Malware Analysis Report

2024-08-06 14:03

Sample ID 240615-mt4dpa1erj
Target hesaphareketi01.cmd
SHA256 6ff59a7a9bb26552d874bf03ffd04b7c152184e443d09f79a4f2459f8a04dd55
Tags
modiloader trojan execution persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ff59a7a9bb26552d874bf03ffd04b7c152184e443d09f79a4f2459f8a04dd55

Threat Level: Known bad

The file hesaphareketi01.cmd was found to be: Known bad.

Malicious Activity Summary

modiloader trojan execution persistence

ModiLoader, DBatLoader

ModiLoader Second Stage

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 10:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 10:46

Reported

2024-06-15 10:48

Platform

win7-20240508-en

Max time kernel

143s

Max time network

147s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\hesaphareketi01.cmd"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
59 matches recorded, all with Description, Indicator, Process and Target reported as N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\alpha.exe N/A
N/A N/A C:\Users\Public\alpha.exe N/A
N/A N/A C:\Users\Public\kn.exe N/A
N/A N/A C:\Users\Public\alpha.exe N/A
N/A N/A C:\Users\Public\kn.exe N/A
N/A N/A C:\Users\Public\Libraries\Audio.pif N/A
N/A N/A C:\Users\Public\alpha.exe N/A
N/A N/A C:\Users\Public\alpha.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Public\alpha.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Public\alpha.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Public\Libraries\Audio.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\extrac32.exe
PID 2884 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\extrac32.exe
PID 2884 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\extrac32.exe
PID 2884 wrote to memory of 1132 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2884 wrote to memory of 1132 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2884 wrote to memory of 1132 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 1132 wrote to memory of 2728 N/A C:\Users\Public\alpha.exe C:\Windows\system32\extrac32.exe
PID 1132 wrote to memory of 2728 N/A C:\Users\Public\alpha.exe C:\Windows\system32\extrac32.exe
PID 1132 wrote to memory of 2728 N/A C:\Users\Public\alpha.exe C:\Windows\system32\extrac32.exe
PID 2884 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2884 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2884 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2632 wrote to memory of 2596 N/A C:\Users\Public\alpha.exe C:\Users\Public\kn.exe
PID 2632 wrote to memory of 2596 N/A C:\Users\Public\alpha.exe C:\Users\Public\kn.exe
PID 2632 wrote to memory of 2596 N/A C:\Users\Public\alpha.exe C:\Users\Public\kn.exe
PID 2884 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2884 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2884 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2684 wrote to memory of 2720 N/A C:\Users\Public\alpha.exe C:\Users\Public\kn.exe
PID 2684 wrote to memory of 2720 N/A C:\Users\Public\alpha.exe C:\Users\Public\kn.exe
PID 2684 wrote to memory of 2720 N/A C:\Users\Public\alpha.exe C:\Users\Public\kn.exe
PID 2884 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Libraries\Audio.pif
PID 2884 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Libraries\Audio.pif
PID 2884 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Libraries\Audio.pif
PID 2884 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Libraries\Audio.pif
PID 2884 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2884 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2884 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2884 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2884 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2884 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\hesaphareketi01.cmd"

C:\Windows\System32\extrac32.exe

C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\system32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\hesaphareketi01.cmd" "C:\\Users\\Public\\Audio.mp4" 9

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\hesaphareketi01.cmd" "C:\\Users\\Public\\Audio.mp4" 9

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12

C:\Users\Public\Libraries\Audio.pif

C:\Users\Public\Libraries\Audio.pif

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S

Network

Country Destination Domain Proto
US 8.8.8.8:53 onedrive.live.com udp
US 8.8.8.8:53 onedrive.live.com udp
US 8.8.8.8:53 onedrive.live.com udp
US 8.8.8.8:53 onedrive.live.com udp

Files

C:\Users\Public\alpha.exe

MD5 5746bd7e255dd6a8afa06f7c42c1ba41
SHA1 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256 db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA512 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

C:\Users\Public\kn.exe

MD5 ec1fd3050dbc40ec7e87ab99c7ca0b03
SHA1 ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
SHA256 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
SHA512 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

C:\Users\Public\Audio.mp4

MD5 2b394a65ee90021cb0990dbdb9ee43bb
SHA1 341e96b53dfb4831dfe1f3334cfb6405df173f52
SHA256 e106349c4b793aac809fd7b11dca2cf1a293fecd584071e9ed0b48cb0bdff857
SHA512 51eae123e69dbf6d040d88f8984b9cdb8de16c0035f05a0c355c3f2d9b372706a7c8e6bf554051842980fb043328350d380c6590ac05cefb0996ddd9a9bd3680

C:\Users\Public\Libraries\Audio.pif

MD5 1a7ed7270f975e1aedd73a800e17a40b
SHA1 6a7b00eb876108cbbcbeaef40448ecf34a518d59
SHA256 a6d0ab763d30f720839b50458cf1e4ab601f5574dd6d835aa17488535e89bd3b
SHA512 289ef44a7e171145232f497075596bdba81f53016a8d16935a20069396f91548e5643b1fab2264613f54cb34c12974529ab01fd6e5b3a78708557df2e00781f7

memory/2616-35-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-38-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-37-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-36-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-34-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-39-0x0000000000400000-0x0000000000589000-memory.dmp

memory/2616-41-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-40-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-43-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-42-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-44-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-46-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-49-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-48-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-47-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-50-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-53-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-56-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-55-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-57-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-54-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-59-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-62-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-63-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-61-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-60-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-65-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-89-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-81-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-75-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-131-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-128-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-125-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-121-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-119-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-116-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-112-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-109-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-105-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-102-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-99-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-96-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-92-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-86-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-82-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-79-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-76-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-74-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-71-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-67-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-66-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-64-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-80-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-78-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-77-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-73-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-72-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-70-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-69-0x00000000031A0000-0x00000000041A0000-memory.dmp

memory/2616-68-0x00000000031A0000-0x00000000041A0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 10:46

Reported

2024-06-15 10:48

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

154s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hesaphareketi01.cmd"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
64 matches recorded, all with Description, Indicator, Process and Target reported as N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows \System32\cmd.pif N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mjhfyqrx = "C:\\Users\\Public\\Mjhfyqrx.url" C:\Users\Public\Libraries\Audio.pif N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SndVol.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SndVol.exe N/A
N/A N/A C:\Windows\SysWOW64\SndVol.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3428 wrote to memory of 4084 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\extrac32.exe
PID 3428 wrote to memory of 4084 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\extrac32.exe
PID 3428 wrote to memory of 1568 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 3428 wrote to memory of 1568 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 1568 wrote to memory of 2720 N/A C:\Users\Public\alpha.exe C:\Windows\system32\extrac32.exe
PID 1568 wrote to memory of 2720 N/A C:\Users\Public\alpha.exe C:\Windows\system32\extrac32.exe
PID 3428 wrote to memory of 3768 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 3428 wrote to memory of 3768 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 3768 wrote to memory of 4868 N/A C:\Users\Public\alpha.exe C:\Users\Public\kn.exe
PID 3768 wrote to memory of 4868 N/A C:\Users\Public\alpha.exe C:\Users\Public\kn.exe
PID 3428 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 3428 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2056 wrote to memory of 1036 N/A C:\Users\Public\alpha.exe C:\Users\Public\kn.exe
PID 2056 wrote to memory of 1036 N/A C:\Users\Public\alpha.exe C:\Users\Public\kn.exe
PID 3428 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Libraries\Audio.pif
PID 3428 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Libraries\Audio.pif
PID 3428 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Libraries\Audio.pif
PID 3428 wrote to memory of 3252 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 3428 wrote to memory of 3252 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 3428 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 3428 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 4656 wrote to memory of 1548 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\cmd.exe
PID 4656 wrote to memory of 1548 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\cmd.exe
PID 4656 wrote to memory of 1548 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\cmd.exe
PID 4656 wrote to memory of 4980 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\cmd.exe
PID 4656 wrote to memory of 4980 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\cmd.exe
PID 4656 wrote to memory of 4980 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\cmd.exe
PID 4656 wrote to memory of 4896 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\cmd.exe
PID 4656 wrote to memory of 4896 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\cmd.exe
PID 4656 wrote to memory of 4896 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 4084 N/A C:\Windows \System32\cmd.pif C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4708 wrote to memory of 4084 N/A C:\Windows \System32\cmd.pif C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 4328 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\extrac32.exe
PID 4656 wrote to memory of 4328 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\extrac32.exe
PID 4656 wrote to memory of 4328 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\extrac32.exe
PID 4656 wrote to memory of 964 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\SndVol.exe
PID 4656 wrote to memory of 964 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\SndVol.exe
PID 4656 wrote to memory of 964 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\SndVol.exe
PID 4656 wrote to memory of 964 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\SndVol.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hesaphareketi01.cmd"

C:\Windows\System32\extrac32.exe

C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\system32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\hesaphareketi01.cmd" "C:\\Users\\Public\\Audio.mp4" 9

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\hesaphareketi01.cmd" "C:\\Users\\Public\\Audio.mp4" 9

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12

C:\Users\Public\Libraries\Audio.pif

C:\Users\Public\Libraries\Audio.pif

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S

C:\Windows\SysWOW64\cmd.exe

cmd /c mkdir "\\?\C:\Windows "

C:\Windows\SysWOW64\cmd.exe

cmd /c mkdir "\\?\C:\Windows \System32"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\\Windows \\System32\\cmd.pif"

C:\Windows \System32\cmd.pif

"C:\\Windows \\System32\\cmd.pif"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:'

C:\Windows\SysWOW64\extrac32.exe

C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Mjhfyqrx.PIF

C:\Windows\SysWOW64\SndVol.exe

C:\Windows\System32\SndVol.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 onedrive.live.com udp
US 13.107.139.11:443 onedrive.live.com tcp
US 8.8.8.8:53 11.139.107.13.in-addr.arpa udp
US 13.107.139.11:443 onedrive.live.com tcp
US 8.8.8.8:53 w9vw9q.db.files.1drv.com udp
US 13.107.42.12:443 w9vw9q.db.files.1drv.com tcp
US 8.8.8.8:53 12.42.107.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 8.8.8.8:53 kingmethod.duckdns.org udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 26.69.169.192.in-addr.arpa udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.duckdns.org udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 8.8.8.8:53 kingmethod.sytes.net udp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp
US 192.169.69.26:7044 kingmethod.duckdns.org tcp

Files

C:\Users\Public\alpha.exe

MD5 8a2122e8162dbef04694b9c3e0b6cdee
SHA1 f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256 b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA512 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

C:\Users\Public\kn.exe

MD5 bd8d9943a9b1def98eb83e0fa48796c2
SHA1 70e89852f023ab7cde0173eda1208dbb580f1e4f
SHA256 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA512 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

C:\Users\Public\Audio.mp4

MD5 2b394a65ee90021cb0990dbdb9ee43bb
SHA1 341e96b53dfb4831dfe1f3334cfb6405df173f52
SHA256 e106349c4b793aac809fd7b11dca2cf1a293fecd584071e9ed0b48cb0bdff857
SHA512 51eae123e69dbf6d040d88f8984b9cdb8de16c0035f05a0c355c3f2d9b372706a7c8e6bf554051842980fb043328350d380c6590ac05cefb0996ddd9a9bd3680

C:\Users\Public\Libraries\Audio.pif

MD5 1a7ed7270f975e1aedd73a800e17a40b
SHA1 6a7b00eb876108cbbcbeaef40448ecf34a518d59
SHA256 a6d0ab763d30f720839b50458cf1e4ab601f5574dd6d835aa17488535e89bd3b
SHA512 289ef44a7e171145232f497075596bdba81f53016a8d16935a20069396f91548e5643b1fab2264613f54cb34c12974529ab01fd6e5b3a78708557df2e00781f7

memory/4656-29-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-30-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-31-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-28-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-32-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-36-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-57-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-55-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-54-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-35-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-41-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-53-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-52-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-40-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-50-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-48-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-38-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-46-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-37-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-43-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-42-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-34-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-39-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-33-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-84-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-56-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-79-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-51-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-49-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-69-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-47-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-64-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-63-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-45-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-62-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-61-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-44-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-60-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-87-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-92-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-90-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-89-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-88-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-86-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-85-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-83-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-82-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-81-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-80-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-78-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-77-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-76-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-75-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-74-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-73-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-72-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-71-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-70-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-68-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-67-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-66-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-65-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-59-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/4656-58-0x00000000029B0000-0x00000000039B0000-memory.dmp

C:\Windows \System32\cmd.pif

MD5 869640d0a3f838694ab4dfea9e2f544d
SHA1 bdc42b280446ba53624ff23f314aadb861566832
SHA256 0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA512 6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

C:\Windows \System32\netutils.dll

MD5 b388185438132c448b2136948627e9d3
SHA1 d25dc09705a6bd8f9046835c6b8b45a6d35efc36
SHA256 524f0127d0e96431e8b09725b21fb95ee0394f7ab0f3104458c8190b80accc6a
SHA512 25b88f6d5eed03001cd90cf91dca8b374985e6060884d6bb105c48e1bb6e33b1ab309fdeff65048e21a4daee08331427bdc8b2648cdb16455a19824cba760d40

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_buizujms.3ub.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4084-223-0x000002E0D6190000-0x000002E0D61B2000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 835be1e963661be69914d4bd89633581
SHA1 3feba808534e76000e83c7efa8fc22f27698ced3
SHA256 23cff52caa9f70d02852431cfc63457452ee0ec358a02ff9aa780689c62b3067
SHA512 cb1259fa8f284fb4a590f2b3421bc840ef5e6fa67f6458fda37e92dadb0ce1e558b2b157273c93f3001f6d8da1d055087ca4fab7fb7afcee1c5bd6e84bcad4cf