Behavioral Report

max time kernel151s
max time network155s
platformwindows7_x64
resourcewin7-20220414-en
submitted21-05-2022 12:30

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

dfc36d52a5d7bd9edfa69f71a68d82c88cb5807a921c0f3728f76b31ed404e45.exe

Filesize

352KB

Completed

21-05-2022 13:12

Task

behavioral1

Score

10^/10

MD5

5838fdd9a6d593e38d858fb0b4dc198b

SHA1

214ffb0080ff13a439d7a73ca1944677159cdf11

SHA256

dfc36d52a5d7bd9edfa69f71a68d82c88cb5807a921c0f3728f76b31ed404e45

SHA256

079d141b63e2d793bc052c600e6b9626a1bf0f2c28b384abf30ea327d01680144246522fe9cf03057f6662ed87ce38f814d872acda65d8b3b769d7204355d6fb

modiloader evasion persistence trojan

Defense Evasion

Discovery

Persistence

ModiLoader, DBatLoader

Description

ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Tags

trojan modiloader

Process spawned unexpected child process

mshta.exe

Description

This typically indicates the parent process was compromised via an exploit or macro.

Reported IOCs

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	984	mshta.exe

Checks for common network interception software

Description

Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Tags

evasion

TTPs
Looks for VirtualBox Guest Additions in registry

Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Looks for VirtualBox drivers on disk

Tags

evasion

TTPs

File and Directory DiscoveryVirtualization/Sandbox Evasion

ModiLoader Second Stage

Reported IOCs

resource	yara_rule
behavioral1/memory/1424-55-0x0000000000400000-0x000000000045EAB0-memory.dmp	modiloader_stage2
behavioral1/memory/1424-54-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/1424-59-0x0000000000400000-0x000000000045EAB0-memory.dmp	modiloader_stage2
behavioral1/memory/1424-60-0x0000000001CA0000-0x0000000001D7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1692-62-0x0000000005CB0000-0x0000000005D8C000-memory.dmp	modiloader_stage2
behavioral1/memory/1052-65-0x00000000001F0000-0x000000000033A000-memory.dmp	modiloader_stage2
behavioral1/memory/1340-68-0x0000000000240000-0x000000000038A000-memory.dmp	modiloader_stage2

Looks for VMWare Tools registry key

Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion

Checks BIOS information in registry

regsvr32.exe

Description

BIOS information is often read in order to detect sandboxing environments.

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Deletes itself
regsvr32.exe

Reported IOCs

pid process

1052 regsvr32.exe

pid	process
1052	regsvr32.exe

Adds Run key to start application

regsvr32.exe

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\5c3ac\\4feeb.bat\""	regsvr32.exe

Maps connected drives based on registry

regsvr32.exe

Description

Disk information is often read in order to detect sandboxing environments.

TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsvr32.exe

Drops file in System32 directory

powershell.exe

Reported IOCs

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext

powershell.exeregsvr32.exe

Reported IOCs

description	pid	process	target process
PID 1692 set thread context of 1052	1692	powershell.exe	regsvr32.exe
PID 1052 set thread context of 1340	1052	regsvr32.exe	regsvr32.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Modifies Internet Explorer settings

mshta.exeregsvr32.exe

TTPs

Modify Registry

Reported IOCs

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\International	regsvr32.exe

Modifies registry class

regsvr32.exe

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\.4329b5\ = "d22b9"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\d22b9	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\d22b9\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\d22b9\shell\open	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\d22b9\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\d22b9\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:x7XnjAWi6=\"dNgO\";n5O8=new ActiveXObject(\"WScript.Shell\");voCh6=\"K\";GuH7P=n5O8.RegRead(\"HKCU\\\\software\\\\uwswoavg\\\\nggk\");U8kvCPnJ=\"ffXJDD\";eval(GuH7P);Mr4BL=\"tjANr\";\""	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\.4329b5	regsvr32.exe

Suspicious behavior: EnumeratesProcesses

powershell.exeregsvr32.exe

Reported IOCs

pid	process
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe
1052	regsvr32.exe

Suspicious behavior: MapViewOfSection
powershell.exeregsvr32.exe

Reported IOCs

pid process

1692 powershell.exe
1052 regsvr32.exe
Suspicious use of AdjustPrivilegeToken
powershell.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 1692 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1692	powershell.exe

Suspicious use of WriteProcessMemory

mshta.exepowershell.exeregsvr32.exe

Reported IOCs

description	pid	process	target process
PID 1716 wrote to memory of 1692	1716	mshta.exe	powershell.exe
PID 1716 wrote to memory of 1692	1716	mshta.exe	powershell.exe
PID 1716 wrote to memory of 1692	1716	mshta.exe	powershell.exe
PID 1716 wrote to memory of 1692	1716	mshta.exe	powershell.exe
PID 1692 wrote to memory of 1052	1692	powershell.exe	regsvr32.exe
PID 1692 wrote to memory of 1052	1692	powershell.exe	regsvr32.exe
PID 1692 wrote to memory of 1052	1692	powershell.exe	regsvr32.exe
PID 1692 wrote to memory of 1052	1692	powershell.exe	regsvr32.exe
PID 1692 wrote to memory of 1052	1692	powershell.exe	regsvr32.exe
PID 1692 wrote to memory of 1052	1692	powershell.exe	regsvr32.exe
PID 1692 wrote to memory of 1052	1692	powershell.exe	regsvr32.exe
PID 1692 wrote to memory of 1052	1692	powershell.exe	regsvr32.exe
PID 1052 wrote to memory of 1340	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 1340	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 1340	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 1340	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 1340	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 1340	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 1340	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 1340	1052	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\dfc36d52a5d7bd9edfa69f71a68d82c88cb5807a921c0f3728f76b31ed404e45.exe

"C:\Users\Admin\AppData\Local\Temp\dfc36d52a5d7bd9edfa69f71a68d82c88cb5807a921c0f3728f76b31ed404e45.exe"

PID:1424

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:I9sHmE="xd9lCT";vl0=new%20ActiveXObject("WScript.Shell");a5fNj="hWyg7";n4MSy=vl0.RegRead("HKCU\\software\\infIZ9\\qvdmtOa5t");WY3nWeBE="IgYlqq";eval(n4MSy);quS8CS="lFy";

Process spawned unexpected child process
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory

PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:hjefbhnl

Drops file in System32 directory
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1692

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

Checks BIOS information in registry
Deletes itself
Adds Run key to start application
Maps connected drives based on registry
Suspicious use of SetThreadContext
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory

PID:1052

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

PID:1340

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

memory/1052-63-0x000000000024C6D0-mapping.dmp

Download
memory/1052-65-0x00000000001F0000-0x000000000033A000-memory.dmp

Download
memory/1340-66-0x000000000029C6D0-mapping.dmp

Download
memory/1340-68-0x0000000000240000-0x000000000038A000-memory.dmp

Download
memory/1424-55-0x0000000000400000-0x000000000045EAB0-memory.dmp

Download
memory/1424-54-0x0000000000400000-0x000000000043C000-memory.dmp

Download
memory/1424-56-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Download
memory/1424-59-0x0000000000400000-0x000000000045EAB0-memory.dmp

Download
memory/1424-60-0x0000000001CA0000-0x0000000001D7C000-memory.dmp

Download
memory/1692-61-0x00000000737E0000-0x0000000073D8B000-memory.dmp

Download
memory/1692-62-0x0000000005CB0000-0x0000000005D8C000-memory.dmp

Download
memory/1692-57-0x0000000000000000-mapping.dmp

Download

Filter: none

Description

Tags

Description

Reported IOCs

Description

Tags

TTPs

Tags

TTPs

Tags

TTPs

Reported IOCs

Tags

TTPs

Description

TTPs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Description

TTPs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title