modiloader | 1ded4c387a4292edcf04a920c5e129a74dc246f2cf2785561b708dacb554cf96

Analysis

max time kernel
142s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
Size

7.7MB
MD5

19c9bec1f75d5ca7edb86310660a6c7b
SHA1

2ff805f3f29ea16e0dad096de62c7ce87ca9357a
SHA256

1ded4c387a4292edcf04a920c5e129a74dc246f2cf2785561b708dacb554cf96
SHA512

dd944946244d1b90bae729dc714cf0fe579d28983eace8341f0910bd71590f35c7a76a8b2528fea0050fd96d2b0503b7f7082e12a29e2608b185d956cb52c72b
SSDEEP

196608:U3GEEoPZJSRkkcj8aNGLtQhGEEoPZJSRkkcj8aNGLtQM:U3GEdPuktIiGEdPuktIz

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

mstwain32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 17 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CCleaner.exe	modiloader_stage2
behavioral2/memory/4348-46-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/2532-28-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1416-66-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1416-69-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1416-72-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1416-75-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1416-78-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1416-81-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1416-84-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1416-87-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1416-90-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1416-93-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1416-96-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1416-99-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1416-102-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1416-105-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exeCCleaner.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	CCleaner.exe

Executes dropped EXE 5 IoCs

Processes:

CCleaner.exemstwain32.execcsetup236.exeCCleaner.execcsetup236.exe

pid process

2532 CCleaner.exe
1416 mstwain32.exe
4220 ccsetup236.exe
4348 CCleaner.exe
440 ccsetup236.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
Loads dropped DLL 6 IoCs

Processes:

mstwain32.exe19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe

pid process

1416 mstwain32.exe
1416 mstwain32.exe
1416 mstwain32.exe
1416 mstwain32.exe
1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

mstwain32.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" mstwain32.exe

pid	process
2532	CCleaner.exe
1416	mstwain32.exe
4220	ccsetup236.exe
4348	CCleaner.exe
440	ccsetup236.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe

pid	process
1416	mstwain32.exe
1416	mstwain32.exe
1416	mstwain32.exe
1416	mstwain32.exe
1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

CCleaner.exemstwain32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CCleaner.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Drops file in Windows directory 4 IoCs

Processes:

CCleaner.exemstwain32.exe

description	ioc	process
File created	C:\Windows\mstwain32.exe	CCleaner.exe
File opened for modification	C:\Windows\mstwain32.exe	CCleaner.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe	nsis_installer_2

Modifies registry class 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	rundll32.exe

Modifies registry key 1 TTPs 20 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4036	reg.exe
3568	reg.exe
2076	reg.exe
2620	reg.exe
4508	reg.exe
1148	reg.exe
2544	reg.exe
3572	reg.exe
2176	reg.exe
4720	reg.exe
436	reg.exe
1928	reg.exe
4084	reg.exe
2192	reg.exe
2604	reg.exe
2976	reg.exe
4972	reg.exe
2640	reg.exe
3616	reg.exe
2488	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

CCleaner.exemstwain32.exe19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2532	CCleaner.exe
Token: SeDebugPrivilege	1416	mstwain32.exe
Token: SeDebugPrivilege	1416	mstwain32.exe
Token: SeDebugPrivilege	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exemstwain32.exe

pid process

1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
1416 mstwain32.exe
1416 mstwain32.exe

pid	process
1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
1416	mstwain32.exe
1416	mstwain32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exeCCleaner.execmd.execcsetup236.execmd.exe

description	pid	process	target process
PID 1668 wrote to memory of 2532	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	CCleaner.exe
PID 1668 wrote to memory of 2532	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	CCleaner.exe
PID 1668 wrote to memory of 2532	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	CCleaner.exe
PID 1668 wrote to memory of 5060	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 5060	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 5060	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2896	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2896	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2896	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2584	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2584	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2584	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 3376	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 3376	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 3376	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2992	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2992	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2992	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 2532 wrote to memory of 1416	2532	CCleaner.exe	mstwain32.exe
PID 2532 wrote to memory of 1416	2532	CCleaner.exe	mstwain32.exe
PID 2532 wrote to memory of 1416	2532	CCleaner.exe	mstwain32.exe
PID 1668 wrote to memory of 4220	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	ccsetup236.exe
PID 1668 wrote to memory of 4220	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	ccsetup236.exe
PID 1668 wrote to memory of 4220	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	ccsetup236.exe
PID 1668 wrote to memory of 1948	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 1948	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 1948	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 1744	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 1744	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 1744	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 4492	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 4492	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 4492	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 1376	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 1376	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 1376	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 1052	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 1052	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 1052	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 5060 wrote to memory of 2076	5060	cmd.exe	reg.exe
PID 5060 wrote to memory of 2076	5060	cmd.exe	reg.exe
PID 5060 wrote to memory of 2076	5060	cmd.exe	reg.exe
PID 1668 wrote to memory of 4348	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	CCleaner.exe
PID 1668 wrote to memory of 4348	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	CCleaner.exe
PID 1668 wrote to memory of 4348	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	CCleaner.exe
PID 4220 wrote to memory of 1556	4220	ccsetup236.exe	pcaui.exe
PID 4220 wrote to memory of 1556	4220	ccsetup236.exe	pcaui.exe
PID 1668 wrote to memory of 4208	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 4208	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 4208	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2096	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2096	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2096	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2152	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2152	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2152	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2748	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2748	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2748	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2548	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2548	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 1668 wrote to memory of 2548	1668	19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe	cmd.exe
PID 3376 wrote to memory of 3572	3376	cmd.exe	reg.exe
PID 3376 wrote to memory of 3572	3376	cmd.exe	reg.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

mstwain32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\CCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\mstwain32.exe
"C:\Windows\mstwain32.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
2⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
2⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:4508

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
2⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
3⤵
- Disables RegEdit via registry modification
- Modifies registry key
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
2⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
3⤵
- Disables RegEdit via registry modification
- Modifies registry key
PID:3572

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
2⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:4084

C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe
"C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\system32\pcaui.exe
"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {d5ceeb93-9830-4406-a772-e167287b96c4} -a "CCleaner" -v "Piriform Ltd" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 2021048 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe"
3⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
2⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
2⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:4036

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
2⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:4972

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
2⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:2192

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
2⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:436

C:\Users\Admin\AppData\Local\Temp\CCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"
2⤵
- Executes dropped EXE
PID:4348

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
2⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
2⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:4720

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
2⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:2976

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
2⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
2⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:2640

C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe
"C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe"
2⤵
- Executes dropped EXE
PID:440

C:\Windows\system32\pcaui.exe
"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {d5ceeb93-9830-4406-a772-e167287b96c4} -a "CCleaner" -v "Piriform Ltd" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 2021048 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe"
3⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
2⤵
PID:4112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:3616

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
2⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:3568

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
2⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
2⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
2⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:2544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe"
1⤵
- Modifies registry class
PID:992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe"
1⤵
- Modifies registry class
PID:552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe"
1⤵
- Modifies registry class
PID:1428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe"
1⤵
- Modifies registry class
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CCleaner.exe
Filesize
270KB

MD5
16e11c0d0af86560a376b1b3ef69afe2

SHA1
567d4be42eb29b28b62e8cf6255c3459d25f2e3c

SHA256
3ff60728b28ee54d13a91e52d71c73211e3e67800635e4dd21196f60fab78cf3

SHA512
7b4b396d5fdc4bc2d632bfb56587736ee0e0782f20a0be588fd1a680a87e4cd28c65f92b54040e574799973756a96937d37b5ce39a36ef7a7b0588990bc7a335

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe
Filesize
896KB

MD5
093cd228254c2cc27217f54a1a99dfb0

SHA1
b67e0dfa21dffd0a3a4e9315cc90e3d6dc514bf1

SHA256
07d276ff5867a749e4bf3252d4f56cc8c6ea2671382e4f3c54b0a83d67f2a6b7

SHA512
2eb54dec84881714635be8809ac72249d95703d88c243d36e01f9ba5a406fc46c61eabb13d3efc86d4d06527a3cba9fe92dd31155dbe912e1fdf9df31e33e0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe
Filesize
3.3MB

MD5
832fdaa7e21a755ad2016493fe2b1ae0

SHA1
6dd7b298899d1d40d9d5f0e89c40a40f69ac90c9

SHA256
8ceafddab004733568fff7cf34572d41a866421fe3e6f8f7864fe0270cc115ad

SHA512
bfc1867fa2a4bb2800f0bd461666335a290c6780205eb6d1d6f721f6ca1045e3e826a84f3814f0a580a90ca063787b3dad0f19ea893d3ea41c71d61f66a4f1b5

Download Submit
C:\Windows\cmsetac.dll
Filesize
33KB

MD5
192c8da340572eae08f8510d90c822ed

SHA1
c621836688d9a6f7fe7837f6ccac3d06fd77da8a

SHA256
ea1f8f26287ae62e732b2bd2d591e0779dbac144a2096ce159402dc6b8f088d0

SHA512
66f942b601dd4fe8a6a80a161e4b6927145a06eba4b3edb37ef541ee19d3a076bb19870ff5f74d2727d054d97fed4773bfb85951d7d69fecba5f64d34afa2fd2

Download Submit
C:\Windows\ntdtcstp.dll
Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/1416-81-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1416-90-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1416-105-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1416-102-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1416-99-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1416-96-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1416-93-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1416-42-0x00000000030E0000-0x00000000030EE000-memory.dmp

Filesize
56KB

Download
memory/1416-87-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1416-66-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1416-68-0x00000000030E0000-0x00000000030EE000-memory.dmp

Filesize
56KB

Download
memory/1416-67-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/1416-69-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1416-72-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1416-75-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1416-78-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1416-84-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1668-0-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1668-2-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/1668-61-0x0000000004920000-0x000000000492E000-memory.dmp

Filesize
56KB

Download
memory/1668-63-0x0000000004920000-0x000000000492E000-memory.dmp

Filesize
56KB

Download
memory/1668-64-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1668-65-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2532-28-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4348-46-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download