modiloader | 039412a7bc7448a2cb2bef31c3cb4aa8cb58ae1eb61835082a45741fe8564624

Analysis

max time kernel
299s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr
Size

1.6MB
MD5

fd369e87839e7d68d18209317decc88e
SHA1

116042c1f6f8e98adcc054cca6817daba5c2ac99
SHA256

0d8d4ae98a1216a5e84c11a34b8c9e9f87f92753cd49029c709bec46cde8845e
SHA512

a44f46bb7e8f7df4e975e96557adc538202d7afb987b6193298a5a2b285962e41b5769013b27b402f55ea7802d04c63f5144218fa95eb155ec86dcb8b9aeb59b
SSDEEP

49152:Gp1cZwfxJMCbRblfBO1h1TqnNa7Ic82rW:GUyRblJwTqnNNd

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral1/memory/4500-2-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-6-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-10-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-20-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-42-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-67-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-66-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-65-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-62-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-61-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-60-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-59-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-58-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-56-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-55-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-54-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-53-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-51-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-48-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-47-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-46-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-45-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-44-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-43-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-39-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-37-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-36-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-35-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-34-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-33-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-63-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-28-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-27-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-57-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-26-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-52-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-24-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-50-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-23-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-49-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-22-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-21-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-40-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-19-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-18-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-38-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-17-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-16-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-32-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-31-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-15-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-30-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-14-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-29-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-13-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-25-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-12-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-11-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-9-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-7-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2
behavioral1/memory/4500-8-0x0000000002950000-0x0000000003950000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	Kfuuzumr.PIF
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 9 IoCs

pid	Process
516	Adobe.exe
5060	Adobe.exe
3876	Adobe.exe
3888	Kfuuzumr.PIF
4672	Kfuuzumr.PIF
2460	Adobe.exe
4424	Kfuuzumr.PIF
816	Kfuuzumr.PIF
3900	Kfuuzumr.PIF

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\""	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\""	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\""	Kfuuzumr.PIF
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\""	Kfuuzumr.PIF
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\""	Adobe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\""	Adobe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2480	5060	WerFault.exe	109
4296	516	WerFault.exe	108
4300	3888	WerFault.exe	113
4592	3876	WerFault.exe	110
5032	4424	WerFault.exe	137
1256	816	WerFault.exe	141
4300	3900	WerFault.exe	145

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfuuzumr.PIF
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfuuzumr.PIF
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfuuzumr.PIF
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfuuzumr.PIF
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfuuzumr.PIF
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4476	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 2208	4500	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr	94
PID 4500 wrote to memory of 2208	4500	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr	94
PID 4500 wrote to memory of 2208	4500	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr	94
PID 4500 wrote to memory of 1028	4500	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr	96
PID 4500 wrote to memory of 1028	4500	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr	96
PID 4500 wrote to memory of 1028	4500	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr	96
PID 4500 wrote to memory of 216	4500	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr	99
PID 4500 wrote to memory of 216	4500	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr	99
PID 4500 wrote to memory of 216	4500	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr	99
PID 216 wrote to memory of 4476	216	cmd.exe	102
PID 216 wrote to memory of 4476	216	cmd.exe	102
PID 216 wrote to memory of 4476	216	cmd.exe	102
PID 4500 wrote to memory of 516	4500	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr	108
PID 4500 wrote to memory of 516	4500	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr	108
PID 4500 wrote to memory of 516	4500	SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr	108
PID 2508 wrote to memory of 5060	2508	cmd.exe	109
PID 2508 wrote to memory of 5060	2508	cmd.exe	109
PID 2508 wrote to memory of 5060	2508	cmd.exe	109
PID 1724 wrote to memory of 3876	1724	cmd.exe	110
PID 1724 wrote to memory of 3876	1724	cmd.exe	110
PID 1724 wrote to memory of 3876	1724	cmd.exe	110
PID 4328 wrote to memory of 3888	4328	rundll32.exe	113
PID 4328 wrote to memory of 3888	4328	rundll32.exe	113
PID 4328 wrote to memory of 3888	4328	rundll32.exe	113
PID 3888 wrote to memory of 4300	3888	Kfuuzumr.PIF	130
PID 3888 wrote to memory of 4300	3888	Kfuuzumr.PIF	130
PID 3888 wrote to memory of 4300	3888	Kfuuzumr.PIF	130
PID 1040 wrote to memory of 4672	1040	rundll32.exe	134
PID 1040 wrote to memory of 4672	1040	rundll32.exe	134
PID 1040 wrote to memory of 4672	1040	rundll32.exe	134
PID 4672 wrote to memory of 2460	4672	Kfuuzumr.PIF	135
PID 4672 wrote to memory of 2460	4672	Kfuuzumr.PIF	135
PID 4672 wrote to memory of 2460	4672	Kfuuzumr.PIF	135
PID 1404 wrote to memory of 4424	1404	rundll32.exe	137
PID 1404 wrote to memory of 4424	1404	rundll32.exe	137
PID 1404 wrote to memory of 4424	1404	rundll32.exe	137
PID 3920 wrote to memory of 816	3920	rundll32.exe	141
PID 3920 wrote to memory of 816	3920	rundll32.exe	141
PID 3920 wrote to memory of 816	3920	rundll32.exe	141
PID 1140 wrote to memory of 3900	1140	rundll32.exe	145
PID 1140 wrote to memory of 3900	1140	rundll32.exe	145
PID 1140 wrote to memory of 3900	1140	rundll32.exe	145

C:\Users\Admin\AppData\Local\Temp\SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr
"C:\Users\Admin\AppData\Local\Temp\SKM_BH450i241126113808768679897786756452434657687867565645354768789090989786643.scr" /S
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\\ProgramData\\9820.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\\ProgramData\\32882.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\\ProgramData\\13.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Kfuuzumr" /tr C:\\ProgramData\\Kfuuzumr.url"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4476
- C:\ProgramData\Adobe\Adobe.exe
  "C:\ProgramData\Adobe\Adobe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 1288
    3⤵
    - Program crash
    PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Adobe\Adobe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\ProgramData\Adobe\Adobe.exe
  C:\ProgramData\Adobe\Adobe.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1132
    3⤵
    - Program crash
    PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Adobe\Adobe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2508
- C:\ProgramData\Adobe\Adobe.exe
  C:\ProgramData\Adobe\Adobe.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1164
    3⤵
    - Program crash
    PID:2480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Kfuuzumr.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Users\Admin\Links\Kfuuzumr.PIF
  "C:\Users\Admin\Links\Kfuuzumr.PIF"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 1148
    3⤵
    - Program crash
    PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5060 -ip 5060
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 516 -ip 516
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3876 -ip 3876
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3876 -ip 3876
1⤵
PID:2964

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Kfuuzumr.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\Links\Kfuuzumr.PIF
  "C:\Users\Admin\Links\Kfuuzumr.PIF"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\ProgramData\Adobe\Adobe.exe
    "C:\ProgramData\Adobe\Adobe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Kfuuzumr.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\Links\Kfuuzumr.PIF
  "C:\Users\Admin\Links\Kfuuzumr.PIF"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1124
    3⤵
    - Program crash
    PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4424 -ip 4424
1⤵
PID:540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Kfuuzumr.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\Links\Kfuuzumr.PIF
  "C:\Users\Admin\Links\Kfuuzumr.PIF"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1120
    3⤵
    - Program crash
    PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 816 -ip 816
1⤵
PID:700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Kfuuzumr.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\Links\Kfuuzumr.PIF
  "C:\Users\Admin\Links\Kfuuzumr.PIF"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1260
    3⤵
    - Program crash
    PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3900 -ip 3900
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\13.cmd

Filesize
83B

MD5
932f70d0b3adf5dd1572dd8c65995f53

SHA1
1d423b68b845aace9aed6359eda07cdafb5a8dfe

SHA256
0a5ed16d85ef214cb8e4d0453ae4d2651cc542aeeabc76f5eeb456ffd053d146

SHA512
e9d5a02e760d546a8b0b7ce457fa40e099e5ef9d591a6a3bdfebdff58c1383ea48024b191e05a33c392bb809832d12f915b271c563335557bc79cd4268e2ad92

Download Submit
C:\ProgramData\Adobe\Adobe.exe

Filesize
1.6MB

MD5
fd369e87839e7d68d18209317decc88e

SHA1
116042c1f6f8e98adcc054cca6817daba5c2ac99

SHA256
0d8d4ae98a1216a5e84c11a34b8c9e9f87f92753cd49029c709bec46cde8845e

SHA512
a44f46bb7e8f7df4e975e96557adc538202d7afb987b6193298a5a2b285962e41b5769013b27b402f55ea7802d04c63f5144218fa95eb155ec86dcb8b9aeb59b

Download Submit
C:\ProgramData\Kfuuzumr.url

Filesize
99B

MD5
25efd62c4733ccc98b2585c63f823ad0

SHA1
97061743c08fcecec052c9b9f4039371b5eb6ac2

SHA256
04467bddd5f696afb0919549b025c011421473a9fdf8b0cd6f100734111727db

SHA512
5af5b593f2a6cfefc740a2d15d39212e77df75425fb74c7da64faeb1e896a0d9e7e4209b91d82cc610180ae8d3e4f311710848f5725b77a28e113120eab86bfe

Download Submit
memory/4500-0-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/4500-1-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-2-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-5-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/4500-4-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4500-6-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-10-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-20-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-42-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-67-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-66-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-65-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-62-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-61-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-60-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-59-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-58-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-56-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-55-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-54-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-53-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-51-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-48-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-47-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-46-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-45-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-44-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-43-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-39-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-37-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-36-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-35-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-34-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-33-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-63-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-28-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-27-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-57-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-26-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-52-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-24-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-50-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-23-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-49-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-22-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-21-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-40-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-19-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-18-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-38-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-17-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-16-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-32-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-31-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-15-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-30-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-14-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-29-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-13-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-25-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-12-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-11-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-9-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-7-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4500-8-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads