modiloader | 2b9ab52795f34af8e45a80c88ebd53c725bcccdab49aee05a8b848566e8c3b28

Analysis

max time kernel
138s
max time network
141s
platform
windows7_x64
resource
win7v20201028
submitted
24-02-2021 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e51b30bf9b0c6ac4653a5e0e3d47e53e.exe
Size

1.3MB
MD5

e51b30bf9b0c6ac4653a5e0e3d47e53e
SHA1

284bc580ff365a2c8ae9602e96d8e1a7cbff30b7
SHA256

2b9ab52795f34af8e45a80c88ebd53c725bcccdab49aee05a8b848566e8c3b28
SHA512

47617da1880ef2753d621b0639f1a868f88a945db5176fc2422165f181ec7613e175038c4d74067cd1447f44e3b26263e720a8f3bd302c957c2807cd77e43bce

Score

10^/10

modiloader bootkit persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/940-23-0x00000000000D0000-0x000000000012A000-memory.dmp	modiloader_stage1
behavioral1/memory/940-25-0x00000000000D0000-0x000000000012A000-memory.dmp	modiloader_stage1

Executes dropped EXE 3 IoCs

Processes:

Non.comNon.comNon.com

pid process

1576 Non.com
1440 Non.com
940 Non.com
Drops startup file 1 IoCs

Processes:

Non.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QEGjMUAwgB.url Non.com
Loads dropped DLL 3 IoCs

Processes:

cmd.exeNon.comNon.com

pid process

1780 cmd.exe
1576 Non.com
1440 Non.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Non.com

description ioc process

File opened for modification \??\PhysicalDrive0 Non.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Non.com

description pid process target process

PID 1440 set thread context of 940 1440 Non.com Non.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1544 PING.EXE

pid	process
1576	Non.com
1440	Non.com
940	Non.com

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QEGjMUAwgB.url	Non.com

pid	process
1780	cmd.exe
1576	Non.com
1440	Non.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Non.com

description	pid	process	target process
PID 1440 set thread context of 940	1440	Non.com	Non.com

pid	process
1544	PING.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

e51b30bf9b0c6ac4653a5e0e3d47e53e.execmd.execmd.exeNon.comNon.com

description	pid	process	target process
PID 1096 wrote to memory of 2032	1096	e51b30bf9b0c6ac4653a5e0e3d47e53e.exe	cmd.exe
PID 1096 wrote to memory of 2032	1096	e51b30bf9b0c6ac4653a5e0e3d47e53e.exe	cmd.exe
PID 1096 wrote to memory of 2032	1096	e51b30bf9b0c6ac4653a5e0e3d47e53e.exe	cmd.exe
PID 1096 wrote to memory of 2032	1096	e51b30bf9b0c6ac4653a5e0e3d47e53e.exe	cmd.exe
PID 1096 wrote to memory of 1928	1096	e51b30bf9b0c6ac4653a5e0e3d47e53e.exe	cmd.exe
PID 1096 wrote to memory of 1928	1096	e51b30bf9b0c6ac4653a5e0e3d47e53e.exe	cmd.exe
PID 1096 wrote to memory of 1928	1096	e51b30bf9b0c6ac4653a5e0e3d47e53e.exe	cmd.exe
PID 1096 wrote to memory of 1928	1096	e51b30bf9b0c6ac4653a5e0e3d47e53e.exe	cmd.exe
PID 1928 wrote to memory of 1780	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 1780	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 1780	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 1780	1928	cmd.exe	cmd.exe
PID 1780 wrote to memory of 1472	1780	cmd.exe	findstr.exe
PID 1780 wrote to memory of 1472	1780	cmd.exe	findstr.exe
PID 1780 wrote to memory of 1472	1780	cmd.exe	findstr.exe
PID 1780 wrote to memory of 1472	1780	cmd.exe	findstr.exe
PID 1780 wrote to memory of 1576	1780	cmd.exe	Non.com
PID 1780 wrote to memory of 1576	1780	cmd.exe	Non.com
PID 1780 wrote to memory of 1576	1780	cmd.exe	Non.com
PID 1780 wrote to memory of 1576	1780	cmd.exe	Non.com
PID 1780 wrote to memory of 1544	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 1544	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 1544	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 1544	1780	cmd.exe	PING.EXE
PID 1576 wrote to memory of 1440	1576	Non.com	Non.com
PID 1576 wrote to memory of 1440	1576	Non.com	Non.com
PID 1576 wrote to memory of 1440	1576	Non.com	Non.com
PID 1576 wrote to memory of 1440	1576	Non.com	Non.com
PID 1440 wrote to memory of 940	1440	Non.com	Non.com
PID 1440 wrote to memory of 940	1440	Non.com	Non.com
PID 1440 wrote to memory of 940	1440	Non.com	Non.com
PID 1440 wrote to memory of 940	1440	Non.com	Non.com
PID 1440 wrote to memory of 940	1440	Non.com	Non.com
PID 1440 wrote to memory of 940	1440	Non.com	Non.com

C:\Users\Admin\AppData\Local\Temp\e51b30bf9b0c6ac4653a5e0e3d47e53e.exe
"C:\Users\Admin\AppData\Local\Temp\e51b30bf9b0c6ac4653a5e0e3d47e53e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo qyyLS
2⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Sgomento.tif
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^QqBsvmtgayDPlBGoifNnIYcxnIYtBGVoHYzXYQxIMnLKaVHFkmOzaNxRFiTNBqNLlxijiJpdUyMlhKwDqzSe$" Pei.vss
4⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
Non.com Alito.pdf
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com Alito.pdf
5⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
6⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:940

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Alito.pdf
MD5
25c3460865886a2894a5dfd3307ae0ac

SHA1
18768d293fea70582967982e1cd9fb49460fae57

SHA256
0476c8b596f00aacb06f65078c815c498e4ce04dc098d06a3fd19e04089fe6fc

SHA512
6e70933663b115185ae3b70210388a74b86ac92d5da6295af9fb9c1cfde7154b9a5d6437597f5811f353bb4813c1e7a3c0262a6bccac1270caa2566529b24862

Download Submit
C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Pei.vss
MD5
0aad7d67f65e584ffae5213339cfd595

SHA1
566e38274ca65b8d0f44f3d413e25d94c2ec113e

SHA256
c5a8d3e633e55f2c64589c7c7f738959c41ed97000dcfaf145b11d1a6e460abb

SHA512
44f548ddb0b5f931e1e2d5dbe598ca70f8922ec2a47250cbbe07246bbf64968c93795660f39e908cfb1f4ce7ce8a1abc71e45a8f22340abc2d1a1702401dfeab

Download Submit
C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Perisce.vsdm
MD5
9dab793d81f752ed646e201042925518

SHA1
a699f67b61214f6e137fda99109c67047f0c9235

SHA256
51c10c0a6d5d6a7a4279ba3718a0e6e70e3d8549446e71c9bdad242513dda3f1

SHA512
ffd4c09e7175602b65411aa1b6696cb39f41e18ebcb2a6b4b5a967ed4cc321b86bed59942b7d1f35bf1ee3febf90a2cb34f9d4f495beee93fbb60e5c7c1106c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Sgomento.tif
MD5
1bed7a45b2588ecc6b0eb7d228e57a5f

SHA1
2e10dd2734c6edff8b1a28774c8ec53ee73452df

SHA256
a3df866e5e115e3c79235533712b1c87c7416915ff2248d5d1cc4fcc68d24874

SHA512
e17771098eaf67e2575bd26516fab3dbb71d4d5de69975839755f0de047a7a7c920960ee2c8893796ed6e9bea8988d1ae96aafeb7629673a726cc145f5074626

Download Submit
\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/940-23-0x00000000000D0000-0x000000000012A000-memory.dmp

Filesize
360KB

Download
memory/940-25-0x00000000000D0000-0x000000000012A000-memory.dmp

Filesize
360KB

Download
memory/1096-2-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1440-22-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/1440-17-0x0000000000000000-mapping.dmp

Download
memory/1472-7-0x0000000000000000-mapping.dmp

Download
memory/1544-13-0x0000000000000000-mapping.dmp

Download
memory/1576-10-0x0000000000000000-mapping.dmp

Download
memory/1780-6-0x0000000000000000-mapping.dmp

Download
memory/1928-4-0x0000000000000000-mapping.dmp

Download
memory/2032-3-0x0000000000000000-mapping.dmp

Download