modiloader | 03f7203f86c9c9aab854507f705bc5a7313a250482ba0947aa5d9fc8940e5c98

Analysis

max time kernel
96s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe
Size

1.2MB
MD5

63391f06b1b5871dda76f341c087d122
SHA1

2e04c2c76034993e1554f3ab3a2d06ad23d6421f
SHA256

03f7203f86c9c9aab854507f705bc5a7313a250482ba0947aa5d9fc8940e5c98
SHA512

e521c61498aee08926a1b27bb523650d03ee4fdf6048727f3b780061fa8c70b4bc63ba8dca1485822ea1fb80cc267b651ca01be6e786dcefa34a68e1e6205a68
SSDEEP

12288:Gur9aWZhHtLJgdcBtyOJD/tLVzDvb68gW7Vov7924+60v72AhAmKsTkaEEeHTcKq:GucW3tJnv8RRciwTVOH5xY+zkhdtAv

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/4804-10-0x0000000000400000-0x0000000000541000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe

Executes dropped EXE 2 IoCs

pid	Process
2444	A.exe
408	Crypted1.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000c000000023b1b-4.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 54 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3420	PING.EXE
2028	PING.EXE
3276	PING.EXE
1172	PING.EXE
3244	PING.EXE
2016	PING.EXE
2768	PING.EXE
208	PING.EXE
2184	PING.EXE
1992	PING.EXE
668	PING.EXE
3360	PING.EXE
2072	PING.EXE
1692	PING.EXE
4668	PING.EXE
3472	PING.EXE
5040	PING.EXE
3892	PING.EXE
636	PING.EXE
1076	PING.EXE
4904	PING.EXE
1468	PING.EXE
5000	PING.EXE
4848	PING.EXE
64	PING.EXE
1160	PING.EXE
4124	PING.EXE
2552	PING.EXE
4440	PING.EXE
908	PING.EXE
3620	PING.EXE
1864	PING.EXE
1560	PING.EXE
2748	PING.EXE
1612	PING.EXE
3960	PING.EXE
4408	PING.EXE
4404	PING.EXE
2332	PING.EXE
3228	PING.EXE
3540	PING.EXE
1648	PING.EXE
232	PING.EXE
4180	PING.EXE
1664	PING.EXE
4104	PING.EXE
3660	PING.EXE
4092	PING.EXE
2368	PING.EXE
4608	PING.EXE
2444	PING.EXE
1416	PING.EXE
3564	PING.EXE
2500	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Runs ping.exe 1 TTPs 54 IoCs

Remote System Discovery

T1018

pid	Process
5000	PING.EXE
2444	PING.EXE
3228	PING.EXE
3960	PING.EXE
3244	PING.EXE
3360	PING.EXE
1664	PING.EXE
2028	PING.EXE
4180	PING.EXE
64	PING.EXE
5040	PING.EXE
232	PING.EXE
3540	PING.EXE
908	PING.EXE
668	PING.EXE
4440	PING.EXE
1992	PING.EXE
1172	PING.EXE
1864	PING.EXE
4608	PING.EXE
2368	PING.EXE
3564	PING.EXE
1560	PING.EXE
2072	PING.EXE
4668	PING.EXE
3660	PING.EXE
3472	PING.EXE
1648	PING.EXE
1416	PING.EXE
4124	PING.EXE
4404	PING.EXE
4848	PING.EXE
2552	PING.EXE
1468	PING.EXE
3892	PING.EXE
3420	PING.EXE
1076	PING.EXE
1612	PING.EXE
4904	PING.EXE
2332	PING.EXE
636	PING.EXE
4104	PING.EXE
3620	PING.EXE
4408	PING.EXE
4092	PING.EXE
2016	PING.EXE
208	PING.EXE
2184	PING.EXE
2748	PING.EXE
1160	PING.EXE
2768	PING.EXE
3276	PING.EXE
2500	PING.EXE
1692	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	408	Crypted1.exe
Token: SeRestorePrivilege	4680	dw20.exe
Token: SeBackupPrivilege	4680	dw20.exe
Token: SeBackupPrivilege	4680	dw20.exe
Token: SeBackupPrivilege	4680	dw20.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 2444	4804	JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe	82
PID 4804 wrote to memory of 2444	4804	JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe	82
PID 4804 wrote to memory of 2444	4804	JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe	82
PID 2444 wrote to memory of 3308	2444	A.exe	83
PID 2444 wrote to memory of 3308	2444	A.exe	83
PID 2444 wrote to memory of 3308	2444	A.exe	83
PID 2444 wrote to memory of 408	2444	A.exe	84
PID 2444 wrote to memory of 408	2444	A.exe	84
PID 2444 wrote to memory of 408	2444	A.exe	84
PID 408 wrote to memory of 4680	408	Crypted1.exe	86
PID 408 wrote to memory of 4680	408	Crypted1.exe	86
PID 408 wrote to memory of 4680	408	Crypted1.exe	86
PID 3308 wrote to memory of 2332	3308	cmd.exe	87
PID 3308 wrote to memory of 2332	3308	cmd.exe	87
PID 3308 wrote to memory of 2332	3308	cmd.exe	87
PID 3308 wrote to memory of 4180	3308	cmd.exe	88
PID 3308 wrote to memory of 4180	3308	cmd.exe	88
PID 3308 wrote to memory of 4180	3308	cmd.exe	88
PID 3308 wrote to memory of 4848	3308	cmd.exe	90
PID 3308 wrote to memory of 4848	3308	cmd.exe	90
PID 3308 wrote to memory of 4848	3308	cmd.exe	90
PID 3308 wrote to memory of 2072	3308	cmd.exe	91
PID 3308 wrote to memory of 2072	3308	cmd.exe	91
PID 3308 wrote to memory of 2072	3308	cmd.exe	91
PID 3308 wrote to memory of 2768	3308	cmd.exe	92
PID 3308 wrote to memory of 2768	3308	cmd.exe	92
PID 3308 wrote to memory of 2768	3308	cmd.exe	92
PID 3308 wrote to memory of 1692	3308	cmd.exe	93
PID 3308 wrote to memory of 1692	3308	cmd.exe	93
PID 3308 wrote to memory of 1692	3308	cmd.exe	93
PID 3308 wrote to memory of 3892	3308	cmd.exe	94
PID 3308 wrote to memory of 3892	3308	cmd.exe	94
PID 3308 wrote to memory of 3892	3308	cmd.exe	94
PID 3308 wrote to memory of 64	3308	cmd.exe	95
PID 3308 wrote to memory of 64	3308	cmd.exe	95
PID 3308 wrote to memory of 64	3308	cmd.exe	95
PID 3308 wrote to memory of 636	3308	cmd.exe	96
PID 3308 wrote to memory of 636	3308	cmd.exe	96
PID 3308 wrote to memory of 636	3308	cmd.exe	96
PID 3308 wrote to memory of 4668	3308	cmd.exe	97
PID 3308 wrote to memory of 4668	3308	cmd.exe	97
PID 3308 wrote to memory of 4668	3308	cmd.exe	97
PID 3308 wrote to memory of 1664	3308	cmd.exe	98
PID 3308 wrote to memory of 1664	3308	cmd.exe	98
PID 3308 wrote to memory of 1664	3308	cmd.exe	98
PID 3308 wrote to memory of 2184	3308	cmd.exe	99
PID 3308 wrote to memory of 2184	3308	cmd.exe	99
PID 3308 wrote to memory of 2184	3308	cmd.exe	99
PID 3308 wrote to memory of 1172	3308	cmd.exe	100
PID 3308 wrote to memory of 1172	3308	cmd.exe	100
PID 3308 wrote to memory of 1172	3308	cmd.exe	100
PID 3308 wrote to memory of 4104	3308	cmd.exe	101
PID 3308 wrote to memory of 4104	3308	cmd.exe	101
PID 3308 wrote to memory of 4104	3308	cmd.exe	101
PID 3308 wrote to memory of 3228	3308	cmd.exe	102
PID 3308 wrote to memory of 3228	3308	cmd.exe	102
PID 3308 wrote to memory of 3228	3308	cmd.exe	102
PID 3308 wrote to memory of 3420	3308	cmd.exe	103
PID 3308 wrote to memory of 3420	3308	cmd.exe	103
PID 3308 wrote to memory of 3420	3308	cmd.exe	103
PID 3308 wrote to memory of 1076	3308	cmd.exe	104
PID 3308 wrote to memory of 1076	3308	cmd.exe	104
PID 3308 wrote to memory of 1076	3308	cmd.exe	104
PID 3308 wrote to memory of 2748	3308	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63391f06b1b5871dda76f341c087d122.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\A.exe
  "C:\Users\Admin\AppData\Local\Temp\A.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp/MyIntrotool.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2332
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4180
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4848
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2072
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2768
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1692
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3892
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:64
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:636
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4668
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1664
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2184
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1172
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4104
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3228
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3420
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1076
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2748
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3660
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2368
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1160
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3564
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4124
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3540
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2552
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2028
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1864
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3960
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4408
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1612
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4904
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4608
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1560
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1468
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4092
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4404
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3472
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3276
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5000
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2444
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3244
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4440
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:908
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1648
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1992
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2016
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:668
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5040
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:232
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:208
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3360
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1416
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2500
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3620
- - C:\Users\Admin\AppData\Local\Temp\Crypted1.exe
    C:\Users\Admin\AppData\Local\Temp/Crypted1.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 924
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A.exe

Filesize
1.0MB

MD5
97e5a2bcad72705a86c697ad8c18f347

SHA1
cd3d2d8e273d1f5a82e34eef9254bea60e1b2f1a

SHA256
5f558f63b56bce832ead31e70b32fd91655db7329841a23b4e4f864de6fa2920

SHA512
3c57534c8eeb85734e1c4446edaae6d6e75c3c52a7ea8a46efafe0ea7df038d8ee68004a7f70bd5756aa80988be6f7db805dd29e35a258051fc7e341d06ee67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypted1.exe

Filesize
249KB

MD5
66c31acd2f6286b1c0f6bccd06124771

SHA1
c4f45c1054d0e07a44c46cd54c043af25a526264

SHA256
4d00e89895eba5d2d6f429324d4ad76b85962f89ad4c8943dea172f8cdcf9fda

SHA512
3d2fb6b985a73f168339fa5133eb37ebbedfe05764598ccbb1aee9f23ed6243b89acd34414f23c6d1d4fc1a068ed1676e0e178b6bfb2a968cf242b95b938df8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyIntrotool.bat

Filesize
19KB

MD5
dfc00c66daa8d07665c67fa029e48840

SHA1
99bad7ae34e362fc888cb5df11a297f4ec0e6085

SHA256
adefe6fb26784bf9965d24b23bd27f88c10a2942a751e8ef8f4bf5a961227f85

SHA512
f2241846f528f05a5587e178b990a7f1cc88f638af7f770d28c195ada72a3fa803cdebae4a759ea2af153601ef9389ed6434cf0141419a749af1114a67526dc2

Download Submit
memory/408-32-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-42-0x00000000779F0000-0x0000000077AE0000-memory.dmp

Filesize
960KB

Download
memory/408-41-0x0000000077A10000-0x0000000077A11000-memory.dmp

Filesize
4KB

Download
memory/408-43-0x00000000779F0000-0x0000000077AE0000-memory.dmp

Filesize
960KB

Download
memory/408-48-0x00000000779F0000-0x0000000077AE0000-memory.dmp

Filesize
960KB

Download
memory/408-47-0x00000000779F0000-0x0000000077AE0000-memory.dmp

Filesize
960KB

Download
memory/408-49-0x00000000779F0000-0x0000000077AE0000-memory.dmp

Filesize
960KB

Download
memory/408-46-0x00000000779F0000-0x0000000077AE0000-memory.dmp

Filesize
960KB

Download
memory/408-45-0x00000000779F0000-0x0000000077AE0000-memory.dmp

Filesize
960KB

Download
memory/408-44-0x00000000779F0000-0x0000000077AE0000-memory.dmp

Filesize
960KB

Download
memory/408-92-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-110-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-109-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-108-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-107-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-106-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-105-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-104-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-103-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-102-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-101-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-100-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-99-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-98-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-97-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-96-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-95-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-94-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-93-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-91-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-90-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-89-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-88-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-87-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-86-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-84-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-83-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-82-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-81-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-80-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-79-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-78-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-76-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-74-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-75-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-73-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-72-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-71-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-70-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-69-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-68-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-67-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-66-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-65-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-64-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-63-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-61-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-60-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-59-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-58-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-56-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-57-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-55-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-53-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-52-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-51-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-85-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-77-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-62-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-54-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/408-159-0x00000000779F0000-0x0000000077AE0000-memory.dmp

Filesize
960KB

Download
memory/4804-10-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads