Malware Analysis Report

2024-08-06 14:02

Sample ID 240617-t111gawbpa
Target 17062024_1632_lNV-2024-3626276279.Tar
SHA256 2a852296a5a9851655ab8b12ebbc8c2a265823a56fa6fc67d64eb865b06289ef
Tags: modiloader persistence spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256 2a852296a5a9851655ab8b12ebbc8c2a265823a56fa6fc67d64eb865b06289ef

Threat Level: Known bad

The file 17062024_1632_lNV-2024-3626276279.Tar was found to be: Known bad.

Malicious Activity Summary

modiloader persistence spyware stealer trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: CmdExeWriteProcessMemorySpam

Script User-Agent

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-17 16:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 16:32
Reported: 2024-06-17 16:34
Platform: win7-20240419-en
Max time kernel: 149s
Max time network: 124s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Enuohelf = "C:\\Users\\Public\\Enuohelf.url" | C:\Users\Public\Libraries\Audio.pif | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\windows.exe" | C:\Users\Public\Libraries\flehounE.pif | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2728 set thread context of 1552 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Users\Public\Libraries\flehounE.pif

Enumerates physical storage devices

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Libraries\Audio.pif | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Libraries\flehounE.pif | N/A
N/A | N/A | C:\Users\Public\Libraries\flehounE.pif | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Public\Libraries\flehounE.pif | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2940 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 2940 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 2940 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 2940 wrote to memory of 2560 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2940 wrote to memory of 2560 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2940 wrote to memory of 2560 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2560 wrote to memory of 2592 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2560 wrote to memory of 2592 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2560 wrote to memory of 2592 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2940 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2940 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2940 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2656 wrote to memory of 2704 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2656 wrote to memory of 2704 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2656 wrote to memory of 2704 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2940 wrote to memory of 2600 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2940 wrote to memory of 2600 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2940 wrote to memory of 2600 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2600 wrote to memory of 2456 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2600 wrote to memory of 2456 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2600 wrote to memory of 2456 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2940 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Audio.pif
PID 2940 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Audio.pif
PID 2940 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Audio.pif
PID 2940 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Audio.pif
PID 2940 wrote to memory of 2140 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2940 wrote to memory of 2140 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2940 wrote to memory of 2140 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2940 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2940 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2940 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2728 wrote to memory of 2228 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2228 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2228 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2228 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 1996 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 1996 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 1996 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 1996 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2748 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2748 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2748 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2748 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 1436 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\extrac32.exe
PID 2728 wrote to memory of 1436 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\extrac32.exe
PID 2728 wrote to memory of 1436 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\extrac32.exe
PID 2728 wrote to memory of 1436 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Windows\SysWOW64\extrac32.exe
PID 2728 wrote to memory of 1552 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Users\Public\Libraries\flehounE.pif
PID 2728 wrote to memory of 1552 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Users\Public\Libraries\flehounE.pif
PID 2728 wrote to memory of 1552 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Users\Public\Libraries\flehounE.pif
PID 2728 wrote to memory of 1552 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Users\Public\Libraries\flehounE.pif
PID 2728 wrote to memory of 1552 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Users\Public\Libraries\flehounE.pif
PID 2728 wrote to memory of 1552 | N/A | C:\Users\Public\Libraries\Audio.pif | C:\Users\Public\Libraries\flehounE.pif

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd"

C:\Windows\System32\extrac32.exe

C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\system32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd" "C:\\Users\\Public\\Audio.mp4" 9

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd" "C:\\Users\\Public\\Audio.mp4" 9

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12

C:\Users\Public\Libraries\Audio.pif

C:\Users\Public\Libraries\Audio.pif

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S

C:\Windows\SysWOW64\cmd.exe

cmd /c mkdir "\\?\C:\Windows "

C:\Windows\SysWOW64\cmd.exe

cmd /c mkdir "\\?\C:\Windows \System32"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\\Windows \\System32\\cmd.pif"

C:\Windows \System32\cmd.pif

"C:\\Windows \\System32\\cmd.pif"

C:\Windows \System32\cmd.pif

"C:\Windows \System32\cmd.pif"

C:\Windows\SysWOW64\extrac32.exe

C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Enuohelf.PIF

C:\Users\Public\Libraries\flehounE.pif

C:\Users\Public\Libraries\flehounE.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.238:443 drive.google.com tcp
GB 142.250.187.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

\Users\Public\alpha.exe

MD5 5746bd7e255dd6a8afa06f7c42c1ba41
SHA1 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256 db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA512 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

C:\Users\Public\kn.exe

MD5 ec1fd3050dbc40ec7e87ab99c7ca0b03
SHA1 ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
SHA256 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
SHA512 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

C:\Users\Public\Audio.mp4

MD5 8d6a6f7f28472f54780ace4be5e35f7f
SHA1 93e285f23ef6cb95d3be6c5c4ce3eddcdd0e4201
SHA256 611fbe02cb707477addb2b98bbb193d77f981a4fc61be39b74543f3f43fc5cd1
SHA512 87497486cc166f3c6c43dd05b9bc08c7947c97be03ea2a8edf962c59f3027cdccc1b57d99a55a072e26d7b83e678f67cedad1f54beaa7d3a352556db4fa78744

C:\Users\Public\Libraries\Audio.pif

MD5 3351922e54c2698b80f65bbe11894bb8
SHA1 6121c53dcb4f81a202e393281c53e95de2155219
SHA256 6ad37e5e8fc00d1bb6538d409e3930882ac8bc1e3efdda551ead49edfdba2c42
SHA512 d9ac69966e0ad0ff05fe137a08d0ba211c11dfe5303d032ff3fc337a5302cdab1bbfb9f7153567d8b11acff38c0c433d92dd48925f3bb7824cc572562014bfdc

memory/2728-32-0x0000000000400000-0x000000000058B000-memory.dmp

C:\Windows \System32\cmd.pif

MD5 869640d0a3f838694ab4dfea9e2f544d
SHA1 bdc42b280446ba53624ff23f314aadb861566832
SHA256 0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA512 6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

\Users\Public\Libraries\flehounE.pif

MD5 3776012e2ef5a5cae6935853e6ca79b2
SHA1 4fc81df94baaaa550473ac9d20763cfb786577ff
SHA256 8e104cc58e62de0eab837ac09b01d30e85f79045cc1803fa2ef4eafbdbd41e8d
SHA512 38811cb1431e8b7b07113ae54f1531f8992bd0e572d9daa1029cf8692396427285a4c089ffd56422ca0c6b393e9fca0856a5a5cd77062e7e71bf0a670843cfb8

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 16:32
Reported: 2024-06-17 16:34
Platform: win10v2004-20240508-en
Max time kernel: 144s
Max time network: 150s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\alpha.exe | N/A
N/A | N/A | C:\Users\Public\alpha.exe | N/A
N/A | N/A | C:\Users\Public\kn.exe | N/A
N/A | N/A | C:\Users\Public\alpha.exe | N/A
N/A | N/A | C:\Users\Public\kn.exe | N/A
N/A | N/A | C:\Users\Public\Libraries\Audio.pif | N/A
N/A | N/A | C:\Users\Public\alpha.exe | N/A
N/A | N/A | C:\Users\Public\alpha.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3156 wrote to memory of 3996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 3156 wrote to memory of 3996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 3156 wrote to memory of 2252 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 3156 wrote to memory of 2252 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2252 wrote to memory of 5084 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2252 wrote to memory of 5084 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 3156 wrote to memory of 4840 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 3156 wrote to memory of 4840 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4840 wrote to memory of 1920 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 4840 wrote to memory of 1920 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 3156 wrote to memory of 1512 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 3156 wrote to memory of 1512 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1512 wrote to memory of 1776 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 1512 wrote to memory of 1776 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 3156 wrote to memory of 4388 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Audio.pif
PID 3156 wrote to memory of 4388 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Audio.pif
PID 3156 wrote to memory of 4388 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Audio.pif
PID 3156 wrote to memory of 3172 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 3156 wrote to memory of 3172 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 3156 wrote to memory of 1108 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 3156 wrote to memory of 1108 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd"

C:\Windows\System32\extrac32.exe

C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\system32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd" "C:\\Users\\Public\\Audio.mp4" 9

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd" "C:\\Users\\Public\\Audio.mp4" 9

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12

C:\Users\Public\Libraries\Audio.pif

C:\Users\Public\Libraries\Audio.pif

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp

Files

C:\Users\Public\alpha.exe

MD5 8a2122e8162dbef04694b9c3e0b6cdee
SHA1 f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256 b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA512 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

C:\Users\Public\kn.exe

MD5 bd8d9943a9b1def98eb83e0fa48796c2
SHA1 70e89852f023ab7cde0173eda1208dbb580f1e4f
SHA256 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA512 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

C:\Users\Public\Audio.mp4

MD5 8d6a6f7f28472f54780ace4be5e35f7f
SHA1 93e285f23ef6cb95d3be6c5c4ce3eddcdd0e4201
SHA256 611fbe02cb707477addb2b98bbb193d77f981a4fc61be39b74543f3f43fc5cd1
SHA512 87497486cc166f3c6c43dd05b9bc08c7947c97be03ea2a8edf962c59f3027cdccc1b57d99a55a072e26d7b83e678f67cedad1f54beaa7d3a352556db4fa78744

C:\Users\Public\Libraries\Audio.pif

MD5 3351922e54c2698b80f65bbe11894bb8
SHA1 6121c53dcb4f81a202e393281c53e95de2155219
SHA256 6ad37e5e8fc00d1bb6538d409e3930882ac8bc1e3efdda551ead49edfdba2c42
SHA512 d9ac69966e0ad0ff05fe137a08d0ba211c11dfe5303d032ff3fc337a5302cdab1bbfb9f7153567d8b11acff38c0c433d92dd48925f3bb7824cc572562014bfdc

memory/4388-28-0x0000000000400000-0x000000000058B000-memory.dmp