modiloader | c21813578b8a81179a7a8c102ca1c7f61a0f025fec21b000fd28f1f531c66358

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/12/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1a77d48d276da51e97ce070b0d4c08c6f2900e8a2d4c15ce0adb4cff27c2669.bat
Size

2.8MB
MD5

0be98dc322d842f3f9952ca41c2fe012
SHA1

a0d32141b0c3bb39ce4f4e6a8d4fb0699341d4e3
SHA256

a1a77d48d276da51e97ce070b0d4c08c6f2900e8a2d4c15ce0adb4cff27c2669
SHA512

87b4c7bea4e405b9c7f272c4873f648c8ce7ca43543f66e2996b333a2695b90c689d5e31329198a3be8aeea519f39db99408274821bb7066fedb94606ad83b8f
SSDEEP

24576:FYfNclHFdqSgaRDQMErAfBEHuMEIZVx+RCNJXCP+G1dT+pnmSqocVHrO5I8CZ:FqNclHbqS710rAf+uME6AP7xCA

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral1/memory/2600-34-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-37-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-39-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-46-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-86-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-85-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-82-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-79-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-75-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-74-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-69-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-66-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-64-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-61-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-59-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-56-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-54-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-52-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-49-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-47-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-107-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-105-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-102-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-100-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-45-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-97-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-95-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-93-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-91-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-89-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-87-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-84-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-83-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-80-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-81-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-42-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-77-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-78-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-76-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-72-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-73-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-71-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-70-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-68-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-67-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-65-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-63-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-40-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-62-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-60-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-57-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-58-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-38-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-55-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-53-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-51-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-50-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-48-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-44-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-43-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-41-0x00000000032B0000-0x00000000042B0000-memory.dmp	modiloader_stage2

Executes dropped EXE 17 IoCs

pid	Process
2864	alpha.exe
2964	alpha.exe
2320	kn.exe
2840	alpha.exe
3060	kn.exe
2600	AnyDesk.PIF
2892	alpha.exe
2076	alpha.exe
2220	alpha.pif
1796	alpha.pif
636	alpha.pif
2512	xpha.pif
2276	per.exe
556	per.exe
3012	alpha.pif
1000	alpha.pif
2092	alpha.pif

Loads dropped DLL 9 IoCs

pid	Process
2148	cmd.exe
2148	cmd.exe
2964	alpha.exe
2148	cmd.exe
2840	alpha.exe
2148	cmd.exe
2148	cmd.exe
2392	cmd.exe
636	alpha.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Puyiaiob = "C:\\Users\\Public\\Puyiaiob.url"	AnyDesk.PIF

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
4	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SndVol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.PIF
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1096	esentutl.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2600	AnyDesk.PIF

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2600	AnyDesk.PIF

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	SndVol.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2716	SndVol.exe
2716	SndVol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2848	2148	cmd.exe	32
PID 2148 wrote to memory of 2848	2148	cmd.exe	32
PID 2148 wrote to memory of 2848	2148	cmd.exe	32
PID 2148 wrote to memory of 2864	2148	cmd.exe	33
PID 2148 wrote to memory of 2864	2148	cmd.exe	33
PID 2148 wrote to memory of 2864	2148	cmd.exe	33
PID 2864 wrote to memory of 2668	2864	alpha.exe	34
PID 2864 wrote to memory of 2668	2864	alpha.exe	34
PID 2864 wrote to memory of 2668	2864	alpha.exe	34
PID 2148 wrote to memory of 2964	2148	cmd.exe	35
PID 2148 wrote to memory of 2964	2148	cmd.exe	35
PID 2148 wrote to memory of 2964	2148	cmd.exe	35
PID 2964 wrote to memory of 2320	2964	alpha.exe	36
PID 2964 wrote to memory of 2320	2964	alpha.exe	36
PID 2964 wrote to memory of 2320	2964	alpha.exe	36
PID 2148 wrote to memory of 2840	2148	cmd.exe	37
PID 2148 wrote to memory of 2840	2148	cmd.exe	37
PID 2148 wrote to memory of 2840	2148	cmd.exe	37
PID 2840 wrote to memory of 3060	2840	alpha.exe	38
PID 2840 wrote to memory of 3060	2840	alpha.exe	38
PID 2840 wrote to memory of 3060	2840	alpha.exe	38
PID 2148 wrote to memory of 2600	2148	cmd.exe	39
PID 2148 wrote to memory of 2600	2148	cmd.exe	39
PID 2148 wrote to memory of 2600	2148	cmd.exe	39
PID 2148 wrote to memory of 2600	2148	cmd.exe	39
PID 2148 wrote to memory of 2892	2148	cmd.exe	40
PID 2148 wrote to memory of 2892	2148	cmd.exe	40
PID 2148 wrote to memory of 2892	2148	cmd.exe	40
PID 2148 wrote to memory of 2076	2148	cmd.exe	41
PID 2148 wrote to memory of 2076	2148	cmd.exe	41
PID 2148 wrote to memory of 2076	2148	cmd.exe	41
PID 2600 wrote to memory of 2392	2600	AnyDesk.PIF	42
PID 2600 wrote to memory of 2392	2600	AnyDesk.PIF	42
PID 2600 wrote to memory of 2392	2600	AnyDesk.PIF	42
PID 2600 wrote to memory of 2392	2600	AnyDesk.PIF	42
PID 2392 wrote to memory of 1048	2392	cmd.exe	44
PID 2392 wrote to memory of 1048	2392	cmd.exe	44
PID 2392 wrote to memory of 1048	2392	cmd.exe	44
PID 2392 wrote to memory of 1048	2392	cmd.exe	44
PID 2392 wrote to memory of 1096	2392	cmd.exe	45
PID 2392 wrote to memory of 1096	2392	cmd.exe	45
PID 2392 wrote to memory of 1096	2392	cmd.exe	45
PID 2392 wrote to memory of 1096	2392	cmd.exe	45
PID 2392 wrote to memory of 2220	2392	cmd.exe	46
PID 2392 wrote to memory of 2220	2392	cmd.exe	46
PID 2392 wrote to memory of 2220	2392	cmd.exe	46
PID 2392 wrote to memory of 2220	2392	cmd.exe	46
PID 2392 wrote to memory of 1796	2392	cmd.exe	47
PID 2392 wrote to memory of 1796	2392	cmd.exe	47
PID 2392 wrote to memory of 1796	2392	cmd.exe	47
PID 2392 wrote to memory of 1796	2392	cmd.exe	47
PID 2392 wrote to memory of 636	2392	cmd.exe	48
PID 2392 wrote to memory of 636	2392	cmd.exe	48
PID 2392 wrote to memory of 636	2392	cmd.exe	48
PID 2392 wrote to memory of 636	2392	cmd.exe	48
PID 636 wrote to memory of 2512	636	alpha.pif	49
PID 636 wrote to memory of 2512	636	alpha.pif	49
PID 636 wrote to memory of 2512	636	alpha.pif	49
PID 636 wrote to memory of 2512	636	alpha.pif	49
PID 2392 wrote to memory of 3012	2392	cmd.exe	52
PID 2392 wrote to memory of 3012	2392	cmd.exe	52
PID 2392 wrote to memory of 3012	2392	cmd.exe	52
PID 2392 wrote to memory of 3012	2392	cmd.exe	52
PID 2392 wrote to memory of 1000	2392	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a1a77d48d276da51e97ce070b0d4c08c6f2900e8a2d4c15ce0adb4cff27c2669.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:2848
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:2668
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\a1a77d48d276da51e97ce070b0d4c08c6f2900e8a2d4c15ce0adb4cff27c2669.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\a1a77d48d276da51e97ce070b0d4c08c6f2900e8a2d4c15ce0adb4cff27c2669.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9
    3⤵
    - Executes dropped EXE
    PID:2320
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
    3⤵
    - Executes dropped EXE
    PID:3060
- C:\Users\Public\Libraries\AnyDesk.PIF
  C:\Users\Public\Libraries\AnyDesk.PIF
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Public\Libraries\boiaiyuP.cmd" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\esentutl.exe
      C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\esentutl.exe
      C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1096
  - - C:\Users\Public\alpha.pif
      C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2220
  - - C:\Users\Public\alpha.pif
      C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1796
  - - C:\Users\Public\alpha.pif
      C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Users\Public\xpha.pif
        
        C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
  - - C:\Windows \SysWOW64\per.exe
      "C:\\Windows \\SysWOW64\\per.exe
      4⤵
      Executes dropped EXE
      PID:2276
  - - C:\Windows \SysWOW64\per.exe
      "C:\Windows \SysWOW64\per.exe"
      4⤵
      Executes dropped EXE
      PID:556
  - - C:\Users\Public\alpha.pif
      C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3012
  - - C:\Users\Public\alpha.pif
      C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1000
  - - C:\Users\Public\alpha.pif
      C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2092
- - C:\Windows\SysWOW64\esentutl.exe
    C:\\Windows\\System32\\esentutl.exe /y C:\Users\Public\Libraries\AnyDesk.PIF /d C:\\Users\\Public\\Libraries\\Puyiaiob.PIF /o
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\SndVol.exe
    C:\Windows\System32\SndVol.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2716
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ANYDESKS\logs.dat

Filesize
222B

MD5
9755153de07c5063dcdc2a1880de3d93

SHA1
ae57f75b00347109b94948668fbff2b710cbadc4

SHA256
a8a024b50b6fa1f0927c4735cd7e7ac75e43c03b449a926f39914f6d2428164c

SHA512
a8f99132ce2984660b33f09e437e26a319bfaac703de7a5f54c4d41591052d40fa3f51f3307e6a7fca657f8befbe7a5e68c1bf7ba9d450c126efe08ee9099acc

Download Submit
C:\Users\Public\AnyDesk.jpeg

Filesize
2.0MB

MD5
327ee6dcf81e0c79b5f0d98fa9827d97

SHA1
6855c1d0a5a78b282791317325b63d1ab386180d

SHA256
976d7babcde75ecb4d9b07f3fb406ab28b61c82b4b5ed3d0b73418ac76f56464

SHA512
3896603182283921a240c50ed60d9fae0aecade0536d6d0562759ab5653536576401569a270ae8f8a91f22c01f0e972d3ebba3b09ea44b8b41175a9217f18b77

Download Submit
C:\Users\Public\Libraries\AnyDesk.PIF

Filesize
1.0MB

MD5
35811e8d8969bef5354c7c3e6dbefb27

SHA1
e4696f8af5a54511e89b0153a443c891ffd56511

SHA256
93674e207f913c1e8fa39a6e75807c6865c73feee39e38e7a9747003c8bd22b1

SHA512
61d0e4be16d68775c5b73b52e976fb64d10a6a16a5ddf94312c26947268b378fd04f19242a5d9d281e4f30fcec9def9e60c15819b9428c0660ecc99c067910f0

Download Submit
C:\Users\Public\Libraries\boiaiyuP.cmd

Filesize
60KB

MD5
b87f096cbc25570329e2bb59fee57580

SHA1
d281d1bf37b4fb46f90973afc65eece3908532b2

SHA256
d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e

SHA512
72901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7

Download Submit
C:\Users\Public\alpha.pif

Filesize
295KB

MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
C:\Users\Public\kn.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
C:\Users\Public\xpha.pif

Filesize
15KB

MD5
6242e3d67787ccbf4e06ad2982853144

SHA1
6ac7947207d999a65890ab25fe344955da35028e

SHA256
4ca10dba7ff487fdb3f1362a3681d7d929f5aa1262cdfd31b04c30826983fb1d

SHA512
7d0d457e1537d624119a8023bcc086575696a5739c0460ef11554afac13af5e5d1edc7629a10e62834aba9f1b3ab1442011b15b4c3930399d91dca34b3b1cbaf

Download Submit
C:\Windows \SysWOW64\per.exe

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
memory/2600-93-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-84-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-46-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-86-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-85-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-82-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-79-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-75-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-74-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-69-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-110-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2600-66-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-64-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-61-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-59-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-56-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-54-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-52-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-49-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-47-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-107-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-105-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-102-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-100-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-45-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-97-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-95-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-37-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-91-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-89-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-87-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-39-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-83-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-80-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-81-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-42-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-77-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-78-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-76-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-72-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-73-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-71-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-70-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-68-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-67-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-65-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-63-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-40-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-62-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-60-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-57-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-58-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-38-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-55-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-53-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-51-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-50-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-48-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-34-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-33-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-44-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-43-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/2600-41-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download