modiloader | 4fe2982a52d3d315432d45ac13c6e0025c8dd69ea10da7916ab141833c27417b

Analysis

max time kernel
169s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f14c963165d9a014e8403581ad8f503.exe
Size

812KB
MD5

1f14c963165d9a014e8403581ad8f503
SHA1

b86ba60b11919afbe5b7365d37ea6fc899972800
SHA256

4fe2982a52d3d315432d45ac13c6e0025c8dd69ea10da7916ab141833c27417b
SHA512

0c0bf955e34d7e1e317f7db4f67c38a9067299255b01613adda01a5e90e69b65f9eb61406955da2751f7c24e8312c14cb76fa4a5de93577ed2bb6431f4720530
SSDEEP

12288:4YknjLpcBNoLE126lU1tMGjYIFW4+zyZGumGgTtrDJrPsfL4oTO27uqULG1R:4Ykjlcr+8lUCpeZM3BDhPC5u/G

Score

10^/10

modiloader evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bxpTXK8W.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	deeaj.exe

ModiLoader Second Stage 9 IoCs

resource	yara_rule
behavioral2/memory/836-4-0x0000000000400000-0x0000000000417000-memory.dmp	modiloader_stage2
behavioral2/memory/3112-8-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/memory/3112-7-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/files/0x000600000002322e-22.dat	modiloader_stage2
behavioral2/memory/3008-49-0x0000000000400000-0x0000000000416000-memory.dmp	modiloader_stage2
behavioral2/files/0x0006000000023236-52.dat	modiloader_stage2
behavioral2/memory/3112-54-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/memory/1740-60-0x0000000000400000-0x0000000000417000-memory.dmp	modiloader_stage2
behavioral2/memory/3112-105-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	bxpTXK8W.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	1f14c963165d9a014e8403581ad8f503.exe

Executes dropped EXE 9 IoCs

pid	Process
3028	bxpTXK8W.exe
3008	akhost.exe
2944	deeaj.exe
1748	akhost.exe
1740	bkhost.exe
3788	bkhost.exe
4808	ckhost.exe
4680	dkhost.exe
3060	ekhost.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3112-0-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/3112-1-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/3112-5-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/3112-8-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/3112-7-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/3112-54-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/3788-55-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3788-56-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3788-61-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3788-64-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3788-63-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3788-65-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3112-105-0x0000000000400000-0x0000000000516000-memory.dmp	upx

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /J"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /g"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /w"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /x"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /P"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /X"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /q"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /j"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /z"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /a"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /o"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /H"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /v"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /L"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /Q"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /W"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /F"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /I"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /K"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /R"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /E"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /B"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /d"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /c"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /Y"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /h"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /e"	bxpTXK8W.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /u"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /e"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /y"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /N"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /S"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /O"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /n"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /p"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /l"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /A"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /T"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /b"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /Z"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /f"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /V"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /r"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /D"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /M"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /m"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /s"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /U"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /G"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /C"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /k"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /t"	deeaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeaj = "C:\\Users\\Admin\\deeaj.exe /i"	deeaj.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	akhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	akhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	bkhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	bkhost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 836 set thread context of 3112	836	1f14c963165d9a014e8403581ad8f503.exe	91
PID 3008 set thread context of 1748	3008	akhost.exe	104
PID 1740 set thread context of 3788	1740	bkhost.exe	108
PID 4680 set thread context of 3412	4680	dkhost.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1580	4808	WerFault.exe	109

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4844	tasklist.exe
3228	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	bxpTXK8W.exe
3028	bxpTXK8W.exe
3028	bxpTXK8W.exe
3028	bxpTXK8W.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
1748	akhost.exe
1748	akhost.exe
2944	deeaj.exe
2944	deeaj.exe
1748	akhost.exe
1748	akhost.exe
1748	akhost.exe
1748	akhost.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
1748	akhost.exe
1748	akhost.exe
1748	akhost.exe
1748	akhost.exe
3788	bkhost.exe
3788	bkhost.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
2944	deeaj.exe
1748	akhost.exe
1748	akhost.exe
1748	akhost.exe
1748	akhost.exe
2944	deeaj.exe
2944	deeaj.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4844	tasklist.exe
Token: SeDebugPrivilege	4680	dkhost.exe
Token: SeDebugPrivilege	3228	tasklist.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3112	1f14c963165d9a014e8403581ad8f503.exe
3028	bxpTXK8W.exe
2944	deeaj.exe
3060	ekhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 3112	836	1f14c963165d9a014e8403581ad8f503.exe	91
PID 836 wrote to memory of 3112	836	1f14c963165d9a014e8403581ad8f503.exe	91
PID 836 wrote to memory of 3112	836	1f14c963165d9a014e8403581ad8f503.exe	91
PID 836 wrote to memory of 3112	836	1f14c963165d9a014e8403581ad8f503.exe	91
PID 836 wrote to memory of 3112	836	1f14c963165d9a014e8403581ad8f503.exe	91
PID 836 wrote to memory of 3112	836	1f14c963165d9a014e8403581ad8f503.exe	91
PID 836 wrote to memory of 3112	836	1f14c963165d9a014e8403581ad8f503.exe	91
PID 836 wrote to memory of 3112	836	1f14c963165d9a014e8403581ad8f503.exe	91
PID 3112 wrote to memory of 3028	3112	1f14c963165d9a014e8403581ad8f503.exe	92
PID 3112 wrote to memory of 3028	3112	1f14c963165d9a014e8403581ad8f503.exe	92
PID 3112 wrote to memory of 3028	3112	1f14c963165d9a014e8403581ad8f503.exe	92
PID 3112 wrote to memory of 3008	3112	1f14c963165d9a014e8403581ad8f503.exe	95
PID 3112 wrote to memory of 3008	3112	1f14c963165d9a014e8403581ad8f503.exe	95
PID 3112 wrote to memory of 3008	3112	1f14c963165d9a014e8403581ad8f503.exe	95
PID 3028 wrote to memory of 2944	3028	bxpTXK8W.exe	97
PID 3028 wrote to memory of 2944	3028	bxpTXK8W.exe	97
PID 3028 wrote to memory of 2944	3028	bxpTXK8W.exe	97
PID 3028 wrote to memory of 1684	3028	bxpTXK8W.exe	98
PID 3028 wrote to memory of 1684	3028	bxpTXK8W.exe	98
PID 3028 wrote to memory of 1684	3028	bxpTXK8W.exe	98
PID 1684 wrote to memory of 4844	1684	cmd.exe	100
PID 1684 wrote to memory of 4844	1684	cmd.exe	100
PID 1684 wrote to memory of 4844	1684	cmd.exe	100
PID 3008 wrote to memory of 1748	3008	akhost.exe	104
PID 3008 wrote to memory of 1748	3008	akhost.exe	104
PID 3008 wrote to memory of 1748	3008	akhost.exe	104
PID 3008 wrote to memory of 1748	3008	akhost.exe	104
PID 3008 wrote to memory of 1748	3008	akhost.exe	104
PID 3008 wrote to memory of 1748	3008	akhost.exe	104
PID 3008 wrote to memory of 1748	3008	akhost.exe	104
PID 3008 wrote to memory of 1748	3008	akhost.exe	104
PID 3008 wrote to memory of 1748	3008	akhost.exe	104
PID 3112 wrote to memory of 1740	3112	1f14c963165d9a014e8403581ad8f503.exe	105
PID 3112 wrote to memory of 1740	3112	1f14c963165d9a014e8403581ad8f503.exe	105
PID 3112 wrote to memory of 1740	3112	1f14c963165d9a014e8403581ad8f503.exe	105
PID 1740 wrote to memory of 3788	1740	bkhost.exe	108
PID 1740 wrote to memory of 3788	1740	bkhost.exe	108
PID 1740 wrote to memory of 3788	1740	bkhost.exe	108
PID 1740 wrote to memory of 3788	1740	bkhost.exe	108
PID 1740 wrote to memory of 3788	1740	bkhost.exe	108
PID 1740 wrote to memory of 3788	1740	bkhost.exe	108
PID 1740 wrote to memory of 3788	1740	bkhost.exe	108
PID 1740 wrote to memory of 3788	1740	bkhost.exe	108
PID 3112 wrote to memory of 4808	3112	1f14c963165d9a014e8403581ad8f503.exe	109
PID 3112 wrote to memory of 4808	3112	1f14c963165d9a014e8403581ad8f503.exe	109
PID 3112 wrote to memory of 4808	3112	1f14c963165d9a014e8403581ad8f503.exe	109
PID 3112 wrote to memory of 4680	3112	1f14c963165d9a014e8403581ad8f503.exe	113
PID 3112 wrote to memory of 4680	3112	1f14c963165d9a014e8403581ad8f503.exe	113
PID 3112 wrote to memory of 4680	3112	1f14c963165d9a014e8403581ad8f503.exe	113
PID 4680 wrote to memory of 3412	4680	dkhost.exe	115
PID 4680 wrote to memory of 3412	4680	dkhost.exe	115
PID 4680 wrote to memory of 3412	4680	dkhost.exe	115
PID 4680 wrote to memory of 3412	4680	dkhost.exe	115
PID 2944 wrote to memory of 3412	2944	deeaj.exe	115
PID 2944 wrote to memory of 3412	2944	deeaj.exe	115
PID 2944 wrote to memory of 3412	2944	deeaj.exe	115
PID 2944 wrote to memory of 3412	2944	deeaj.exe	115
PID 2944 wrote to memory of 3412	2944	deeaj.exe	115
PID 2944 wrote to memory of 3412	2944	deeaj.exe	115
PID 3112 wrote to memory of 3060	3112	1f14c963165d9a014e8403581ad8f503.exe	117
PID 3112 wrote to memory of 3060	3112	1f14c963165d9a014e8403581ad8f503.exe	117
PID 3112 wrote to memory of 3060	3112	1f14c963165d9a014e8403581ad8f503.exe	117
PID 3112 wrote to memory of 4996	3112	1f14c963165d9a014e8403581ad8f503.exe	122
PID 3112 wrote to memory of 4996	3112	1f14c963165d9a014e8403581ad8f503.exe	122

C:\Users\Admin\AppData\Local\Temp\1f14c963165d9a014e8403581ad8f503.exe
"C:\Users\Admin\AppData\Local\Temp\1f14c963165d9a014e8403581ad8f503.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\1f14c963165d9a014e8403581ad8f503.exe
  1f14c963165d9a014e8403581ad8f503.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Users\Admin\bxpTXK8W.exe
    C:\Users\Admin\bxpTXK8W.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\deeaj.exe
      "C:\Users\Admin\deeaj.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del bxpTXK8W.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
- - C:\Users\Admin\akhost.exe
    C:\Users\Admin\akhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Users\Admin\akhost.exe
      akhost.exe
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:1748
- - C:\Users\Admin\bkhost.exe
    C:\Users\Admin\bkhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Users\Admin\bkhost.exe
      bkhost.exe
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:3788
- - C:\Users\Admin\ckhost.exe
    C:\Users\Admin\ckhost.exe
    3⤵
    - Executes dropped EXE
    PID:4808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 396
      4⤵
      Program crash
      PID:1580
- - C:\Users\Admin\dkhost.exe
    C:\Users\Admin\dkhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:3412
- - C:\Users\Admin\ekhost.exe
    C:\Users\Admin\ekhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del 1f14c963165d9a014e8403581ad8f503.exe
    3⤵
    PID:4996
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4808 -ip 4808
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\akhost.exe

Filesize
229KB

MD5
2c895814249b3630f5ef87aef065a6d2

SHA1
785a02f3a3c958fb2f3fa7ce26860b65da34939d

SHA256
cc6377f8d451bd5ceb97d95409b74c9589f86edd47fead3db05e3a3dbfc6204a

SHA512
14e786deb9917c57dbdb6468a5b6b05ef0aacaa5a9efc962bac691648c1059c99537a85f9bd65013bb2765ebcbd1fa97027c6f2069ae2e1cc901d4247c7f404c

Download Submit
C:\Users\Admin\bkhost.exe

Filesize
122KB

MD5
6adba45c3cd86e3e4179c2489adc3ed0

SHA1
c856828981816a028d9948d4e90e83779ba00cc6

SHA256
e1432e8564f1a32df65a2cb433d4968e2109fef1508ad150a89e7c31227d3de8

SHA512
13404f5c2a311bc87e96d550674c9a7c6fda0f7808db1b901747d4e7a2e4c76bea268e38a17d3206ae419144981a060d29f916f676e586cc4376ad81717de672

Download Submit
C:\Users\Admin\bxpTXK8W.exe

Filesize
184KB

MD5
2261c2411c6e581bf496a0be8d46c6d8

SHA1
79e709807dff36c8d9936db05c0adcce54a1a290

SHA256
20e4fb3c4086c725feafdd50d8c8e405b20f6a9b868422455ca0b9cd007eb418

SHA512
622f86d976e9c140b29a1b29c21ac26415acab2762bac6d429123cb73af002377a0ecc62afaea0ef06dea689ebb6e70a1c7251186a260eae279cc8587622cefd

Download Submit
C:\Users\Admin\ckhost.exe

Filesize
279KB

MD5
b4004c548fec0ae0f7264b509b95e4d8

SHA1
6142664dc2b3ce927fecb96fa18a1dbc5219ae8f

SHA256
3f4aae3b2ec5b1d842841e76a963f26b471ed15e9933c40d48469a48ed04ee56

SHA512
750223d1cf30812b4c9dba9f21893f2ce34b717c17da2befe47f13e8d623c5098f5133053cb1a909da5e4ebc07b68979e72fa8f36c26c6c191665b213e838d90

Download Submit
C:\Users\Admin\deeaj.exe

Filesize
184KB

MD5
50b59a5d32579d8035935c74696b4ace

SHA1
ace165c484e84f45a1054a51dd1cdd1cec79ca64

SHA256
30a14c36293b7721c51372feb4c41da8ada650e2e81360db636ea2039511c3f7

SHA512
60e719af0c15b74d12a61b2c92343ed60897a2354c3f4a734619b111e00224b2f33853d0ca4728e34d5085ec071976fae072bfd86ad41db98b2e823806e7c3c9

Download Submit
C:\Users\Admin\dkhost.exe

Filesize
240KB

MD5
0a67782f34b335fe42be835ad4542124

SHA1
c1838a364f27ed7b8a463edefeabf8d762d1f149

SHA256
4f1d17a99aaf1719a96778e06edb417de118672ad3b0193a3fd2706a8e6f699c

SHA512
4dd56baf20ad532e7c1933d83889c649ffe4069a23dde43486c32105c0df67ebc8f670cb54c13a902105d38f5efea06c3a7f6481aec49c4af1b40bc8cfa7b086

Download Submit
C:\Users\Admin\ekhost.exe

Filesize
32KB

MD5
49e105d54bf4201e39ef974f9e5c24dc

SHA1
70737f6e75e250cfa335f8ef10be4b934f6fa1af

SHA256
a7d86eb136f345db624f4ddc577b61a2bb54f24c6b83a1de66dbdc167f3bb119

SHA512
7b9c210b69535ffca2280bd54b88bb2644e39fb1db487fbf8d83ea420c6db7d05b2373bef172a07b3090139e29110c593b09151e39ff6358d1fc62c0e91783fe

Download Submit
memory/836-4-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1740-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1748-43-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1748-42-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1748-44-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1748-45-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1748-50-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1748-69-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3008-49-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3112-54-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3112-105-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3112-0-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3112-8-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3112-5-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3112-1-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3112-7-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3788-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3788-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3788-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3788-64-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3788-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3788-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4680-79-0x0000000002070000-0x00000000020CD000-memory.dmp

Filesize
372KB

Download
memory/4680-78-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4680-82-0x0000000002073000-0x0000000002074000-memory.dmp

Filesize
4KB

Download
memory/4680-83-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4680-86-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4680-87-0x0000000002070000-0x00000000020CD000-memory.dmp

Filesize
372KB

Download
memory/4680-77-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4680-76-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download