modiloader | 4921494fbab192c1d202585f16ef5cd46628ce8175c967d65a6dd1c98bf37b07

Analysis

max time kernel
141s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe
Size

2.5MB
MD5

97e8e9dace053f080fefae2c7998c42d
SHA1

157d70f91958686aa0c5aa97eb65e524b3e0db82
SHA256

4921494fbab192c1d202585f16ef5cd46628ce8175c967d65a6dd1c98bf37b07
SHA512

134f9891dea763f4dac798043e39d18b7bd7e851991d993f1702f9ce3973b52362d2273de87cfda8d974628991cd8d60a238c9a7e9e017d70e0fd3b9c120345d
SSDEEP

49152:h/jv6c3CLcIKEkFnJVYAOVUdYmrJh5IzdzQCfV4+81G:t29pWc2BjIvu+iG

Score

10^/10

modiloader defense_evasion discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000240d6-6.dat	modiloader_stage2

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000240e8-84.dat	acprotect
behavioral2/files/0x00070000000240e6-78.dat	acprotect
behavioral2/files/0x00070000000240e4-77.dat	acprotect
behavioral2/files/0x00070000000240e3-72.dat	acprotect
behavioral2/files/0x00070000000240e0-57.dat	acprotect

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	CTFMOM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	CTFM0M.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	CIFN0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	CTFM0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	CTFN0M.exe

Executes dropped EXE 9 IoCs

pid	Process
3572	1.exe
2432	csolzdmz0602.exe
2132	CTFNOM.exe
624	CTFN0M.exe
220	CTFMOM.exe
348	CTFM0M.exe
232	CIFN0N.exe
3784	csolzdmz0602.exe
4528	CTFM0N.exe

Loads dropped DLL 14 IoCs

pid	Process
624	CTFN0M.exe
348	CTFM0M.exe
232	CIFN0N.exe
4528	CTFM0N.exe
220	CTFMOM.exe
3784	csolzdmz0602.exe
3784	csolzdmz0602.exe
3784	csolzdmz0602.exe
3784	csolzdmz0602.exe
3784	csolzdmz0602.exe
3784	csolzdmz0602.exe
3784	csolzdmz0602.exe
3784	csolzdmz0602.exe
3784	csolzdmz0602.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CIFN0N.exe	csolzdmz0602.exe
File created	C:\Windows\SysWOW64\csolzdmz0602.exe	csolzdmz0602.exe
File opened for modification	C:\Windows\SysWOW64\Qh6xX7VN48sVPnK.dll	CTFN0M.exe
File opened for modification	C:\Windows\SysWOW64\qzp3jTZCSfSh.dll	CIFN0N.exe
File created	C:\Windows\SysWOW64\CTFN0M.exe	csolzdmz0602.exe
File opened for modification	C:\Windows\SysWOW64\xg4hAPNygs29.dll	CTFM0N.exe
File opened for modification	C:\Windows\SysWOW64\JPccCJnKygDdp3.dll	CTFMOM.exe
File created	C:\Windows\SysWOW64\CTFNOM.exe	csolzdmz0602.exe
File created	C:\Windows\SysWOW64\CTFMOM.exe	csolzdmz0602.exe
File created	C:\Windows\SysWOW64\CTFM0M.exe	csolzdmz0602.exe
File created	C:\Windows\SysWOW64\CTFM0N.exe	csolzdmz0602.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5040-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/5040-20-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x00070000000240d8-24.dat	upx
behavioral2/files/0x00070000000240da-38.dat	upx
behavioral2/memory/624-61-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral2/memory/4528-60-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/files/0x00070000000240e8-84.dat	upx
behavioral2/memory/220-90-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral2/memory/4528-89-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral2/memory/232-88-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral2/memory/348-87-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral2/files/0x00070000000240e6-78.dat	upx
behavioral2/files/0x00070000000240e4-77.dat	upx
behavioral2/files/0x00070000000240e3-72.dat	upx
behavioral2/files/0x00070000000240e0-57.dat	upx
behavioral2/files/0x00070000000240dc-52.dat	upx
behavioral2/memory/232-48-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/348-47-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/220-46-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/624-45-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/files/0x00070000000240dd-43.dat	upx
behavioral2/files/0x00070000000240db-40.dat	upx
behavioral2/files/0x00070000000240d9-37.dat	upx
behavioral2/memory/2132-35-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/2132-92-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/3784-113-0x0000000005530000-0x0000000005542000-memory.dmp	upx
behavioral2/memory/3784-112-0x0000000005510000-0x0000000005522000-memory.dmp	upx
behavioral2/memory/3784-108-0x0000000005510000-0x0000000005522000-memory.dmp	upx
behavioral2/memory/3784-107-0x00000000054F0000-0x0000000005502000-memory.dmp	upx
behavioral2/memory/3784-103-0x00000000054F0000-0x0000000005502000-memory.dmp	upx
behavioral2/memory/3784-102-0x00000000054D0000-0x00000000054E1000-memory.dmp	upx
behavioral2/memory/3784-98-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral2/memory/220-114-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/348-117-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral2/memory/220-120-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral2/memory/232-123-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral2/memory/624-129-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral2/memory/4528-126-0x0000000010000000-0x0000000010011000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fOnts\CcKKcpwJmND4.Ttf	CTFN0M.exe
File opened for modification	C:\Windows\fOnts\qWskzsQA6.Ttf	CIFN0N.exe
File opened for modification	C:\Windows\fOnts\CSzZ3gVtf.Ttf	CTFM0M.exe
File opened for modification	C:\Windows\fonts\zEfE48cw9EmcFaR.fon	CTFM0M.exe
File opened for modification	C:\Windows\fOnts\K7XaTBMWp8TPrYgw.Ttf	CTFM0N.exe
File opened for modification	C:\Windows\fOnts\uawyv9Pr.Ttf	CTFMOM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1320	2132	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTFNOM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csolzdmz0602.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csolzdmz0602.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CIFN0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTFMOM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTFN0M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTFM0M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTFM0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8898C49-7B3A-4306-A9EF-8E186EDEE5EA}\InprocServer32\ThreadingModel = "Apartment"	CTFN0M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID\{4F5EEDE5-1687-49D2-8A17-FF0B454FB37B}\InprocServer32	CIFN0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	CIFN0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID	CIFN0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID	CTFMOM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID\{762D618C-E2CB-4217-8275-03302A93073F}\InprocServer32	CTFM0M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{762D618C-E2CB-4217-8275-03302A93073F}\InprocServer32\ = "C:\\Windows\\fonts\\zEfE48cw9EmcFaR.fon"	CTFM0M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB900155-F1F0-4165-9E73-67BC13BBCE89}\InprocServer32\ = "C:\\Windows\\SysWow64\\xg4hAPNygs29.dll"	CTFM0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9726072A-8039-4958-B609-565CF7A16B38}	CTFMOM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	CTFN0M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8898C49-7B3A-4306-A9EF-8E186EDEE5EA}	CTFN0M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	CTFM0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID	CTFM0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB900155-F1F0-4165-9E73-67BC13BBCE89}\InprocServer32	CTFM0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID\{B8898C49-7B3A-4306-A9EF-8E186EDEE5EA}\InprocServer32	CTFN0M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8898C49-7B3A-4306-A9EF-8E186EDEE5EA}\InprocServer32\ = "C:\\Windows\\SysWow64\\Qh6xX7VN48sVPnK.dll"	CTFN0M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{762D618C-E2CB-4217-8275-03302A93073F}\InprocServer32\ThreadingModel = "Apartment"	CTFM0M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F5EEDE5-1687-49D2-8A17-FF0B454FB37B}\InprocServer32	CIFN0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID\{9726072A-8039-4958-B609-565CF7A16B38}\InprocServer32	CTFMOM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9726072A-8039-4958-B609-565CF7A16B38}\InprocServer32	CTFMOM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9726072A-8039-4958-B609-565CF7A16B38}\InprocServer32\ThreadingModel = "Apartment"	CTFMOM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID	CTFM0M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID\{AB900155-F1F0-4165-9E73-67BC13BBCE89}\InprocServer32	CTFM0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB900155-F1F0-4165-9E73-67BC13BBCE89}	CTFM0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9726072A-8039-4958-B609-565CF7A16B38}\InprocServer32\ = "C:\\Windows\\SysWow64\\JPccCJnKygDdp3.dll"	CTFMOM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID	CTFN0M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8898C49-7B3A-4306-A9EF-8E186EDEE5EA}\InprocServer32	CTFN0M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{762D618C-E2CB-4217-8275-03302A93073F}\InprocServer32	CTFM0M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F5EEDE5-1687-49D2-8A17-FF0B454FB37B}	CIFN0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F5EEDE5-1687-49D2-8A17-FF0B454FB37B}\InprocServer32\ = "C:\\Windows\\SysWow64\\qzp3jTZCSfSh.dll"	CIFN0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F5EEDE5-1687-49D2-8A17-FF0B454FB37B}\InprocServer32\ThreadingModel = "Apartment"	CIFN0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB900155-F1F0-4165-9E73-67BC13BBCE89}\InprocServer32\ThreadingModel = "Apartment"	CTFM0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	CTFM0M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{762D618C-E2CB-4217-8275-03302A93073F}	CTFM0M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	CTFMOM.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
624	CTFN0M.exe
624	CTFN0M.exe
624	CTFN0M.exe
624	CTFN0M.exe
348	CTFM0M.exe
4528	CTFM0N.exe
348	CTFM0M.exe
4528	CTFM0N.exe
232	CIFN0N.exe
232	CIFN0N.exe
220	CTFMOM.exe
220	CTFMOM.exe
348	CTFM0M.exe
348	CTFM0M.exe
4528	CTFM0N.exe
4528	CTFM0N.exe
232	CIFN0N.exe
232	CIFN0N.exe
220	CTFMOM.exe
220	CTFMOM.exe
348	CTFM0M.exe
348	CTFM0M.exe
232	CIFN0N.exe
232	CIFN0N.exe
624	CTFN0M.exe
624	CTFN0M.exe
4528	CTFM0N.exe
4528	CTFM0N.exe
220	CTFMOM.exe
220	CTFMOM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	624	CTFN0M.exe
Token: SeDebugPrivilege	348	CTFM0M.exe
Token: SeDebugPrivilege	4528	CTFM0N.exe
Token: SeDebugPrivilege	348	CTFM0M.exe
Token: SeDebugPrivilege	232	CIFN0N.exe
Token: SeDebugPrivilege	4528	CTFM0N.exe
Token: SeDebugPrivilege	348	CTFM0M.exe
Token: SeDebugPrivilege	4528	CTFM0N.exe
Token: SeDebugPrivilege	348	CTFM0M.exe
Token: SeDebugPrivilege	4528	CTFM0N.exe
Token: SeDebugPrivilege	232	CIFN0N.exe
Token: SeDebugPrivilege	348	CTFM0M.exe
Token: SeDebugPrivilege	4528	CTFM0N.exe
Token: SeDebugPrivilege	232	CIFN0N.exe
Token: SeDebugPrivilege	348	CTFM0M.exe
Token: SeDebugPrivilege	232	CIFN0N.exe
Token: SeDebugPrivilege	348	CTFM0M.exe
Token: SeDebugPrivilege	232	CIFN0N.exe
Token: SeDebugPrivilege	348	CTFM0M.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2432	csolzdmz0602.exe
2432	csolzdmz0602.exe
624	CTFN0M.exe
348	CTFM0M.exe
232	CIFN0N.exe
4528	CTFM0N.exe
220	CTFMOM.exe
3784	csolzdmz0602.exe
3784	csolzdmz0602.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3572	5040	JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe	86
PID 5040 wrote to memory of 3572	5040	JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe	86
PID 5040 wrote to memory of 3572	5040	JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe	86
PID 5040 wrote to memory of 2432	5040	JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe	87
PID 5040 wrote to memory of 2432	5040	JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe	87
PID 5040 wrote to memory of 2432	5040	JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe	87
PID 2432 wrote to memory of 2132	2432	csolzdmz0602.exe	88
PID 2432 wrote to memory of 2132	2432	csolzdmz0602.exe	88
PID 2432 wrote to memory of 2132	2432	csolzdmz0602.exe	88
PID 2432 wrote to memory of 624	2432	csolzdmz0602.exe	89
PID 2432 wrote to memory of 624	2432	csolzdmz0602.exe	89
PID 2432 wrote to memory of 624	2432	csolzdmz0602.exe	89
PID 2432 wrote to memory of 220	2432	csolzdmz0602.exe	90
PID 2432 wrote to memory of 220	2432	csolzdmz0602.exe	90
PID 2432 wrote to memory of 220	2432	csolzdmz0602.exe	90
PID 2432 wrote to memory of 348	2432	csolzdmz0602.exe	91
PID 2432 wrote to memory of 348	2432	csolzdmz0602.exe	91
PID 2432 wrote to memory of 348	2432	csolzdmz0602.exe	91
PID 2432 wrote to memory of 4528	2432	csolzdmz0602.exe	92
PID 2432 wrote to memory of 4528	2432	csolzdmz0602.exe	92
PID 2432 wrote to memory of 4528	2432	csolzdmz0602.exe	92
PID 2432 wrote to memory of 232	2432	csolzdmz0602.exe	93
PID 2432 wrote to memory of 232	2432	csolzdmz0602.exe	93
PID 2432 wrote to memory of 232	2432	csolzdmz0602.exe	93
PID 2432 wrote to memory of 3784	2432	csolzdmz0602.exe	94
PID 2432 wrote to memory of 3784	2432	csolzdmz0602.exe	94
PID 2432 wrote to memory of 3784	2432	csolzdmz0602.exe	94
PID 220 wrote to memory of 2952	220	CTFMOM.exe	104
PID 348 wrote to memory of 3656	348	CTFM0M.exe	105
PID 220 wrote to memory of 2952	220	CTFMOM.exe	104
PID 348 wrote to memory of 3656	348	CTFM0M.exe	105
PID 220 wrote to memory of 2952	220	CTFMOM.exe	104
PID 348 wrote to memory of 3656	348	CTFM0M.exe	105
PID 232 wrote to memory of 4480	232	CIFN0N.exe	108
PID 232 wrote to memory of 4480	232	CIFN0N.exe	108
PID 232 wrote to memory of 4480	232	CIFN0N.exe	108
PID 4528 wrote to memory of 4716	4528	CTFM0N.exe	109
PID 4528 wrote to memory of 4716	4528	CTFM0N.exe	109
PID 4528 wrote to memory of 4716	4528	CTFM0N.exe	109
PID 624 wrote to memory of 1604	624	CTFN0M.exe	112
PID 624 wrote to memory of 1604	624	CTFN0M.exe	112
PID 624 wrote to memory of 1604	624	CTFN0M.exe	112

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3572
- C:\Users\Admin\AppData\Local\Temp\Temp\csolzdmz0602.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\csolzdmz0602.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\CTFNOM.exe
    "C:\Windows\system32\CTFNOM.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 312
      4⤵
      Program crash
      PID:1320
- - C:\Windows\SysWOW64\CTFN0M.exe
    "C:\Windows\system32\CTFN0M.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CTFN0M.exe >> NUL
      4⤵
      System Location Discovery: System Language Discovery
      PID:1604
- - C:\Windows\SysWOW64\CTFMOM.exe
    "C:\Windows\system32\CTFMOM.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CTFMOM.exe >> NUL
      4⤵
      System Location Discovery: System Language Discovery
      PID:2952
- - C:\Windows\SysWOW64\CTFM0M.exe
    "C:\Windows\system32\CTFM0M.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CTFM0M.exe >> NUL
      4⤵
      System Location Discovery: System Language Discovery
      PID:3656
- - C:\Windows\SysWOW64\CTFM0N.exe
    "C:\Windows\system32\CTFM0N.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CTFM0N.exe >> NUL
      4⤵
      System Location Discovery: System Language Discovery
      PID:4716
- - C:\Windows\SysWOW64\CIFN0N.exe
    "C:\Windows\system32\CIFN0N.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CIFN0N.exe >> NUL
      4⤵
      System Location Discovery: System Language Discovery
      PID:4480
- - C:\Windows\SysWOW64\csolzdmz0602.exe
    "C:\Windows\system32\csolzdmz0602.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2132 -ip 2132
1⤵
PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\1.exe

Filesize
673KB

MD5
3fa55dd4cdfea45cf39db40311d634c9

SHA1
38dcc3328d58ca9055c7f9201f71a9164bbc9f66

SHA256
182e31f4069d482ee5923d8eb6aa62989f9f8cc6755ef05ec6c82398e509affb

SHA512
cc9a39b9e0eb83c39a338d2dbf862768bde1ff67c0127f2e8cfd83e4a00f935a1f3ca6337042f680bb653922e6ae12bb89d9499a3eca65886ad4a4e0f39bd6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\csolzdmz0602.exe

Filesize
2.2MB

MD5
8d2b0070e22e2a0296f9d506522d701a

SHA1
3120b4fc1cad0da0f978e90c7d630be9e4e36400

SHA256
22ec9cb8d3d987dbf29f4e6a037ab8dcd46e653daac3e0c64f73626301b2b6ee

SHA512
5f907d7039321887c1bec8363c80402cbcf6e70b4d1c7989d7805e49c22ea72d19fc53635a666a2c0616d7e506fc7cbddd75a9d215dba1f44a410b4c7171352a

Download Submit
C:\Windows\Fonts\zEfE48cw9EmcFaR.fon

Filesize
20KB

MD5
05b91e614ef43f145efc2997b2b1af39

SHA1
27c8a6d77874d317d36623c09b6bc60d3e9f4221

SHA256
87c24d5ae3ab21740bd87485982e1b526c006669d61f8cac3a5b562ab59f7f19

SHA512
380886d532b31bed113480745d33e3207b035df5517f667f391e4807717ca62ced756c542628e609ba5d9aea393244723a3d7e1230d55cb3a4964c1a965559eb

Download Submit
C:\Windows\SysWOW64\CIFN0N.exe

Filesize
27KB

MD5
5a2d423664f3a1a89aad7b9cc55eeb85

SHA1
8c5a43e179ecb381f562df9a9ba68db81a325888

SHA256
4ab89f4926d59bb1ead6ecbe6242d607e4cbf547646af86ab7c3404429be4c2e

SHA512
942576897f6e0436b34bee31adfdb3af1da84645e7bb26af02d82a7a95081e328a7cbdce4fbaa2b953cb3f0a999a8d4c6d94c3ae7b776412a52a4ed32c5d8077

Download Submit
C:\Windows\SysWOW64\CTFM0M.exe

Filesize
26KB

MD5
0c43996f86418385658a10579166bf82

SHA1
f5160bb14e1e72b801706425d281041045450833

SHA256
a4185fb096a3ce67b1f5c8e2137df19f33d8cbffb337d587ba1eacc316fa8279

SHA512
2b75f320be629d60acfd9edc1e2f59b1e645f65a366648d54a71c897b2342bc050ef732599c0ccce1f8e7d7a476899451fd3b8c113a4ef58df98d8df4bceccc1

Download Submit
C:\Windows\SysWOW64\CTFM0N.exe

Filesize
23KB

MD5
102f44e4df328a8a1326a115a604275e

SHA1
97c90ee748a7f805ac386c36d3893376f10d7c1c

SHA256
56da6a991fd4cc55778f133985870be054c20bf7586b005bfa0720824d4b0762

SHA512
3b2eb105f7c0d0f63929e820358a2656c92eb19d38e4425e5237c329f617325efc50d1384ec7fa54dbe716ca6c79c2b37e448129479ead641ba10dac95bfeaaa

Download Submit
C:\Windows\SysWOW64\CTFMOM.exe

Filesize
25KB

MD5
ec7d978d43f112ce58bd5e43ff942a50

SHA1
f9686692015bdaf59905ad9696bd760ced23ba69

SHA256
8f813edfb2a29d0cd467e1e635cf02db75503d2761fc0796e261b5e61191e03b

SHA512
79be954b9f836be049d083688cc0120c5232d85ea4c59dd4461c33011631584efb3914ede7cee2616569bb48ce486a8cdbf6529711c0bdf42ac24e08e5b95f4c

Download Submit
C:\Windows\SysWOW64\CTFN0M.exe

Filesize
27KB

MD5
c00d61797214ee2c62bd6044409029dc

SHA1
a67e9c4cd342293f41eda15e746c699e572c53e0

SHA256
13dca89434b9a0c00d2e4f8fe82e99ecfbed82830c96f5f9e9018786f367d499

SHA512
129b2f3de52c52e99a306a5126375291d93b54d1ba27485c66d7d513f269866b719fd503299f8511d26bd124fb4e889cf8aebcd0b0d9adc5bd831e26bcaf154f

Download Submit
C:\Windows\SysWOW64\CTFNOM.exe

Filesize
15KB

MD5
ddd019ffb9e31ff03cc7339bb543eb4f

SHA1
6c6c6d198fe8154e5962286059c6a200ad54f0b4

SHA256
fe4d316b4a2d8733152518b0533f6987b05819cdce6157b6b9355ea80637110a

SHA512
a2d775459b05fc8f14fdb5ef867e7c8bb0b07e21536b7b55d26531e8c03caf5d7fe9fab5ed082fb14ee6b7dae935186c9bc37d9d7de7b8bc91ff9583c64055f4

Download Submit
C:\Windows\SysWOW64\JPccCJnKygDdp3.dll

Filesize
18KB

MD5
6b64c135f5f03d2c7d178ce6a7831981

SHA1
e1fcde879e515824b458b01d452312d2c41f6be4

SHA256
94e8c58b90e10aace4573e2fbc0f7f3b9e441eef96bebe4a702491bbfb10caa4

SHA512
8686227861e9ac6d9010202ed93c0b61356022c11c3e4fd85fc45cda5ee967d93ee1e6e5facfe15d433f6fb831ce8b984c822f82f6bb9543bff692efb812c18e

Download Submit
C:\Windows\SysWOW64\Qh6xX7VN48sVPnK.dll

Filesize
21KB

MD5
520722426e27cfe4aa089a17de31574e

SHA1
5da29131e4e832629a15796606c81f44a2c014b2

SHA256
0b75704d8f5998e8ec6efcb43c33413f85cbba954a215552198986ee7abdf803

SHA512
99df881685bcd5b1bbd1028203257103797098fbebf6dd4eb45ada2f9793f542ab13908757ae672bd0aba1a5c8115af4624965fb57904282f27030bdaba6649c

Download Submit
C:\Windows\SysWOW64\csolzdmz0602.exe

Filesize
2.0MB

MD5
90ef94722bbeb371d8d4fcce820923d6

SHA1
c2b90b77fd2673bb4e194c2c7c690675357e3e88

SHA256
2916d95150a2b576e786ab3b31ab943b00e44743dda58dac147cb7881d6def66

SHA512
34b4fcc3c331c6e983f7184c5c65a4136b33fc111559bbe5ed2d3f4245a7c9a08ff8381f6b60ec8a9a5f5f8c50e1e4847da07419f1ebe5b1554eec6b6f538059

Download Submit
C:\Windows\SysWOW64\qzp3jTZCSfSh.dll

Filesize
220KB

MD5
d54f9204d02f0e5335239284df3da4ac

SHA1
e8f32614d2233e8b89dfb336dbcaadc98720a757

SHA256
3aa1c2f52bc7e6567c538b11a855282e7961f116a46ef1a8bf9750e46e88174e

SHA512
68a9dcb990ef87a5de0fe86861755ff7d07e331a9bb1e84761c37a5c83f1f741000309a6082631a0e751ba66f2cecfad305b463f93d67d40e415af6289b07fba

Download Submit
C:\Windows\SysWOW64\xg4hAPNygs29.dll

Filesize
17KB

MD5
c50a964eeabcc34352a52ac0b2fecabc

SHA1
cd63c3094552bf7d121d7d5806d57d2806c2d8b5

SHA256
d6a497acdd1c490e1afea5064aeaaddf64e128c9e7daa3078084f415d037f818

SHA512
85fa9ab711199f2e5db72df43db984cdb70630d01bbaa33e2383c2835cf7eb88ae7df760b204d1bb911caabdcc16f7d0f30bf48c1b86cc1f029e5f930e27dfe5

Download Submit
memory/220-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/220-90-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/220-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/220-120-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/232-88-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/232-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/232-123-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/348-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/348-87-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/348-117-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/624-45-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/624-129-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/624-61-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2132-92-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2132-35-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3784-98-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/3784-108-0x0000000005510000-0x0000000005522000-memory.dmp

Filesize
72KB

Download
memory/3784-107-0x00000000054F0000-0x0000000005502000-memory.dmp

Filesize
72KB

Download
memory/3784-103-0x00000000054F0000-0x0000000005502000-memory.dmp

Filesize
72KB

Download
memory/3784-102-0x00000000054D0000-0x00000000054E1000-memory.dmp

Filesize
68KB

Download
memory/3784-113-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/3784-112-0x0000000005510000-0x0000000005522000-memory.dmp

Filesize
72KB

Download
memory/3784-130-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4528-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4528-89-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/4528-126-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/5040-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5040-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download