modiloader | 153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309fe

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/11/2024, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
Size

912KB
MD5

0564ba769d20df8f127c1f491e6a5540
SHA1

f4c47f8fd8a402bdd5c05aff882b1dace1633186
SHA256

153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309fe
SHA512

e6b3a837db38293ed6a4cca20af53a2cb0387af61945e9fdcf78da3ba2a8ffa47172ddff1fcf262d23812dc72205bd32156c46215d46a88525986f1afa317fee
SSDEEP

24576:ETzSqlFYcq/ZgmvTZ06L5+JYmm2gackH:ELTCvvt0g4JYNazH

Score

10^/10

modiloader bootkit discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 14 IoCs

resource	yara_rule
behavioral1/memory/2064-2-0x0000000000400000-0x0000000000600000-memory.dmp	modiloader_stage2
behavioral1/memory/2064-50-0x0000000000400000-0x0000000000600000-memory.dmp	modiloader_stage2
behavioral1/memory/2264-54-0x0000000000400000-0x0000000000449000-memory.dmp	modiloader_stage2
behavioral1/memory/2264-53-0x0000000000400000-0x0000000000449000-memory.dmp	modiloader_stage2
behavioral1/memory/2264-56-0x0000000000400000-0x0000000000449000-memory.dmp	modiloader_stage2
behavioral1/memory/2264-55-0x0000000000400000-0x0000000000449000-memory.dmp	modiloader_stage2
behavioral1/memory/2264-59-0x0000000000400000-0x0000000000449000-memory.dmp	modiloader_stage2
behavioral1/memory/2264-61-0x0000000000400000-0x0000000000449000-memory.dmp	modiloader_stage2
behavioral1/memory/2264-81-0x0000000000400000-0x0000000000449000-memory.dmp	modiloader_stage2
behavioral1/memory/2264-120-0x0000000002660000-0x0000000002860000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-121-0x0000000001CD0000-0x0000000001ED0000-memory.dmp	modiloader_stage2
behavioral1/memory/1240-123-0x0000000002710000-0x0000000002910000-memory.dmp	modiloader_stage2
behavioral1/memory/2196-126-0x0000000000400000-0x0000000000600000-memory.dmp	modiloader_stage2
behavioral1/memory/2944-162-0x0000000000400000-0x0000000000449000-memory.dmp	modiloader_stage2

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Defenders = "C:\\Windows\\Adobe\\svchost.exe"	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Defenders = "C:\\Windows\\Adobe\\svchost.exe"	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{863S1OVR-RM0N-8O17-N856-T1Y13646PIUQ}	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{863S1OVR-RM0N-8O17-N856-T1Y13646PIUQ}\StubPath = "C:\\Windows\\Adobe\\svchost.exe s"	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe

Executes dropped EXE 2 IoCs

pid	Process
2196	svchost.exe
2944	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1240	svchost.exe
1240	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Defenders = "C:\\Windows\\Adobe\\svchost.exe"	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Defenders = "C:\\Windows\\Adobe\\svchost.exe"	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla Firefox = "C:\\Users\\Admin\\AppData\\Roaming\\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe"	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2064 set thread context of 2264	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	33
PID 2264 set thread context of 1972	2264	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	35
PID 1972 set thread context of 1900	1972	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	36
PID 1900 set thread context of 1240	1900	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	37
PID 2196 set thread context of 2944	2196	svchost.exe	39

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1900-96-0x0000000013400000-0x00000000134AC000-memory.dmp	upx
behavioral1/memory/1900-90-0x0000000013400000-0x00000000134AC000-memory.dmp	upx
behavioral1/memory/1900-88-0x0000000013400000-0x00000000134AC000-memory.dmp	upx
behavioral1/memory/1900-98-0x0000000013400000-0x00000000134AC000-memory.dmp	upx
behavioral1/memory/1900-97-0x0000000013400000-0x00000000134AC000-memory.dmp	upx
behavioral1/memory/1900-86-0x0000000013400000-0x00000000134AC000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Adobe\	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
File opened for modification	C:\Windows\Adobe\aspr_keys.ini	svchost.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File created	C:\Windows\Adobe\svchost.exe	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
File opened for modification	C:\Windows\Adobe\svchost.exe	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2140	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2264	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
2264	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2140	WINWORD.EXE
2140	WINWORD.EXE

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2140	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	31
PID 2064 wrote to memory of 2140	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	31
PID 2064 wrote to memory of 2140	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	31
PID 2064 wrote to memory of 2140	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	31
PID 2064 wrote to memory of 2264	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	33
PID 2064 wrote to memory of 2264	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	33
PID 2064 wrote to memory of 2264	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	33
PID 2064 wrote to memory of 2264	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	33
PID 2064 wrote to memory of 2264	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	33
PID 2064 wrote to memory of 2264	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	33
PID 2064 wrote to memory of 2264	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	33
PID 2064 wrote to memory of 2264	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	33
PID 2064 wrote to memory of 2264	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	33
PID 2064 wrote to memory of 2264	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	33
PID 2064 wrote to memory of 2264	2064	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	33
PID 2140 wrote to memory of 2112	2140	WINWORD.EXE	34
PID 2140 wrote to memory of 2112	2140	WINWORD.EXE	34
PID 2140 wrote to memory of 2112	2140	WINWORD.EXE	34
PID 2140 wrote to memory of 2112	2140	WINWORD.EXE	34
PID 2264 wrote to memory of 1972	2264	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	35
PID 2264 wrote to memory of 1972	2264	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	35
PID 2264 wrote to memory of 1972	2264	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	35
PID 2264 wrote to memory of 1972	2264	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	35
PID 2264 wrote to memory of 1972	2264	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	35
PID 2264 wrote to memory of 1972	2264	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	35
PID 2264 wrote to memory of 1972	2264	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	35
PID 2264 wrote to memory of 1972	2264	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	35
PID 2264 wrote to memory of 1972	2264	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	35
PID 2264 wrote to memory of 1972	2264	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	35
PID 2264 wrote to memory of 1972	2264	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	35
PID 1972 wrote to memory of 1900	1972	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	36
PID 1972 wrote to memory of 1900	1972	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	36
PID 1972 wrote to memory of 1900	1972	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	36
PID 1972 wrote to memory of 1900	1972	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	36
PID 1972 wrote to memory of 1900	1972	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	36
PID 1972 wrote to memory of 1900	1972	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	36
PID 1972 wrote to memory of 1900	1972	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	36
PID 1972 wrote to memory of 1900	1972	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	36
PID 1900 wrote to memory of 1240	1900	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	37
PID 1900 wrote to memory of 1240	1900	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	37
PID 1900 wrote to memory of 1240	1900	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	37
PID 1900 wrote to memory of 1240	1900	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	37
PID 1900 wrote to memory of 1240	1900	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	37
PID 1900 wrote to memory of 1240	1900	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	37
PID 1900 wrote to memory of 1240	1900	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	37
PID 1900 wrote to memory of 1240	1900	153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe	37
PID 1240 wrote to memory of 2196	1240	svchost.exe	38
PID 1240 wrote to memory of 2196	1240	svchost.exe	38
PID 1240 wrote to memory of 2196	1240	svchost.exe	38
PID 1240 wrote to memory of 2196	1240	svchost.exe	38
PID 2196 wrote to memory of 2944	2196	svchost.exe	39
PID 2196 wrote to memory of 2944	2196	svchost.exe	39
PID 2196 wrote to memory of 2944	2196	svchost.exe	39
PID 2196 wrote to memory of 2944	2196	svchost.exe	39
PID 2196 wrote to memory of 2944	2196	svchost.exe	39
PID 2196 wrote to memory of 2944	2196	svchost.exe	39
PID 2196 wrote to memory of 2944	2196	svchost.exe	39
PID 2196 wrote to memory of 2944	2196	svchost.exe	39
PID 2196 wrote to memory of 2944	2196	svchost.exe	39
PID 2196 wrote to memory of 2944	2196	svchost.exe	39
PID 2196 wrote to memory of 2944	2196	svchost.exe	39

C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
"C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE.docx"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2112
- C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
  "C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe"
  2⤵
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
    "C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
      C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1240
      - C:\Windows\Adobe\svchost.exe
        
        "C:\Windows\Adobe\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\Adobe\svchost.exe
        
        "C:\Windows\Adobe\svchost.exe"
        7⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DATOS

Filesize
89B

MD5
5db300542d67468d5362caaba3e887a4

SHA1
dd26088995617c09b7a48c91ea84737cbcb50889

SHA256
e7e8a0cd2133818cab542a9df627471c009d785666040b0ac1357e761d3a3bc2

SHA512
fcfd747cd7e1d6265f0da6848a96f6b958b9547d322f258e3598beed08ea8b9d6b11b20deb3eecaa88aa3bd1619b42b53f14aa917f9da130a1c7ae878f676c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KATOS

Filesize
694B

MD5
aafda12798a7703d2a1a61f592ffff6e

SHA1
efa16292a65d420e93176162c0408db6e33f7ec5

SHA256
162d48b7dd4e28f6dc80a0c05383b39a711fa802cc1a13e277052b0e56f0c90b

SHA512
72d8eca2b6db9b1a8dc4a3fde1b2b3b5db21dffa98adbcb4939df4e570f99ab742b8d0ff8908e34fbd116faf1f1e5d3b307bff3e6963fcde892eef37b39d798d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOS

Filesize
9B

MD5
34774b4c926da65296934442c9c9e32d

SHA1
f64b84f5ce198d50acb2f9d440d8fd773ae9a758

SHA256
c51c019e2c00633207e6b6a54a17916b1ba8eaa8fd8dc7fea8782186fd339768

SHA512
c29ec70db4e0fb26393ef171ff9757b8ab4b55c371b319d3c4938c3ee0ba7b564cab1708adb96b7296dc39c4da46a517c3cfabaa9c85608ea5e42d71fad09906

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAIMO

Filesize
596KB

MD5
8dd40693b14faf29c94793b24721e68e

SHA1
597f1379d4ace22ef5c91049215776623b9d1da0

SHA256
2612e472301d97777bdf9f86f017005001ab11499d5c9dc758d2cf92357309ae

SHA512
18b56800ec9cddc9b67f4a7ca3ab1489306c2e98bdc2943c2bcfeabe4a2baf3917d80716d72b8d285628a33e45b53f0360387c6fe166f8d911f92f2c2e1f771e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MOFTAH

Filesize
184B

MD5
99af0bb5007d16a365e2ae40cb70741c

SHA1
8c042874e61ffe0c9f3babba4ef53d75d5fe3ec7

SHA256
ea0019a171c0f43a055a629fbc525d674487b28db2ada272c4f2fda675a58a15

SHA512
52d1dcd5575a4df5a5ad1c2777719e116c5d06fe1425704283af4bb1e65f497a8570fc4536c5426411d8b85544ff447d04ee3ce1068a18cf57cb5ab56b252947

Download Submit
C:\Users\Admin\AppData\Local\Temp\MOFTAHTO

Filesize
156B

MD5
24108b3fbb26e3fa9e62b8cb348f5120

SHA1
fb1e93331cda0b7655d6613adf0a4d2d6ae0e452

SHA256
18a8a374f62dd36f13fc3450f3df919591f5b02f76ac61a54fff9129b2a6b847

SHA512
ad729618683b00d43e50275392f715305f8cf547747e30b669661e2e9a5bcf16c766519f0a4dd8344ae8840142f5fc786d12ec86e8764368a90d0cdd2088e570

Download Submit
C:\Users\Admin\AppData\Local\Temp\XtremeServerSource.dat

Filesize
204KB

MD5
e7c5eebf4b962720cbe57cda5504dd41

SHA1
16d3d39ec88e38a512ca8f6a48436363e40bcb8c

SHA256
30c5ace906db145b107a96a41bdd8c61ab0031b51a8399601b3a0736590d2382

SHA512
73517498dccd1ead189a0bd32dd76cd1974f5f73efd861fd9eef97f254038fadce9a0e6e7f14277d1f823a60c8d95100c3575b3edcf850b37d717f39644891c6

Download Submit
C:\Windows\Adobe\svchost.exe

Filesize
912KB

MD5
0564ba769d20df8f127c1f491e6a5540

SHA1
f4c47f8fd8a402bdd5c05aff882b1dace1633186

SHA256
153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309fe

SHA512
e6b3a837db38293ed6a4cca20af53a2cb0387af61945e9fdcf78da3ba2a8ffa47172ddff1fcf262d23812dc72205bd32156c46215d46a88525986f1afa317fee

Download Submit
memory/1240-118-0x0000000002710000-0x0000000002910000-memory.dmp

Filesize
2.0MB

Download
memory/1240-124-0x0000000002710000-0x0000000002910000-memory.dmp

Filesize
2.0MB

Download
memory/1240-123-0x0000000002710000-0x0000000002910000-memory.dmp

Filesize
2.0MB

Download
memory/1240-117-0x0000000002710000-0x0000000002910000-memory.dmp

Filesize
2.0MB

Download
memory/1240-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1900-90-0x0000000013400000-0x00000000134AC000-memory.dmp

Filesize
688KB

Download
memory/1900-96-0x0000000013400000-0x00000000134AC000-memory.dmp

Filesize
688KB

Download
memory/1900-88-0x0000000013400000-0x00000000134AC000-memory.dmp

Filesize
688KB

Download
memory/1900-98-0x0000000013400000-0x00000000134AC000-memory.dmp

Filesize
688KB

Download
memory/1900-85-0x0000000013400000-0x00000000134AC000-memory.dmp

Filesize
688KB

Download
memory/1900-86-0x0000000013400000-0x00000000134AC000-memory.dmp

Filesize
688KB

Download
memory/1900-97-0x0000000013400000-0x00000000134AC000-memory.dmp

Filesize
688KB

Download
memory/1900-91-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1972-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-76-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-83-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-62-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-121-0x0000000001CD0000-0x0000000001ED0000-memory.dmp

Filesize
2.0MB

Download
memory/1972-74-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-95-0x0000000001CD0000-0x0000000001ED0000-memory.dmp

Filesize
2.0MB

Download
memory/1972-94-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2064-1-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2064-41-0x0000000003820000-0x0000000003A20000-memory.dmp

Filesize
2.0MB

Download
memory/2064-2-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/2064-50-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/2064-3-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2064-0-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/2140-51-0x000000007186D000-0x0000000071878000-memory.dmp

Filesize
44KB

Download
memory/2140-14-0x000000002F5D1000-0x000000002F5D2000-memory.dmp

Filesize
4KB

Download
memory/2140-15-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2140-16-0x000000007186D000-0x0000000071878000-memory.dmp

Filesize
44KB

Download
memory/2196-126-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/2264-36-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-82-0x0000000002660000-0x0000000002860000-memory.dmp

Filesize
2.0MB

Download
memory/2264-81-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-61-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-59-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-55-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-56-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-53-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-54-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-28-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-30-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-34-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-38-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-40-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-42-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-120-0x0000000002660000-0x0000000002860000-memory.dmp

Filesize
2.0MB

Download
memory/2264-32-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-39-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-26-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2264-24-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2944-162-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download