34
PID 2952 wrote to memory of 1940	2952	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	34
PID 2952 wrote to memory of 1940	2952	fe1765be1c029907e873e457bb271001_JaffaCakes118.exe	34
PID 1940 wrote to memory of 2440	1940	explore1313.exe	35
PID 1940 wrote to memory of 2440	1940	explore1313.exe	35
PID 1940 wrote to memory of 2440	1940	explore1313.exe	35
PID 1940 wrote to memory of 2440	1940	explore1313.exe	35
PID 1940 wrote to memory of 2440	1940	explore1313.exe	35
PID 1940 wrote to memory of 2440	1940	explore1313.exe	35
PID 2440 wrote to memory of 484	2440	explore1313.exe	36
PID 2440 wrote to memory of 484	2440	explore1313.exe	36
PID 2440 wrote to memory of 484	2440	explore1313.exe	36
PID 2440 wrote to memory of 484	2440	explore1313.exe	36
PID 484 wrote to memory of 2340	484	cmd.exe	37
PID 484 wrote to memory of 2340	484	cmd.exe	37
PID 484 wrote to memory of 2340	484	cmd.exe	37
PID 484 wrote to memory of 2340	484	cmd.exe	37
PID 2440 wrote to memory of 820	2440	explore1313.exe	38
PID 2440 wrote to memory of 820	2440	explore1313.exe	38
PID 2440 wrote to memory of 820	2440	explore1313.exe	38
PID 2440 wrote to memory of 820	2440	explore1313.exe	38
PID 820 wrote to memory of 1756	820	explore1313.exe	39
PID 820 wrote to memory of 1756	820	explore1313.exe	39
PID 820 wrote to memory of 1756	820	explore1313.exe	39
PID 820 wrote to memory of 1756	820	explore1313.exe	39
PID 820 wrote to memory of 1756	820	explore1313.exe	39
PID 820 wrote to memory of 1756	820	explore1313.exe	39
PID 1756 wrote to memory of 2392	1756	explore1313.exe	40
PID 1756 wrote to memory of 2392	1756	explore1313.exe	40
PID 1756 wrote to memory of 2392	1756	explore1313.exe	40
PID 1756 wrote to memory of 2392	1756	explore1313.exe	40
PID 2392 wrote to memory of 2704	2392	cmd.exe	41
PID 2392 wrote to memory of 2704	2392	cmd.exe	41
PID 2392 wrote to memory of 2704	2392	cmd.exe	41
PID 2392 wrote to memory of 2704	2392	cmd.exe	41
PID 1756 wrote to memory of 3036	1756	explore1313.exe	42
PID 1756 wrote to memory of 3036	1756	explore1313.exe	42
PID 1756 wrote to memory of 3036	1756	explore1313.exe	42
PID 1756 wrote to memory of 3036	1756	explore1313.exe	42
PID 3036 wrote to memory of 660	3036	explore1313.exe	43
PID 3036 wrote to memory of 660	3036	explore1313.exe	43
PID 3036 wrote to memory of 660	3036	explore1313.exe	43
PID 3036 wrote to memory of 660	3036	explore1313.exe	43
PID 3036 wrote to memory of 660	3036	explore1313.exe	43
PID 3036 wrote to memory of 660	3036	explore1313.exe	43
PID 660 wrote to memory of 2060	660	explore1313.exe	44
PID 660 wrote to memory of 2060	660	explore1313.exe	44
PID 660 wrote to memory of 2060	660	explore1313.exe	44
PID 660 wrote to memory of 2060	660	explore1313.exe	44

C:\Users\Admin\AppData\Local\Temp\fe1765be1c029907e873e457bb271001_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe1765be1c029907e873e457bb271001_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\fe1765be1c029907e873e457bb271001_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fe1765be1c029907e873e457bb271001_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:2752
- - C:\Windows\SysWOW64\explore1313.exe
    C:\Windows\system32\explore1313.exe 556 "C:\Users\Admin\AppData\Local\Temp\fe1765be1c029907e873e457bb271001_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\explore1313.exe
      C:\Windows\SysWOW64\explore1313.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:484
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2340
    - - C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\system32\explore1313.exe 548 "C:\Windows\SysWOW64\explore1313.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:820
      - C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\SysWOW64\explore1313.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2704
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\system32\explore1313.exe 548 "C:\Windows\SysWOW64\explore1313.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\SysWOW64\explore1313.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1656
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\system32\explore1313.exe 548 "C:\Windows\SysWOW64\explore1313.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\SysWOW64\explore1313.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2164
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\system32\explore1313.exe 548 "C:\Windows\SysWOW64\explore1313.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\SysWOW64\explore1313.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        14⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2388
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\system32\explore1313.exe 548 "C:\Windows\SysWOW64\explore1313.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\SysWOW64\explore1313.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        16⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1044
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\system32\explore1313.exe 548 "C:\Windows\SysWOW64\explore1313.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\SysWOW64\explore1313.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        18⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:852
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\system32\explore1313.exe 548 "C:\Windows\SysWOW64\explore1313.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\SysWOW64\explore1313.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        20⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1536
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\system32\explore1313.exe 548 "C:\Windows\SysWOW64\explore1313.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\SysWOW64\explore1313.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        22⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2868
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\system32\explore1313.exe 548 "C:\Windows\SysWOW64\explore1313.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\explore1313.exe
        
        C:\Windows\SysWOW64\explore1313.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        24⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\Windows\SysWOW64\explore1313.exe

Filesize
177KB

MD5
fe1765be1c029907e873e457bb271001

SHA1
d67516e1fedc27a682a91ca0761ea68771e5ad6e

SHA256
e391f4c2dfa8e02e12a763d57554241966b81dc964cd6dd016c2788fe5873feb

SHA512
02709ae970bb218f937705cb0768f1a1ab79ac87d6b923345cb809aba460b2c36a284c1e471cfaafd8bd31ae9c9dc07b621875b98d8740660da55e1b11865ddc

Download Submit
memory/660-661-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/660-415-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/660-416-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/820-281-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/932-545-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/992-544-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/992-546-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/1756-286-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/1756-531-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/1756-285-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/1940-146-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2084-4-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2440-401-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2440-152-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2440-151-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2440-268-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2440-160-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2440-272-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2828-671-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2952-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2952-270-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2952-0-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2952-15-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2952-8-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2952-6-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2952-10-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2952-9-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2952-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2952-14-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2952-3-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2952-12-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/3036-411-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads