modiloader | ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e

General

Target

ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Size

521KB
MD5

d9ab08dfe2176e7fb3f04b597314859f
SHA1

90e818eda58840c5d811dd9729ea8aca20654d3e
SHA256

ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e
SHA512

b44dfe1fbd3595143cdf2b50ffed64feab8c4975436d55fbd1db001101d7554d8fb6747ad59c99d9bcbb7486be0b02c1bad9a9686099888984bad6bd99772ad9
SSDEEP

12288:evoLy6NugQ5yRRc/Xu5uy5n3MESioMsis/tKw4cNL4qXh:cYHNEgRa/Xu/3PzoMwKw4c2qXh

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\System32\\userinit.exe,\"C:\\Users\\Public\\Videos\\netservice.exe\"un userinit.exe"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1324-57-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2
behavioral1/memory/1324-63-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1324-59-0x0000000010410000-0x0000000010494000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1748 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1748	cmd.exe

Modifies registry class 45 IoCs

Processes:

ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\Elevation	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\3.0	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\3.0\0	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\3.0\0\win32\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\6.0\0	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\Version	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\VersionIndependentProgID\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\Elevation\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\ProgID\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\3.0\ = "Microsoft XML, v3.0"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\3.0\0\win32\ = "%SystemRoot%\\SysWow64\\msxml3.dll"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\TypeLib	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\Version\ = "1.0"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\InprocServer32\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\3.0\0\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\3.0\0\win32	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\VersionIndependentProgID\ = "WlanAdhoc.WlanAdhocLUA"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\6.0\0\win32\ = "%SystemRoot%\\SysWow64\\msxml6.dll"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\Version\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\Programmable\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\6.0\ = "Microsoft XML, v6.0"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\6.0\0\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\TypeLib\ = "{94EB1F5F-C027-3B44-A337-45882E06AFA5}"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\InprocServer32	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\ProgID\ = "WlanAdhoc.WlanAdhocLUA.1"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\3.0\FLAGS\ = "0"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\6.0	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\ = "Remid Class"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\InprocServer32\ = "%SystemRoot%\\SysWow64\\wlanpref.dll"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\ProgID	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\3.0\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\3.0\FLAGS\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\6.0\0\win32	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\6.0\FLAGS	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\6.0\FLAGS\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\VersionIndependentProgID	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\Programmable	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\3.0\FLAGS	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\6.0\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\6.0\0\win32\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94EB1F5F-C027-3B44-A337-45882E06AFA5}\6.0\FLAGS\ = "0"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{875F8FE9-CEE8-4934-4AA1-6A07107C775A}\TypeLib\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

description pid process

Token: SeDebugPrivilege 1324 ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

description	pid	process
Token: SeDebugPrivilege	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

description	pid	process	target process
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 1324 wrote to memory of 1260	1324	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
"C:\Users\Admin\AppData\Local\Temp\ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" about:blank
2⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe"
2⤵
- Deletes itself
PID:1748

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1324-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1324-55-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1324-56-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1324-57-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1324-59-0x0000000010410000-0x0000000010494000-memory.dmp

Filesize
528KB

Download
memory/1324-64-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1324-63-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1748-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads