modiloader | 1a7850cb9fd09e203b213de0cf4a44653c9cb30f441d058e7ed098c7b9d932b3

General

Target

690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
Size

268KB
MD5

690a11b0992482f1c5a65be3f37d15d4
SHA1

ff2f9a02f0a1f3457630ec3c10e6792633a7524e
SHA256

1a7850cb9fd09e203b213de0cf4a44653c9cb30f441d058e7ed098c7b9d932b3
SHA512

db2ec447f7384d21ff89fa788253ba0931b9606ff2b27b50f393c9180c6c07c34dfcc72307bcb0b107963b4227d14bc98a6c340f78b0023166ee51d91f4e7ab4
SSDEEP

6144:2qe5FM4ZugPFPUXaHasWJH5GL9CF1mQJkBw4Ku21Kr:2qQM4ZuIFcXaHahH5EgYbVKD1C

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2884 2700 mshta.exe
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions regsvr32.exe
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
evasion

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

File opened (read-only) C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2700	mshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	regsvr32.exe

description	ioc	process
File opened (read-only)	C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys	regsvr32.exe

ModiLoader Second Stage 60 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2332-2-0x0000000000400000-0x000000000043A000-memory.dmp	modiloader_stage2
behavioral1/memory/2332-5-0x0000000000400000-0x000000000043A000-memory.dmp	modiloader_stage2
behavioral1/memory/2332-4-0x0000000000400000-0x000000000043A000-memory.dmp	modiloader_stage2
behavioral1/memory/2332-10-0x0000000001D80000-0x0000000001E56000-memory.dmp	modiloader_stage2
behavioral1/memory/2332-9-0x0000000001D80000-0x0000000001E56000-memory.dmp	modiloader_stage2
behavioral1/memory/2332-8-0x0000000001D80000-0x0000000001E56000-memory.dmp	modiloader_stage2
behavioral1/memory/2332-7-0x0000000001D80000-0x0000000001E56000-memory.dmp	modiloader_stage2
behavioral1/memory/2332-6-0x0000000001D80000-0x0000000001E56000-memory.dmp	modiloader_stage2
behavioral1/memory/2332-11-0x0000000001D80000-0x0000000001E56000-memory.dmp	modiloader_stage2
behavioral1/memory/2332-12-0x0000000001D80000-0x0000000001E56000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-21-0x00000000061D0000-0x00000000062A6000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-23-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-25-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-26-0x00000000061D0000-0x00000000062A6000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-30-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-32-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-34-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-27-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-29-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-28-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-43-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-31-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-49-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-47-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-61-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-48-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-58-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-57-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-56-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-55-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-54-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-46-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-45-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-44-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-42-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-41-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-40-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-39-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-38-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-37-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-36-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-35-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-33-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/2132-66-0x0000000000170000-0x00000000002B1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-68-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-67-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-81-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-80-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-79-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-78-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-77-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-76-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-74-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-73-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-72-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-71-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-70-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-69-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-82-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-75-0x0000000000090000-0x00000000001D1000-memory.dmp	modiloader_stage2

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	regsvr32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

2132 regsvr32.exe
Drops startup file 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e795bdc5.lnk regsvr32.exe

pid	process
2132	regsvr32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e795bdc5.lnk	regsvr32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:g2A8seJw=\"waBZ5TZ\";z99m=new%20ActiveXObject(\"WScript.Shell\");vruE0A5=\"uQr1NHM\";rcvh47=z99m.RegRead(\"HKCU\\\\software\\\\pzadcohmp\\\\jhpvhyp\");DzKpl4fC=\"7TbkBe6c\";eval(rcvh47);qBz1kE=\"cwBiEG\";"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\d3afae00\\9a86c6c3.lnk\""	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:VCReAR6=\"BgKLGg\";yN1=new%20ActiveXObject(\"WScript.Shell\");bxa1z3=\"VXI\";fPx2j=yN1.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\pzadcohmp\\\\jhpvhyp\");H9d7cp=\"Af2C7Z\";eval(fPx2j);vruN51=\"1w\";"	regsvr32.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsvr32.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 2220 set thread context of 2332	2220	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
PID 1764 set thread context of 2132	1764	powershell.exe	regsvr32.exe
PID 2132 set thread context of 1720	2132	regsvr32.exe	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\International	regsvr32.exe

Modifies registry class 7 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.73caeeca8	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.73caeeca8\ = "379d11eb"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb\shell\open	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:BHYy2HsV=\"cqW\";hs5=new ActiveXObject(\"WScript.Shell\");mAt6V=\"1EF70K\";d98rJk=hs5.RegRead(\"HKCU\\\\software\\\\pzadcohmp\\\\jhpvhyp\");XRkgk0K=\"qaD\";eval(d98rJk);N2exPB8Gb=\"7lHN\";\""	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeregsvr32.exe

pid	process
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

powershell.exeregsvr32.exe

pid process

1764 powershell.exe
2132 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1764 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe

pid process

2220 690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1764	powershell.exe

pid	process
2220	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exemshta.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 2220 wrote to memory of 2332	2220	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
PID 2220 wrote to memory of 2332	2220	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
PID 2220 wrote to memory of 2332	2220	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
PID 2220 wrote to memory of 2332	2220	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
PID 2220 wrote to memory of 2332	2220	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
PID 2220 wrote to memory of 2332	2220	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
PID 2220 wrote to memory of 2332	2220	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
PID 2220 wrote to memory of 2332	2220	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
PID 2220 wrote to memory of 2332	2220	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
PID 2220 wrote to memory of 2332	2220	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
PID 2220 wrote to memory of 2332	2220	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe	690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
PID 2884 wrote to memory of 1764	2884	mshta.exe	powershell.exe
PID 2884 wrote to memory of 1764	2884	mshta.exe	powershell.exe
PID 2884 wrote to memory of 1764	2884	mshta.exe	powershell.exe
PID 2884 wrote to memory of 1764	2884	mshta.exe	powershell.exe
PID 1764 wrote to memory of 2132	1764	powershell.exe	regsvr32.exe
PID 1764 wrote to memory of 2132	1764	powershell.exe	regsvr32.exe
PID 1764 wrote to memory of 2132	1764	powershell.exe	regsvr32.exe
PID 1764 wrote to memory of 2132	1764	powershell.exe	regsvr32.exe
PID 1764 wrote to memory of 2132	1764	powershell.exe	regsvr32.exe
PID 1764 wrote to memory of 2132	1764	powershell.exe	regsvr32.exe
PID 1764 wrote to memory of 2132	1764	powershell.exe	regsvr32.exe
PID 1764 wrote to memory of 2132	1764	powershell.exe	regsvr32.exe
PID 2132 wrote to memory of 1720	2132	regsvr32.exe	regsvr32.exe
PID 2132 wrote to memory of 1720	2132	regsvr32.exe	regsvr32.exe
PID 2132 wrote to memory of 1720	2132	regsvr32.exe	regsvr32.exe
PID 2132 wrote to memory of 1720	2132	regsvr32.exe	regsvr32.exe
PID 2132 wrote to memory of 1720	2132	regsvr32.exe	regsvr32.exe
PID 2132 wrote to memory of 1720	2132	regsvr32.exe	regsvr32.exe
PID 2132 wrote to memory of 1720	2132	regsvr32.exe	regsvr32.exe
PID 2132 wrote to memory of 1720	2132	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\690a11b0992482f1c5a65be3f37d15d4_JaffaCakes118.exe"
2⤵
PID:2332

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:ibDv7z2="cNpPdg";G7R=new%20ActiveXObject("WScript.Shell");IuB9ZW5="yd8xZSb";Kak1h=G7R.RegRead("HKLM\\software\\Wow6432Node\\bCvsVpk\\ih0Ynr1DLV");nd1SqRgn="3dT";eval(Kak1h);Jko2El="f";
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:peepj
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe
3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe"
4⤵
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

3

T1497

Modify Registry

2

T1112

Credential Access

Discovery

Software Discovery

1

T1518

Query Registry

4

T1012

Virtualization/Sandbox Evasion

3

T1497

File and Directory Discovery

1

T1083

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
13e336a117fe4753e866a2f18f749497

SHA1
7950c73f02b649f205b87c46701dffe524b52d67

SHA256
06bef280ccafa4e9b71a15a5fc259bb542783891dc14873d238db51a83a8cde2

SHA512
970caec05a7e41904ddf7060907abaab53a0fea13052c00f36dd3cf81e9f0c410c8de255f74c029d448ac68963f8b47aa8c7e66e3c7641f44b437159d11d1784

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6B77.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\d3afae00\52d5d4d8.73caeeca8
Filesize
4KB

MD5
d24de2ff731484fcc229a761a5fb4b70

SHA1
c25b15fe2439335aa3baa69b5893376e6a1fb691

SHA256
275472beafe684843b88cc2cb351c0afc0ae7a04c64847d9491f6b5d8b9efe94

SHA512
14a7a3da810ff40d9e9922436b034310188d6a85e4452fb77aa8aba86f78ef071db2acabd9e92a9cee2f90f3d09be70b343eabbfdf4c30683a9b32309bdb15c4

Download Submit
C:\Users\Admin\AppData\Local\d3afae00\9a86c6c3.lnk
Filesize
897B

MD5
9be36745b428498d72c05ed897c08da0

SHA1
e7659827d1b27b19fdee4d3e9a8a4293c801aaf5

SHA256
02516a051e824a721ebb2303cf02564ecef6fbd26dd762998c2e628e98137ed3

SHA512
923dc3860ca5156ccd4c94f35c926ce81bc6af84ccba3d03d2f66aea1bf08742bba0cdae547c28c439015d8e94798c6da0a27c7268e1e343faa1b2f0387e4c4e

Download Submit
C:\Users\Admin\AppData\Local\d3afae00\d2239679.bat
Filesize
67B

MD5
f2ae417dcfcbe11a00d1102e6b587247

SHA1
0078bd4798af0b8a717425f1a85a1ff2a70c4c37

SHA256
0dc66bcd192c0da909958e43407fb9c4eb212c0471e715e32555f9399549255b

SHA512
8fd8d7af58ce744f505ec537830104bab71f86e87f7184bb6f0b699c8eed5f68ffd97211c435771b76aae94c8a74f782b656923c0f61f7189349b744d76f7dea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e795bdc5.lnk
Filesize
999B

MD5
8b9eb07f7a6f1e9e7dadb5f9a6efdb62

SHA1
f569e9dacef088dd9bf13fc7bf87df5a329db24f

SHA256
ff566b2912d5cb91cf6776275f8f1cde0711e89f308d0ae1428de30380d93535

SHA512
646948890d5420d383c01f3adda7b5bed665d2af7f42726b4373717a0df7e431eeeff051df8b149b64f047c8e7d57e18cc49fe92f65a613ca9bd2d54fd9d4ac5

Download Submit
C:\Users\Admin\AppData\Roaming\e00a3efa\fe73a489.73caeeca8
Filesize
36KB

MD5
439b95e14ce359094802dac9301c7947

SHA1
10eb835108cdcd38a05403182e9170ff03860dcb

SHA256
352b376c17ee9eef3095a68327cf67a9ac1cafe5b60b9b5af8cf0338e9db5532

SHA512
a6b25732bed86a02cbd4142aea38bb55cc04899dab4e2b58eea8733d3d5ec1c1846b572fd2edb2ce70d86c8a7d4357c20272788f1c666baaa469525dbb02abd5

Download Submit
memory/1720-69-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-78-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-67-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-82-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-68-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-81-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-70-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-71-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-72-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-73-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-74-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-76-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-77-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-75-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-79-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1720-80-0x0000000000090000-0x00000000001D1000-memory.dmp

Filesize
1.3MB

Download
memory/1764-26-0x00000000061D0000-0x00000000062A6000-memory.dmp

Filesize
856KB

Download
memory/1764-21-0x00000000061D0000-0x00000000062A6000-memory.dmp

Filesize
856KB

Download
memory/2132-27-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-47-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-56-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-55-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-54-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-46-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-45-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-44-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-42-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-41-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-40-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-39-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-38-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-37-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-36-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-35-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-33-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-66-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-58-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-48-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-61-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-57-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-49-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-31-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-43-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-28-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-29-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-23-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-34-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-32-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-30-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-25-0x0000000000170000-0x00000000002B1000-memory.dmp

Filesize
1.3MB

Download
memory/2332-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2332-12-0x0000000001D80000-0x0000000001E56000-memory.dmp

Filesize
856KB

Download
memory/2332-11-0x0000000001D80000-0x0000000001E56000-memory.dmp

Filesize
856KB

Download
memory/2332-6-0x0000000001D80000-0x0000000001E56000-memory.dmp

Filesize
856KB

Download
memory/2332-7-0x0000000001D80000-0x0000000001E56000-memory.dmp

Filesize
856KB

Download
memory/2332-8-0x0000000001D80000-0x0000000001E56000-memory.dmp

Filesize
856KB

Download
memory/2332-9-0x0000000001D80000-0x0000000001E56000-memory.dmp

Filesize
856KB

Download
memory/2332-10-0x0000000001D80000-0x0000000001E56000-memory.dmp

Filesize
856KB

Download
memory/2332-4-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2332-5-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads