Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
06-06-2024 12:20
General
-
Target
7395837492.cmd
-
Size
3.4MB
-
MD5
cc1abc1560d882d5b80ddba1847edf14
-
SHA1
5204ae55dbca8042c18664647618c41758464a0f
-
SHA256
e604eca34f7f438d53b775960ec8ae63d1dbc0472338a3a567d5587b4dfeb71c
-
SHA512
278f10a605c5b19ef62de2e435432e8a1d66cb45873c8b8b5ac0beb04416a365ee57ff2a4dc320e940f36fe5a8e4d5dc0b2ab0302ef475bfeaae6932c542467a
-
SSDEEP
49152:wPqmKNNBLnfBMC+YWrAxOdxVFC/X4/T22ywslPINz/yAScxVss:8
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 64 IoCs
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Nirsoft 5 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7395837492.cmd"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"2⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\7395837492.cmd" "C:\\Users\\Public\\Audio.mp4" 92⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\7395837492.cmd" "C:\\Users\\Public\\Audio.mp4" 93⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 122⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 123⤵
- Executes dropped EXE
-
C:\Users\Public\Libraries\Audio.pifC:\Users\Public\Libraries\Audio.pif2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c mkdir "\\?\C:\Windows "3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c mkdir "\\?\C:\Windows \System32"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\\Windows \\System32\\cmd.pif"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows \System32\cmd.pif"C:\\Windows \\System32\\cmd.pif"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c start /min powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:'5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Yjvppoyi.PIF3⤵
-
C:\Users\Public\Libraries\Audio.pifC:\Users\Public\Libraries\Audio.pif /stext "C:\Users\Admin\AppData\Local\Temp\asarxgwqriclknwvupgchoyz"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Public\Libraries\Audio.pifC:\Users\Public\Libraries\Audio.pif /stext "C:\Users\Admin\AppData\Local\Temp\kuncqzgkeruqmbkhmaswrtsqujqz"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
-
C:\Users\Public\Libraries\Audio.pifC:\Users\Public\Libraries\Audio.pif /stext "C:\Users\Admin\AppData\Local\Temp\voturrrmazmdwhglvkfxugnzuxhahnp"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\remcos\logs.datFilesize
144B
MD5ef6475e70444f9bdc87d6f46bc3f1fe9
SHA17d5368e4be2d96d342c748a366c1c61b024be17a
SHA25686e35a96392a2064d98c2e2b8d6b49eb7d07ff22f6c5965bc1d274c1f6c6dad1
SHA51243354140c1d0cb72829a961266da6cce447628848f17f8ba819971ce7f60ec386679ad7538e4b756d5215e3a33fb6a0e958412407e490fa875299f0037a67371
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5m3mg0dx.qtu.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\asarxgwqriclknwvupgchoyzFilesize
4KB
MD518b6368b183e546a35847ae24b4b2913
SHA1040545f7ac2c987d2a79b5e7f1cf9ab83bd25923
SHA25654c101b6b1241b6a0574a66e5a5b9bddc6c60a4daf7338dba6fe3f65b27382af
SHA51268ba8734016705cd12bf9d7ce41d5c823b2ec6ce9ee1ee7e9da9efcd9c88ef1f1b18148d91ad6a271c7a88d4ca098a99198ca709fcf217f9b1fa18f74c48d698
-
C:\Users\Public\Audio.mp4Filesize
2.4MB
MD57419c06138aa4d9692adfc1399731e94
SHA1762a2bf5e36ecf4fda2552fd466bd0e058d29ea9
SHA256cc6c5e8ef9f60533c5b983545f0036abad1320f894aff3250ec528e55d5fb8f4
SHA5121b4344b44bb5ee9f21a94cc5a7b4e4ebf4741404660de2da70b8504c95ebb4f6572e221ceaf93b6865869f6a78092958b8f9a3dd233dfb5d20afd99e81e6b7a0
-
C:\Users\Public\Libraries\Audio.pifFilesize
1.2MB
MD525d0f1e403cf2130097ae11f9ff493cd
SHA19e3d4e7062e8fff5951018062f471b5b902674c1
SHA2563d9e028b26eacd6302e1a2e6e1914ec9f6ca76824eafbf2ff0cd35be22fbefec
SHA512f3d5755e3848f9a2b004d65f8357dcaa11b07d74b8603ed59baba7325e528ac7252d682d7f1c8334948f88b70746fd7b90ee89eadec2bafe2369586852d86f26
-
C:\Users\Public\alpha.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Users\Public\kn.exeFilesize
1.6MB
MD5bd8d9943a9b1def98eb83e0fa48796c2
SHA170e89852f023ab7cde0173eda1208dbb580f1e4f
SHA2568de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA51295630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b
-
C:\Windows \System32\cmd.pifFilesize
94KB
MD5869640d0a3f838694ab4dfea9e2f544d
SHA1bdc42b280446ba53624ff23f314aadb861566832
SHA2560db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA5126e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7
-
C:\Windows \System32\netutils.dllFilesize
109KB
MD53ef9e89c8bf16295c84b8c82bf5e1b50
SHA145fb8e0cd06da23564712614481265679369fee3
SHA256e0d3d0cf79d7969da536946de8a7395cab39ddfaca7ba7353aa6544d04209b2e
SHA5120d27d4fe85117003830b69575ea02b7ee67601db7d8b2e422f5f9b72735b9b3d15ab8b81b7a9f4f2b14caf1365d0137d9d437932c4640f97c883d3c7bf24a1c1
-
memory/3160-356-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3160-350-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3180-360-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/3180-337-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/4132-354-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/4132-345-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/4588-219-0x000001F9C6FA0000-0x000001F9C6FC2000-memory.dmpFilesize
136KB
-
memory/4788-57-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-68-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-90-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-89-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-88-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-87-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-86-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-85-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-84-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-83-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-81-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-80-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-79-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-78-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-77-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-76-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-75-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-74-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-69-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-67-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-65-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-82-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-62-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-61-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-71-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-73-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-55-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-72-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-54-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-70-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-53-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-91-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-52-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-66-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-51-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-64-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-50-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-63-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-49-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-48-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-60-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-47-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-59-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-46-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-58-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-44-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-43-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-42-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-41-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-40-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-38-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-35-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-56-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-45-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-39-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-33-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-29-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-32-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-31-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-30-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-28-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-37-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-36-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB
-
memory/4788-34-0x0000000002930000-0x0000000003930000-memory.dmpFilesize
16.0MB