Malware Analysis Report

2025-01-22 14:02

Sample ID 240226-13enksaa6x
Target a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7
SHA256 a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7
Tags
modiloader njrat hacked evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7

Threat Level: Known bad

The file a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7 was found to be: Known bad.

Malicious Activity Summary

modiloader njrat hacked evasion persistence trojan

ModiLoader Second Stage

njRAT/Bladabindi

ModiLoader, DBatLoader

Modiloader family

ModiLoader Second Stage

Modifies Windows Firewall

Drops startup file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-26 22:10

Signatures

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-26 22:10

Reported

2024-02-26 22:12

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

njRAT/Bladabindi

trojan njrat

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d2c0291b8e251a997c188028968b747b.exe C:\Users\Admin\AppData\Local\Temp\dlhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d2c0291b8e251a997c188028968b747b.exe C:\Users\Admin\AppData\Local\Temp\dlhost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22358c6b282a2a0eb26ff1e1403a0595.exe C:\Users\Admin\AppData\Roaming\clener.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22358c6b282a2a0eb26ff1e1403a0595.exe C:\Users\Admin\AppData\Roaming\clener.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\d2c0291b8e251a997c188028968b747b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dlhost.exe\" .." C:\Users\Admin\AppData\Local\Temp\dlhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d2c0291b8e251a997c188028968b747b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dlhost.exe\" .." C:\Users\Admin\AppData\Local\Temp\dlhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\22358c6b282a2a0eb26ff1e1403a0595 = "\"C:\\Users\\Admin\\AppData\\Roaming\\clener.exe\" .." C:\Users\Admin\AppData\Roaming\clener.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\22358c6b282a2a0eb26ff1e1403a0595 = "\"C:\\Users\\Admin\\AppData\\Roaming\\clener.exe\" .." C:\Users\Admin\AppData\Roaming\clener.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\shodanEngine.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = <binary blob omitted> C:\Users\Admin\AppData\Local\Temp\shodanEngine.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\shodanEngine.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dlhost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\dlhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dlhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\clener.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\clener.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\clener.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shodanEngine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe C:\Users\Admin\AppData\Local\Temp\shodanEngine.exe
PID 2104 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe C:\Users\Admin\AppData\Local\Temp\clener.exe
PID 2104 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe C:\Users\Admin\AppData\Local\Temp\dlhost.exe
PID 2320 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\dlhost.exe C:\Windows\SysWOW64\netsh.exe
PID 2756 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\clener.exe C:\Users\Admin\AppData\Roaming\clener.exe
PID 2752 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\clener.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe

"C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe"

C:\Users\Admin\AppData\Local\Temp\shodanEngine.exe

"C:\Users\Admin\AppData\Local\Temp\shodanEngine.exe"

C:\Users\Admin\AppData\Local\Temp\clener.exe

"C:\Users\Admin\AppData\Local\Temp\clener.exe"

C:\Users\Admin\AppData\Local\Temp\dlhost.exe

"C:\Users\Admin\AppData\Local\Temp\dlhost.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\dlhost.exe" "dlhost.exe" ENABLE

C:\Users\Admin\AppData\Roaming\clener.exe

"C:\Users\Admin\AppData\Roaming\clener.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\clener.exe" "clener.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 account.shodan.io udp
US 104.18.13.238:443 account.shodan.io tcp
US 8.8.8.8:53 wire.shodan.io udp
US 8.8.8.8:53 kit.fontawesome.com udp
US 8.8.8.8:53 static.shodan.io udp
US 104.18.13.238:443 static.shodan.io tcp
US 104.18.40.68:443 kit.fontawesome.com tcp
US 104.18.12.238:443 static.shodan.io tcp
US 8.8.8.8:53 russia5319.ddns.net udp
US 8.8.8.8:53 voip2020.ddns.net udp

Files

\Users\Admin\AppData\Local\Temp\shodanEngine.exe

MD5 2f413a8c1dfdf364c04807bc5fb131f8
SHA1 72afc1b6c1b20fd787cbfd50cfdeaad1bc4d4f81
SHA256 b6e3a1cda525c4a129ab90e97217f324b13c343d92224628b7c365e726c87745
SHA512 f6c921aec38c32b5c21eb229aaf793610408b0027653d1085a96d9f0f0f576ca54734b6124c411061a64776b8825ebd17304ee49a4d78d3aea985ddc46697edf

\Users\Admin\AppData\Local\Temp\clener.exe

MD5 9d0c7f378c611384c5588c3cb330a57e
SHA1 2773d0025791feb56d9bafba1ac6de934508cc40
SHA256 eaa231c6c77b4ae0051431ebe5f10561742701544937921da3568d41e7b577af
SHA512 ebaad0cc84ea696a6d272e3b5072367d61f9cd19d61b6e33757dd5c73adfdb64e3d674c4b054f8560930a6dffdb508680124d0f2e27ae5e499c2e506488f1509

\Users\Admin\AppData\Local\Temp\dlhost.exe

MD5 a8454775f251fc38e87e252cc9854355
SHA1 79c3ba51d940977b881a185f804d63bdfce57f6d
SHA256 5358f382c0588fd21df9a94a8f3b287cf5c0d300af764dd55056be48c51b1528
SHA512 7ef001bc9299c7d8972fbd2a8643f7eb111ef425c72aea3cd3212d58a8c826e0640c7e4edff44516a64708a0493e21182ae663a95bcd761fe6c4262d43527ac7

memory/2104-20-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1160-22-0x0000000001340000-0x000000000134A000-memory.dmp

memory/1160-23-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2320-24-0x0000000073BF0000-0x000000007419B000-memory.dmp

memory/2320-25-0x0000000000C30000-0x0000000000C70000-memory.dmp

memory/2756-26-0x0000000073BF0000-0x000000007419B000-memory.dmp

memory/1160-27-0x00000000049E0000-0x0000000004A20000-memory.dmp

memory/1160-28-0x00000000049E0000-0x0000000004A20000-memory.dmp

memory/1160-29-0x00000000049E0000-0x0000000004A20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab29E0.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar2A60.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/2752-276-0x0000000073BF0000-0x000000007419B000-memory.dmp

memory/2752-277-0x00000000008E0000-0x0000000000920000-memory.dmp

memory/2756-275-0x0000000073BF0000-0x000000007419B000-memory.dmp

memory/1160-495-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2320-496-0x0000000073BF0000-0x000000007419B000-memory.dmp

memory/2320-497-0x0000000000C30000-0x0000000000C70000-memory.dmp

memory/1160-498-0x00000000049E0000-0x0000000004A20000-memory.dmp

memory/2752-499-0x0000000073BF0000-0x000000007419B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-26 22:10

Reported

2024-02-26 22:13

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

njRAT/Bladabindi

trojan njrat

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\clener.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d2c0291b8e251a997c188028968b747b.exe C:\Users\Admin\AppData\Local\Temp\dlhost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22358c6b282a2a0eb26ff1e1403a0595.exe C:\Users\Admin\AppData\Roaming\clener.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22358c6b282a2a0eb26ff1e1403a0595.exe C:\Users\Admin\AppData\Roaming\clener.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d2c0291b8e251a997c188028968b747b.exe C:\Users\Admin\AppData\Local\Temp\dlhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22358c6b282a2a0eb26ff1e1403a0595 = "\"C:\\Users\\Admin\\AppData\\Roaming\\clener.exe\" .." C:\Users\Admin\AppData\Roaming\clener.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\22358c6b282a2a0eb26ff1e1403a0595 = "\"C:\\Users\\Admin\\AppData\\Roaming\\clener.exe\" .." C:\Users\Admin\AppData\Roaming\clener.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d2c0291b8e251a997c188028968b747b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dlhost.exe\" .." C:\Users\Admin\AppData\Local\Temp\dlhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d2c0291b8e251a997c188028968b747b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dlhost.exe\" .." C:\Users\Admin\AppData\Local\Temp\dlhost.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dlhost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\dlhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dlhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\clener.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\clener.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\clener.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shodanEngine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe C:\Users\Admin\AppData\Local\Temp\shodanEngine.exe
PID 1988 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe C:\Users\Admin\AppData\Local\Temp\clener.exe
PID 1988 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe C:\Users\Admin\AppData\Local\Temp\dlhost.exe
PID 2740 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\clener.exe C:\Users\Admin\AppData\Roaming\clener.exe
PID 3684 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\dlhost.exe C:\Windows\SysWOW64\netsh.exe
PID 1636 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Roaming\clener.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe

"C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe"

C:\Users\Admin\AppData\Local\Temp\shodanEngine.exe

"C:\Users\Admin\AppData\Local\Temp\shodanEngine.exe"

C:\Users\Admin\AppData\Local\Temp\clener.exe

"C:\Users\Admin\AppData\Local\Temp\clener.exe"

C:\Users\Admin\AppData\Local\Temp\dlhost.exe

"C:\Users\Admin\AppData\Local\Temp\dlhost.exe"

C:\Users\Admin\AppData\Roaming\clener.exe

"C:\Users\Admin\AppData\Roaming\clener.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\dlhost.exe" "dlhost.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\clener.exe" "clener.exe" ENABLE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4152 --field-trial-handle=3016,i,1323102786462900035,7687994236215859601,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 account.shodan.io udp
US 104.18.12.238:443 account.shodan.io tcp
US 8.8.8.8:53 238.12.18.104.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 wire.shodan.io udp
US 8.8.8.8:53 kit.fontawesome.com udp
US 8.8.8.8:53 static.shodan.io udp
US 104.18.12.238:443 static.shodan.io tcp
US 104.18.40.68:443 kit.fontawesome.com tcp
US 8.8.8.8:53 68.40.18.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 russia5319.ddns.net udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 voip2020.ddns.net udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\shodanEngine.exe

MD5 2f413a8c1dfdf364c04807bc5fb131f8
SHA1 72afc1b6c1b20fd787cbfd50cfdeaad1bc4d4f81
SHA256 b6e3a1cda525c4a129ab90e97217f324b13c343d92224628b7c365e726c87745
SHA512 f6c921aec38c32b5c21eb229aaf793610408b0027653d1085a96d9f0f0f576ca54734b6124c411061a64776b8825ebd17304ee49a4d78d3aea985ddc46697edf

C:\Users\Admin\AppData\Local\Temp\clener.exe

MD5 9d0c7f378c611384c5588c3cb330a57e
SHA1 2773d0025791feb56d9bafba1ac6de934508cc40
SHA256 eaa231c6c77b4ae0051431ebe5f10561742701544937921da3568d41e7b577af
SHA512 ebaad0cc84ea696a6d272e3b5072367d61f9cd19d61b6e33757dd5c73adfdb64e3d674c4b054f8560930a6dffdb508680124d0f2e27ae5e499c2e506488f1509

C:\Users\Admin\AppData\Local\Temp\dlhost.exe

MD5 a8454775f251fc38e87e252cc9854355
SHA1 79c3ba51d940977b881a185f804d63bdfce57f6d
SHA256 5358f382c0588fd21df9a94a8f3b287cf5c0d300af764dd55056be48c51b1528
SHA512 7ef001bc9299c7d8972fbd2a8643f7eb111ef425c72aea3cd3212d58a8c826e0640c7e4edff44516a64708a0493e21182ae663a95bcd761fe6c4262d43527ac7

memory/1988-30-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3004-31-0x0000000000570000-0x000000000057A000-memory.dmp

memory/3004-32-0x0000000074CF0000-0x00000000754A0000-memory.dmp

memory/2740-33-0x0000000075560000-0x0000000075B11000-memory.dmp

memory/3004-34-0x00000000052F0000-0x0000000005894000-memory.dmp

memory/3004-35-0x0000000004E20000-0x0000000004EB2000-memory.dmp

memory/3684-36-0x0000000075560000-0x0000000075B11000-memory.dmp

memory/3004-37-0x0000000005270000-0x000000000527A000-memory.dmp

memory/2740-38-0x0000000075560000-0x0000000075B11000-memory.dmp

memory/3684-39-0x0000000000E20000-0x0000000000E30000-memory.dmp

memory/3004-40-0x0000000005150000-0x0000000005160000-memory.dmp

memory/3004-41-0x0000000005150000-0x0000000005160000-memory.dmp

memory/3004-42-0x0000000005150000-0x0000000005160000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\clener.exe.log

MD5 824ba7b7eed8b900a98dd25129c4cd83
SHA1 54478770b2158000ef365591d42977cb854453a1
SHA256 d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03
SHA512 ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e

memory/1636-75-0x0000000075560000-0x0000000075B11000-memory.dmp

memory/2740-74-0x0000000075560000-0x0000000075B11000-memory.dmp

memory/1636-76-0x0000000000F30000-0x0000000000F40000-memory.dmp

memory/1636-77-0x0000000075560000-0x0000000075B11000-memory.dmp

memory/3004-79-0x0000000074CF0000-0x00000000754A0000-memory.dmp

memory/3684-80-0x0000000075560000-0x0000000075B11000-memory.dmp

memory/3684-81-0x0000000000E20000-0x0000000000E30000-memory.dmp

memory/3004-82-0x0000000005150000-0x0000000005160000-memory.dmp

memory/1636-84-0x0000000075560000-0x0000000075B11000-memory.dmp

memory/1636-85-0x0000000000F30000-0x0000000000F40000-memory.dmp