modiloader | ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e

General

Target

ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Size

521KB
MD5

d9ab08dfe2176e7fb3f04b597314859f
SHA1

90e818eda58840c5d811dd9729ea8aca20654d3e
SHA256

ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e
SHA512

b44dfe1fbd3595143cdf2b50ffed64feab8c4975436d55fbd1db001101d7554d8fb6747ad59c99d9bcbb7486be0b02c1bad9a9686099888984bad6bd99772ad9
SSDEEP

12288:evoLy6NugQ5yRRc/Xu5uy5n3MESioMsis/tKw4cNL4qXh:cYHNEgRa/Xu/3PzoMwKw4c2qXh

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\System32\\userinit.exe,\"C:\\Users\\Public\\Videos\\netservice.exe\"un userinit.exe"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4892-135-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2
behavioral2/memory/4892-141-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4892-137-0x0000000010410000-0x0000000010494000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 30 IoCs

Processes:

ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F649938B-07E1-4F49-12A8-7BC1EB7229A8}\InprocServer32\ = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\adoberfp.dll"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\3.0\0\win32	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\3.0\FLAGS\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\3.0\FLAGS\ = "0"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\3.0\HELPDIR\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F649938B-07E1-4F49-12A8-7BC1EB7229A8}\VersionIndependentProgID	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F649938B-07E1-4F49-12A8-7BC1EB7229A8}\VersionIndependentProgID\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F649938B-07E1-4F49-12A8-7BC1EB7229A8}\ProgID	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\3.0	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\3.0\0	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F649938B-07E1-4F49-12A8-7BC1EB7229A8}\TypeLib	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F649938B-07E1-4F49-12A8-7BC1EB7229A8}\TypeLib\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F649938B-07E1-4F49-12A8-7BC1EB7229A8}	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\3.0\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\3.0\HELPDIR\ = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F649938B-07E1-4F49-12A8-7BC1EB7229A8}\TypeLib\ = "{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F649938B-07E1-4F49-12A8-7BC1EB7229A8}\VersionIndependentProgID\ = "Adobe.Reader.BitmapFactory"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F649938B-07E1-4F49-12A8-7BC1EB7229A8}\ProgID\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\3.0\0\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\3.0\0\win32\ = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\Accessibility.api"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\3.0\FLAGS	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\3.0\HELPDIR	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F649938B-07E1-4F49-12A8-7BC1EB7229A8}\ = "Afiboqa Pakew"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F649938B-07E1-4F49-12A8-7BC1EB7229A8}\InprocServer32	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F649938B-07E1-4F49-12A8-7BC1EB7229A8}\InprocServer32\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F649938B-07E1-4F49-12A8-7BC1EB7229A8}\ProgID\ = "Adobe.Reader.BitmapFactory.1"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\3.0\ = "Acrobat Access 3.0 Type Library"	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0FE3A70-231F-176B-7ECF-6E35DDC6A38A}\3.0\0\win32\	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

description pid process

Token: SeDebugPrivilege 4892 ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

description	pid	process
Token: SeDebugPrivilege	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

description	pid	process	target process
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe
PID 4892 wrote to memory of 2620	4892	ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
"C:\Users\Admin\AppData\Local\Temp\ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" about:blank
2⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe"
2⤵
PID:3152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3152-140-0x0000000000000000-mapping.dmp

Download
memory/4892-132-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4892-133-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/4892-134-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/4892-135-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4892-137-0x0000000010410000-0x0000000010494000-memory.dmp

Filesize
528KB

Download
memory/4892-141-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4892-142-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads