modiloader | 38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b

General

Target

38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe
Size

1.8MB
MD5

9e2d1b4046564b749f7f2fd6d0fdd495
SHA1

62ba2d1184d701f04bc34c5de5064e422a9f17ef
SHA256

38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b
SHA512

e209d3a6db83f766b240da2a91b8faf6d19023918b45b98ad87226522ecb6441bce6d3ed78dba7d214e061fe6ed49ce28524a7a1acc262f378fc253a9e9aece9

Score

10^/10

modiloader evasion suricata themida trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

5Rf7Oza5Y.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5Rf7Oza5Y.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5Rf7Oza5Y.exe

ModiLoader Second Stage 22 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4436-179-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-180-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-182-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-183-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-181-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-184-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-185-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-186-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-187-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-188-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-189-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-190-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-191-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-192-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-193-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-194-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-195-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-196-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-198-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-197-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-199-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-200-0x0000000004A50000-0x0000000004AA9000-memory.dmp	modiloader_stage2

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

Processes:

38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp5Rf7Oza5Y.exe5Rf7Oza5Y.exe

pid	process
4116	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp
1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp
4436	5Rf7Oza5Y.exe
948	5Rf7Oza5Y.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5Rf7Oza5Y.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5Rf7Oza5Y.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5Rf7Oza5Y.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp

Loads dropped DLL 2 IoCs

Processes:

38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp

pid	process
4116	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp
1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5Rf7Oza5Y.exe	themida
C:\Users\Admin\AppData\Local\Temp\5Rf7Oza5Y.exe	themida
behavioral2/memory/4436-155-0x0000000000A80000-0x0000000000FF0000-memory.dmp	themida
behavioral2/memory/4436-157-0x0000000000A80000-0x0000000000FF0000-memory.dmp	themida
behavioral2/memory/4436-161-0x0000000000A80000-0x0000000000FF0000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\5Rf7Oza5Y.exe	themida

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 130.61.117.123
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

5Rf7Oza5Y.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5Rf7Oza5Y.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5Rf7Oza5Y.exe

pid process

4436 5Rf7Oza5Y.exe

description	ioc
Destination IP	130.61.117.123

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5Rf7Oza5Y.exe

pid	process
4436	5Rf7Oza5Y.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp

description	pid	process	target process
PID 1668 set thread context of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

explorer.exe5Rf7Oza5Y.exe

pid process

2412 explorer.exe
2412 explorer.exe
2412 explorer.exe
2412 explorer.exe
4436 5Rf7Oza5Y.exe
4436 5Rf7Oza5Y.exe

pid	process
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
4436	5Rf7Oza5Y.exe
4436	5Rf7Oza5Y.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp

description	pid	process	target process
PID 2408 wrote to memory of 4116	2408	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp
PID 2408 wrote to memory of 4116	2408	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp
PID 2408 wrote to memory of 4116	2408	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp
PID 4116 wrote to memory of 900	4116	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe
PID 4116 wrote to memory of 900	4116	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe
PID 4116 wrote to memory of 900	4116	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe
PID 900 wrote to memory of 1668	900	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp
PID 900 wrote to memory of 1668	900	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp
PID 900 wrote to memory of 1668	900	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe
PID 1668 wrote to memory of 2412	1668	38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp	explorer.exe

C:\Users\Admin\AppData\Local\Temp\38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe
"C:\Users\Admin\AppData\Local\Temp\38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\is-GT7L3.tmp\38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GT7L3.tmp\38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp" /SL5="$50062,1099673,832512,C:\Users\Admin\AppData\Local\Temp\38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Local\Temp\38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe
"C:\Users\Admin\AppData\Local\Temp\38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe" /VERYSILENT
3⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\is-R718N.tmp\38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R718N.tmp\38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp" /SL5="$60062,1099673,832512,C:\Users\Admin\AppData\Local\Temp\38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\explorer.exe
explorer.exe 99
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Users\Admin\AppData\Local\Temp\5Rf7Oza5Y.exe
"C:\Users\Admin\AppData\Local\Temp\5Rf7Oza5Y.exe"
6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4436

C:\Users\Admin\AppData\Local\Temp\5Rf7Oza5Y.exe
C:\Users\Admin\AppData\Local\Temp\5Rf7Oza5Y.exe
7⤵
- Executes dropped EXE
PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5Rf7Oza5Y.exe
Filesize
2.7MB

MD5
4ef0e0f4e7cba6910d01694f46c235de

SHA1
1c6da8b2978ac67a6a0c609817c844c700aecfad

SHA256
03845e172782047a4f75406e4c923d37148cd8094688c2b73ecf19ab34d2096a

SHA512
5c8eb44380ee191b38b2db9a98f0d80e4e5b56a5933c590aeed9d9c5e1866cdd5c96e70408bcfc164a939150a510bfe6709b43fae52f4398741cb8f29694ecaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Rf7Oza5Y.exe
Filesize
2.7MB

MD5
4ef0e0f4e7cba6910d01694f46c235de

SHA1
1c6da8b2978ac67a6a0c609817c844c700aecfad

SHA256
03845e172782047a4f75406e4c923d37148cd8094688c2b73ecf19ab34d2096a

SHA512
5c8eb44380ee191b38b2db9a98f0d80e4e5b56a5933c590aeed9d9c5e1866cdd5c96e70408bcfc164a939150a510bfe6709b43fae52f4398741cb8f29694ecaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Rf7Oza5Y.exe
Filesize
500KB

MD5
70d5adb904d3a750f7de9cc64388a2f6

SHA1
186eb34a33220184f4797702d57fd5760433c5f1

SHA256
926caa44e49108eb3827d3b3a1e1d09bca406eaffecf134ae8fdb530b1449df5

SHA512
e0fa524b1010bad55b92ff261a400436ff15fb13f4651074e84e63d55d048dd6f743708c825106c83f9646554d5fcaa82ac656ef40b7ca3ba3539eb97ed6b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EA5L7.tmp\service.dll
Filesize
394KB

MD5
1a638910ac31c09d83a05c3a7251e28e

SHA1
106cf58c61b2587ffc9a22334bf74c9a1a965a8a

SHA256
3ec70ebee7444f6a3af88b584363f8b8bf03aba6980d24cbea982ceb69984c24

SHA512
8d3d5ddac7ae5909475ad38224eb4d5d7a6f620b7003d7fa39682a87f0f3ad10fe2e421bcc6697e24e21d1b1d70fcc18a083ffc14ca7df3239021a2fcc3a12e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GT7L3.tmp\38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp
Filesize
3.0MB

MD5
e5d01e2422644dc30c6775f92f2027c1

SHA1
01483327465651be3680aefecc7b0e95fd74e249

SHA256
d66eb8ea5f5e0ac804c38af95713b0d24bcc68030cebaf472b1d35a22604ae04

SHA512
5cfe37aad410cbb6ae128ec7e02c08ce24143a5fb0451e1813e4734944f9c5be46634ee48cf1022302a61ef85c3e4426de5eafe1523715b277bdd569781df208

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LQLC1.tmp\service.dll
Filesize
394KB

MD5
1a638910ac31c09d83a05c3a7251e28e

SHA1
106cf58c61b2587ffc9a22334bf74c9a1a965a8a

SHA256
3ec70ebee7444f6a3af88b584363f8b8bf03aba6980d24cbea982ceb69984c24

SHA512
8d3d5ddac7ae5909475ad38224eb4d5d7a6f620b7003d7fa39682a87f0f3ad10fe2e421bcc6697e24e21d1b1d70fcc18a083ffc14ca7df3239021a2fcc3a12e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R718N.tmp\38bd4c2d12d2223f6eb3039808ae53490dfb07aef2826e535ae3f38617afd02b.tmp
Filesize
3.0MB

MD5
e5d01e2422644dc30c6775f92f2027c1

SHA1
01483327465651be3680aefecc7b0e95fd74e249

SHA256
d66eb8ea5f5e0ac804c38af95713b0d24bcc68030cebaf472b1d35a22604ae04

SHA512
5cfe37aad410cbb6ae128ec7e02c08ce24143a5fb0451e1813e4734944f9c5be46634ee48cf1022302a61ef85c3e4426de5eafe1523715b277bdd569781df208

Download Submit
memory/900-140-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/900-137-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/900-136-0x0000000000000000-mapping.dmp

Download
memory/900-148-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/948-202-0x0000000000000000-mapping.dmp

Download
memory/1668-141-0x0000000000000000-mapping.dmp

Download
memory/1668-144-0x0000000003480000-0x00000000034BB000-memory.dmp

Filesize
236KB

Download
memory/2408-130-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2408-134-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2408-139-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2412-145-0x0000000000000000-mapping.dmp

Download
memory/2412-150-0x00000000009F0000-0x0000000000A30000-memory.dmp

Filesize
256KB

Download
memory/2412-149-0x00000000009F0000-0x0000000000A30000-memory.dmp

Filesize
256KB

Download
memory/2412-147-0x00000000009F0000-0x0000000000A30000-memory.dmp

Filesize
256KB

Download
memory/2412-154-0x00000000009F0000-0x0000000000A30000-memory.dmp

Filesize
256KB

Download
memory/2412-146-0x00000000009F0000-0x0000000000A30000-memory.dmp

Filesize
256KB

Download
memory/2412-156-0x00000000009F0000-0x0000000000A30000-memory.dmp

Filesize
256KB

Download
memory/4116-132-0x0000000000000000-mapping.dmp

Download
memory/4436-159-0x0000000076FA0000-0x0000000077143000-memory.dmp

Filesize
1.6MB

Download
memory/4436-188-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-161-0x0000000000A80000-0x0000000000FF0000-memory.dmp

Filesize
5.4MB

Download
memory/4436-162-0x0000000076FA0000-0x0000000077143000-memory.dmp

Filesize
1.6MB

Download
memory/4436-179-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-180-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-182-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-183-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-181-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-184-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-185-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-186-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-187-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-157-0x0000000000A80000-0x0000000000FF0000-memory.dmp

Filesize
5.4MB

Download
memory/4436-189-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-190-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-191-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-192-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-193-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-194-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-195-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-196-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-198-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-197-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-199-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-200-0x0000000004A50000-0x0000000004AA9000-memory.dmp

Filesize
356KB

Download
memory/4436-155-0x0000000000A80000-0x0000000000FF0000-memory.dmp

Filesize
5.4MB

Download
memory/4436-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads