modiloader | 03f7203f86c9c9aab854507f705bc5a7313a250482ba0947aa5d9fc8940e5c98

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe
Size

1.2MB
MD5

63391f06b1b5871dda76f341c087d122
SHA1

2e04c2c76034993e1554f3ab3a2d06ad23d6421f
SHA256

03f7203f86c9c9aab854507f705bc5a7313a250482ba0947aa5d9fc8940e5c98
SHA512

e521c61498aee08926a1b27bb523650d03ee4fdf6048727f3b780061fa8c70b4bc63ba8dca1485822ea1fb80cc267b651ca01be6e786dcefa34a68e1e6205a68
SSDEEP

12288:Gur9aWZhHtLJgdcBtyOJD/tLVzDvb68gW7Vov7924+60v72AhAmKsTkaEEeHTcKq:GucW3tJnv8RRciwTVOH5xY+zkhdtAv

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2372-6-0x0000000000400000-0x0000000000541000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2712	A.exe
2096	Crypted1.exe

Loads dropped DLL 3 IoCs

pid	Process
2372	JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe
2712	A.exe
1436	dw20.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000a00000001202c-2.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 54 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1424	PING.EXE
1224	PING.EXE
968	PING.EXE
536	PING.EXE
3032	PING.EXE
2876	PING.EXE
2816	PING.EXE
2904	PING.EXE
2816	PING.EXE
2836	PING.EXE
2404	PING.EXE
1464	PING.EXE
2952	PING.EXE
2640	PING.EXE
888	PING.EXE
1956	PING.EXE
580	PING.EXE
2544	PING.EXE
2484	PING.EXE
2900	PING.EXE
2976	PING.EXE
2636	PING.EXE
2476	PING.EXE
2340	PING.EXE
1704	PING.EXE
2596	PING.EXE
1432	PING.EXE
2700	PING.EXE
2580	PING.EXE
2748	PING.EXE
1200	PING.EXE
1552	PING.EXE
2448	PING.EXE
2804	PING.EXE
2824	PING.EXE
2156	PING.EXE
2184	PING.EXE
1484	PING.EXE
680	PING.EXE
2928	PING.EXE
2256	PING.EXE
1136	PING.EXE
992	PING.EXE
1516	PING.EXE
2828	PING.EXE
2468	PING.EXE
2864	PING.EXE
2236	PING.EXE
2992	PING.EXE
1864	PING.EXE
300	PING.EXE
2656	PING.EXE
2664	PING.EXE
3008	PING.EXE

Runs ping.exe 1 TTPs 54 IoCs

Remote System Discovery

T1018

pid	Process
2404	PING.EXE
2544	PING.EXE
3008	PING.EXE
2904	PING.EXE
1136	PING.EXE
1224	PING.EXE
2816	PING.EXE
2664	PING.EXE
580	PING.EXE
2156	PING.EXE
2340	PING.EXE
2828	PING.EXE
2468	PING.EXE
888	PING.EXE
2656	PING.EXE
2596	PING.EXE
1552	PING.EXE
2816	PING.EXE
3032	PING.EXE
2952	PING.EXE
2448	PING.EXE
1200	PING.EXE
2580	PING.EXE
2476	PING.EXE
2184	PING.EXE
2636	PING.EXE
1424	PING.EXE
2864	PING.EXE
2928	PING.EXE
2640	PING.EXE
2836	PING.EXE
1704	PING.EXE
2900	PING.EXE
1864	PING.EXE
2976	PING.EXE
2876	PING.EXE
300	PING.EXE
1432	PING.EXE
2804	PING.EXE
1484	PING.EXE
2748	PING.EXE
536	PING.EXE
2700	PING.EXE
2256	PING.EXE
2992	PING.EXE
2824	PING.EXE
1956	PING.EXE
992	PING.EXE
1464	PING.EXE
1516	PING.EXE
2236	PING.EXE
2484	PING.EXE
968	PING.EXE
680	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	Crypted1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2712	2372	JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe	30
PID 2372 wrote to memory of 2712	2372	JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe	30
PID 2372 wrote to memory of 2712	2372	JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe	30
PID 2372 wrote to memory of 2712	2372	JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe	30
PID 2712 wrote to memory of 2368	2712	A.exe	31
PID 2712 wrote to memory of 2368	2712	A.exe	31
PID 2712 wrote to memory of 2368	2712	A.exe	31
PID 2712 wrote to memory of 2368	2712	A.exe	31
PID 2712 wrote to memory of 2096	2712	A.exe	32
PID 2712 wrote to memory of 2096	2712	A.exe	32
PID 2712 wrote to memory of 2096	2712	A.exe	32
PID 2712 wrote to memory of 2096	2712	A.exe	32
PID 2368 wrote to memory of 2476	2368	cmd.exe	34
PID 2368 wrote to memory of 2476	2368	cmd.exe	34
PID 2368 wrote to memory of 2476	2368	cmd.exe	34
PID 2368 wrote to memory of 2476	2368	cmd.exe	34
PID 2368 wrote to memory of 2864	2368	cmd.exe	35
PID 2368 wrote to memory of 2864	2368	cmd.exe	35
PID 2368 wrote to memory of 2864	2368	cmd.exe	35
PID 2368 wrote to memory of 2864	2368	cmd.exe	35
PID 2368 wrote to memory of 2748	2368	cmd.exe	36
PID 2368 wrote to memory of 2748	2368	cmd.exe	36
PID 2368 wrote to memory of 2748	2368	cmd.exe	36
PID 2368 wrote to memory of 2748	2368	cmd.exe	36
PID 2368 wrote to memory of 2876	2368	cmd.exe	37
PID 2368 wrote to memory of 2876	2368	cmd.exe	37
PID 2368 wrote to memory of 2876	2368	cmd.exe	37
PID 2368 wrote to memory of 2876	2368	cmd.exe	37
PID 2368 wrote to memory of 2976	2368	cmd.exe	38
PID 2368 wrote to memory of 2976	2368	cmd.exe	38
PID 2368 wrote to memory of 2976	2368	cmd.exe	38
PID 2368 wrote to memory of 2976	2368	cmd.exe	38
PID 2368 wrote to memory of 2816	2368	cmd.exe	39
PID 2368 wrote to memory of 2816	2368	cmd.exe	39
PID 2368 wrote to memory of 2816	2368	cmd.exe	39
PID 2368 wrote to memory of 2816	2368	cmd.exe	39
PID 2096 wrote to memory of 1436	2096	Crypted1.exe	40
PID 2096 wrote to memory of 1436	2096	Crypted1.exe	40
PID 2096 wrote to memory of 1436	2096	Crypted1.exe	40
PID 2096 wrote to memory of 1436	2096	Crypted1.exe	40
PID 2368 wrote to memory of 2156	2368	cmd.exe	41
PID 2368 wrote to memory of 2156	2368	cmd.exe	41
PID 2368 wrote to memory of 2156	2368	cmd.exe	41
PID 2368 wrote to memory of 2156	2368	cmd.exe	41
PID 2368 wrote to memory of 1224	2368	cmd.exe	42
PID 2368 wrote to memory of 1224	2368	cmd.exe	42
PID 2368 wrote to memory of 1224	2368	cmd.exe	42
PID 2368 wrote to memory of 1224	2368	cmd.exe	42
PID 2368 wrote to memory of 1864	2368	cmd.exe	43
PID 2368 wrote to memory of 1864	2368	cmd.exe	43
PID 2368 wrote to memory of 1864	2368	cmd.exe	43
PID 2368 wrote to memory of 1864	2368	cmd.exe	43
PID 2368 wrote to memory of 536	2368	cmd.exe	44
PID 2368 wrote to memory of 536	2368	cmd.exe	44
PID 2368 wrote to memory of 536	2368	cmd.exe	44
PID 2368 wrote to memory of 536	2368	cmd.exe	44
PID 2368 wrote to memory of 2596	2368	cmd.exe	45
PID 2368 wrote to memory of 2596	2368	cmd.exe	45
PID 2368 wrote to memory of 2596	2368	cmd.exe	45
PID 2368 wrote to memory of 2596	2368	cmd.exe	45
PID 2368 wrote to memory of 1424	2368	cmd.exe	46
PID 2368 wrote to memory of 1424	2368	cmd.exe	46
PID 2368 wrote to memory of 1424	2368	cmd.exe	46
PID 2368 wrote to memory of 1424	2368	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\A.exe
  "C:\Users\Admin\AppData\Local\Temp\A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp/MyIntrotool.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2476
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2864
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2748
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2876
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2976
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2816
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2156
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1224
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1864
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:536
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2596
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1424
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1464
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:680
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1136
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:580
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:968
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2184
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2904
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1516
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3032
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1704
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:992
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2404
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1956
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2236
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2580
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2544
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1200
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2340
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:300
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2484
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2448
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3008
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2836
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2824
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2900
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2664
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2656
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2828
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2992
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1552
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2952
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2256
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1432
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2804
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1484
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2636
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2816
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:888
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2700
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2468
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2640
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2928
- - C:\Users\Admin\AppData\Local\Temp\Crypted1.exe
    C:\Users\Admin\AppData\Local\Temp/Crypted1.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 520
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted1.exe

Filesize
249KB

MD5
66c31acd2f6286b1c0f6bccd06124771

SHA1
c4f45c1054d0e07a44c46cd54c043af25a526264

SHA256
4d00e89895eba5d2d6f429324d4ad76b85962f89ad4c8943dea172f8cdcf9fda

SHA512
3d2fb6b985a73f168339fa5133eb37ebbedfe05764598ccbb1aee9f23ed6243b89acd34414f23c6d1d4fc1a068ed1676e0e178b6bfb2a968cf242b95b938df8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyIntrotool.bat

Filesize
19KB

MD5
dfc00c66daa8d07665c67fa029e48840

SHA1
99bad7ae34e362fc888cb5df11a297f4ec0e6085

SHA256
adefe6fb26784bf9965d24b23bd27f88c10a2942a751e8ef8f4bf5a961227f85

SHA512
f2241846f528f05a5587e178b990a7f1cc88f638af7f770d28c195ada72a3fa803cdebae4a759ea2af153601ef9389ed6434cf0141419a749af1114a67526dc2

Download Submit
\Users\Admin\AppData\Local\Temp\A.exe

Filesize
1.0MB

MD5
97e5a2bcad72705a86c697ad8c18f347

SHA1
cd3d2d8e273d1f5a82e34eef9254bea60e1b2f1a

SHA256
5f558f63b56bce832ead31e70b32fd91655db7329841a23b4e4f864de6fa2920

SHA512
3c57534c8eeb85734e1c4446edaae6d6e75c3c52a7ea8a46efafe0ea7df038d8ee68004a7f70bd5756aa80988be6f7db805dd29e35a258051fc7e341d06ee67c

Download Submit
memory/2096-43-0x0000000074C04000-0x0000000074C05000-memory.dmp

Filesize
4KB

Download
memory/2096-34-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-45-0x0000000074BF0000-0x0000000074D00000-memory.dmp

Filesize
1.1MB

Download
memory/2096-49-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-102-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-101-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-98-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-97-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-96-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-95-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-93-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-92-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-91-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-90-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-89-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-88-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-87-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-86-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-85-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-82-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-81-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-80-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-79-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-76-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-75-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-74-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-73-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-72-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-68-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-67-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-66-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-64-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-63-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-62-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-61-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-59-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-58-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-56-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-55-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-54-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-53-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-52-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-51-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-106-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-104-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-103-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-99-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-100-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-94-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-84-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-83-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-77-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-78-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-71-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-70-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-69-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-65-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-60-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-57-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-50-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-48-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-47-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-46-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/2096-150-0x0000000074BF0000-0x0000000074D00000-memory.dmp

Filesize
1.1MB

Download
memory/2372-6-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download