modiloader | 061b716c6ca8262d658b5877cd23d1013e90831193da7e19cd03ca0f22b176bc

Analysis

max time kernel
147s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2025, 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe
Size

1.6MB
MD5

ca6df1327b0ff637140b268c4bfe1b72
SHA1

13c488fae638721a5485cfcd196d2b9e80c53cfd
SHA256

061b716c6ca8262d658b5877cd23d1013e90831193da7e19cd03ca0f22b176bc
SHA512

46247f611b655ed49255b678b350cf26eaa6062f5950662403ee0d4fb2aac632e6f4d4142843b1b582cb7782008add566458c1953835e84cc89833408301b4a2
SSDEEP

24576:OkCIwKMTJndSh1pBODgqDx/u09m/FDwxXbdnA06Lsdb6Ul2:OkCzg0HD3TWsdb6U

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral1/memory/3680-2-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-6-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-7-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-23-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-51-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-50-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-48-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-46-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-44-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-43-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-40-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-39-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-38-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-37-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-36-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-34-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-33-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-32-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-30-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-29-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-28-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-26-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-53-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-24-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-49-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-22-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-47-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-21-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-45-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-20-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-42-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-41-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-19-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-65-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-64-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-63-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-62-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-61-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-60-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-59-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-58-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-57-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-56-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-54-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-55-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-52-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-18-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-17-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-35-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-16-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-15-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-31-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-14-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-13-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-27-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-12-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-25-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-11-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-10-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-9-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-8-0x0000000002A30000-0x0000000003A30000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	Fzmabkxq.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 8 IoCs

pid	Process
4404	wsp.exe
2852	wsp.exe
5032	wsp.exe
2508	Fzmabkxq.PIF
1140	wsp.exe
3104	wsp.exe
1956	wsp.exe
4844	Fzmabkxq.PIF

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsp-KG6IRP = "\"C:\\ProgramData\\WSP\\wsp.exe\""	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsp-KG6IRP = "\"C:\\ProgramData\\WSP\\wsp.exe\""	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsp-KG6IRP = "\"C:\\ProgramData\\WSP\\wsp.exe\""	Fzmabkxq.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsp-KG6IRP = "\"C:\\ProgramData\\WSP\\wsp.exe\""	Fzmabkxq.PIF

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
64	4404	WerFault.exe	110
2292	2852	WerFault.exe	111
3380	5032	WerFault.exe	112
1808	1956	WerFault.exe	139
2072	3104	WerFault.exe	138
468	1140	WerFault.exe	137

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fzmabkxq.PIF
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fzmabkxq.PIF
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3956	schtasks.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 2348	3680	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe	96
PID 3680 wrote to memory of 2348	3680	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe	96
PID 3680 wrote to memory of 2348	3680	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe	96
PID 3680 wrote to memory of 1712	3680	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe	97
PID 3680 wrote to memory of 1712	3680	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe	97
PID 3680 wrote to memory of 1712	3680	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe	97
PID 3680 wrote to memory of 3800	3680	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe	100
PID 3680 wrote to memory of 3800	3680	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe	100
PID 3680 wrote to memory of 3800	3680	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe	100
PID 3800 wrote to memory of 3956	3800	cmd.exe	104
PID 3800 wrote to memory of 3956	3800	cmd.exe	104
PID 3800 wrote to memory of 3956	3800	cmd.exe	104
PID 3680 wrote to memory of 4404	3680	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe	110
PID 3680 wrote to memory of 4404	3680	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe	110
PID 3680 wrote to memory of 4404	3680	TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe	110
PID 1288 wrote to memory of 2852	1288	cmd.exe	111
PID 1288 wrote to memory of 2852	1288	cmd.exe	111
PID 1288 wrote to memory of 2852	1288	cmd.exe	111
PID 3676 wrote to memory of 5032	3676	cmd.exe	112
PID 3676 wrote to memory of 5032	3676	cmd.exe	112
PID 3676 wrote to memory of 5032	3676	cmd.exe	112
PID 4852 wrote to memory of 2508	4852	rundll32.exe	130
PID 4852 wrote to memory of 2508	4852	rundll32.exe	130
PID 4852 wrote to memory of 2508	4852	rundll32.exe	130
PID 2508 wrote to memory of 1140	2508	Fzmabkxq.PIF	137
PID 2508 wrote to memory of 1140	2508	Fzmabkxq.PIF	137
PID 2508 wrote to memory of 1140	2508	Fzmabkxq.PIF	137
PID 3576 wrote to memory of 3104	3576	cmd.exe	138
PID 3576 wrote to memory of 3104	3576	cmd.exe	138
PID 3576 wrote to memory of 3104	3576	cmd.exe	138
PID 3516 wrote to memory of 1956	3516	cmd.exe	139
PID 3516 wrote to memory of 1956	3516	cmd.exe	139
PID 3516 wrote to memory of 1956	3516	cmd.exe	139
PID 3540 wrote to memory of 4844	3540	rundll32.exe	147
PID 3540 wrote to memory of 4844	3540	rundll32.exe	147
PID 3540 wrote to memory of 4844	3540	rundll32.exe	147

C:\Users\Admin\AppData\Local\Temp\TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe
"C:\Users\Admin\AppData\Local\Temp\TTClub Bill Of Lading - MIQOKHH009171 - S250002165.PDF.scr.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\\ProgramData\\8785.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\\ProgramData\\10293.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\\ProgramData\\129.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Fzmabkxq" /tr C:\\ProgramData\\Fzmabkxq.url"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3956
- C:\ProgramData\WSP\wsp.exe
  "C:\ProgramData\WSP\wsp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1172
    3⤵
    - Program crash
    PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\WSP\wsp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\ProgramData\WSP\wsp.exe
  C:\ProgramData\WSP\wsp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1120
    3⤵
    - Program crash
    PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\WSP\wsp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3676
- C:\ProgramData\WSP\wsp.exe
  C:\ProgramData\WSP\wsp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1120
    3⤵
    - Program crash
    PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5032 -ip 5032
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2852 -ip 2852
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4404 -ip 4404
1⤵
PID:3576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Fzmabkxq.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\Links\Fzmabkxq.PIF
  "C:\Users\Admin\Links\Fzmabkxq.PIF"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\ProgramData\WSP\wsp.exe
    "C:\ProgramData\WSP\wsp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1140
      4⤵
      Program crash
      PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\WSP\wsp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3516
- C:\ProgramData\WSP\wsp.exe
  C:\ProgramData\WSP\wsp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1120
    3⤵
    - Program crash
    PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\WSP\wsp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3576
- C:\ProgramData\WSP\wsp.exe
  C:\ProgramData\WSP\wsp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1152
    3⤵
    - Program crash
    PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1956 -ip 1956
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3104 -ip 3104
1⤵
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1140 -ip 1140
1⤵
PID:3992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Fzmabkxq.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\Links\Fzmabkxq.PIF
  "C:\Users\Admin\Links\Fzmabkxq.PIF"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\129.cmd

Filesize
83B

MD5
1552c0f912ed6026d5cecb817186e6ff

SHA1
0d182915673234769b7e1e9a0535c3c4d2f2fa58

SHA256
ef86ce04a47376c2ba2dcb16948c4c451b131c970f4df54bbce2995c62831901

SHA512
bb8ae068a3b216ab39786d618fcb6162a80944c62ae841250f24bed0d6be7b1ebba9a2a1471c99d5d61c0c70765e3be9b4493f1b76cd50eb1d9ae5d3cb16a9b7

Download Submit
C:\ProgramData\Fzmabkxq.url

Filesize
99B

MD5
0c141d40a41a87067e14924b5f0391d9

SHA1
0341307587ec805609eeac6230ef9b6108fc93a7

SHA256
84652fe6f24ef3d87aebce45f01b57513caf200f574b4a0396744af44a894c82

SHA512
85e01cbdc938baa8d7361ff038188477a4254a8b0372ea8ce3896bef58af54535f9fef8a2ba403c241b16b711b0f1f79ca1001ec6e58b93921906b7501277fd4

Download Submit
C:\ProgramData\WSP\wsp.exe

Filesize
1.6MB

MD5
ca6df1327b0ff637140b268c4bfe1b72

SHA1
13c488fae638721a5485cfcd196d2b9e80c53cfd

SHA256
061b716c6ca8262d658b5877cd23d1013e90831193da7e19cd03ca0f22b176bc

SHA512
46247f611b655ed49255b678b350cf26eaa6062f5950662403ee0d4fb2aac632e6f4d4142843b1b582cb7782008add566458c1953835e84cc89833408301b4a2

Download Submit
memory/3680-0-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/3680-1-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-2-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-5-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/3680-4-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/3680-6-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-7-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-23-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-51-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-50-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-48-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-46-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-44-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-43-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-40-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-39-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-38-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-37-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-36-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-34-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-33-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-32-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-30-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-29-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-28-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-26-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-53-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-24-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-49-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-22-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-47-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-21-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-45-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-20-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-42-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-41-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-19-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-65-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-64-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-63-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-62-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-61-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-60-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-59-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-58-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-57-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-56-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-54-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-55-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-52-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-18-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-17-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-35-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-16-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-15-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-31-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-14-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-13-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-27-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-12-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-25-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-11-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-10-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-9-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download
memory/3680-8-0x0000000002A30000-0x0000000003A30000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads