modiloader | 5d0b09993c8b1d6de2ab162c32f2c36fb250b5a8051fbde5d5bcf9e8142ef75d

General

Target

2beadfcc5cc2f725fbaa08d7421d94a4.exe
Size

1.3MB
MD5

2beadfcc5cc2f725fbaa08d7421d94a4
SHA1

86e79742e9a3b43682022331096dc7fce3ba8de6
SHA256

5d0b09993c8b1d6de2ab162c32f2c36fb250b5a8051fbde5d5bcf9e8142ef75d
SHA512

f007d49f1a274afaa87b601732f784eb62d438a367b17c24e959990aac61cf270e7d2b8bfd677a6cf00e603a12455e759e44d4ca9c635a9db8a446af2790a8f7

Score

10^/10

modiloader bootkit persistence spyware stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3600-17-0x0000000000650000-0x00000000006AA000-memory.dmp	modiloader_stage1
behavioral2/memory/3600-19-0x0000000000650000-0x00000000006AA000-memory.dmp	modiloader_stage1

Executes dropped EXE 3 IoCs

Processes:

Com.comCom.comCom.com

pid process

992 Com.com
2288 Com.com
3600 Com.com
Drops startup file 1 IoCs

Processes:

Com.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mbdCvEVAbP.url Com.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Com.com

description ioc process

File opened for modification \??\PhysicalDrive0 Com.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Com.com

description pid process target process

PID 2288 set thread context of 3600 2288 Com.com Com.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2136 PING.EXE

pid	process
992	Com.com
2288	Com.com
3600	Com.com

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mbdCvEVAbP.url	Com.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Com.com

description	pid	process	target process
PID 2288 set thread context of 3600	2288	Com.com	Com.com

pid	process
2136	PING.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

2beadfcc5cc2f725fbaa08d7421d94a4.execmd.execmd.exeCom.comCom.com

description	pid	process	target process
PID 8 wrote to memory of 3824	8	2beadfcc5cc2f725fbaa08d7421d94a4.exe	cmd.exe
PID 8 wrote to memory of 3824	8	2beadfcc5cc2f725fbaa08d7421d94a4.exe	cmd.exe
PID 8 wrote to memory of 3824	8	2beadfcc5cc2f725fbaa08d7421d94a4.exe	cmd.exe
PID 8 wrote to memory of 932	8	2beadfcc5cc2f725fbaa08d7421d94a4.exe	cmd.exe
PID 8 wrote to memory of 932	8	2beadfcc5cc2f725fbaa08d7421d94a4.exe	cmd.exe
PID 8 wrote to memory of 932	8	2beadfcc5cc2f725fbaa08d7421d94a4.exe	cmd.exe
PID 932 wrote to memory of 1380	932	cmd.exe	cmd.exe
PID 932 wrote to memory of 1380	932	cmd.exe	cmd.exe
PID 932 wrote to memory of 1380	932	cmd.exe	cmd.exe
PID 1380 wrote to memory of 3624	1380	cmd.exe	findstr.exe
PID 1380 wrote to memory of 3624	1380	cmd.exe	findstr.exe
PID 1380 wrote to memory of 3624	1380	cmd.exe	findstr.exe
PID 1380 wrote to memory of 992	1380	cmd.exe	Com.com
PID 1380 wrote to memory of 992	1380	cmd.exe	Com.com
PID 1380 wrote to memory of 992	1380	cmd.exe	Com.com
PID 1380 wrote to memory of 2136	1380	cmd.exe	PING.EXE
PID 1380 wrote to memory of 2136	1380	cmd.exe	PING.EXE
PID 1380 wrote to memory of 2136	1380	cmd.exe	PING.EXE
PID 992 wrote to memory of 2288	992	Com.com	Com.com
PID 992 wrote to memory of 2288	992	Com.com	Com.com
PID 992 wrote to memory of 2288	992	Com.com	Com.com
PID 2288 wrote to memory of 3600	2288	Com.com	Com.com
PID 2288 wrote to memory of 3600	2288	Com.com	Com.com
PID 2288 wrote to memory of 3600	2288	Com.com	Com.com
PID 2288 wrote to memory of 3600	2288	Com.com	Com.com
PID 2288 wrote to memory of 3600	2288	Com.com	Com.com

C:\Users\Admin\AppData\Local\Temp\2beadfcc5cc2f725fbaa08d7421d94a4.exe
"C:\Users\Admin\AppData\Local\Temp\2beadfcc5cc2f725fbaa08d7421d94a4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo qmAzSiYcZ
2⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Appare.xlsx
2⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^NNBysubwvrLxaUtgPyscanjHImKOLfrklLrHmxtYnJkPBlLmAtZSCBEfATvRcJfuZmlHQbPxqaXJhbunOkhHdkJIuOiFXhCPxtPwZrIrgERpEVwrNYelcIQOQCBeflvNQifoHtmLCpzLzArlMr$" Battito.vob
4⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com
Com.com Scolpita.xlm
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com
C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com Scolpita.xlm
5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com
C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com
6⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3600

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Appare.xlsx
MD5
a13afe991cfa864cfa395d285d6d60ea

SHA1
47af6e056ceab5a46429a5d2353b0cc0e9a3abd4

SHA256
b6a281e01d592211564c9c2990508b8c5f85b354f8b3f5cc33843e56b4b11f7f

SHA512
ba93b9d86126ebebbea7e09cc9db686ad7f82581088e6ffae5f77a2914e2fba06a15fcdfb6f7f34d74d329dd6b9a20fc9557f04f528cd5895ae75c643e061c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Battito.vob
MD5
0004b273a3cf1b1e75c61418cf9313a1

SHA1
84e37fbf2cf58540e9b2e693532ee1458e0dd5e2

SHA256
f74e8a7529eefb2a080b2ccfaf88b6b611ccd50690735b705554288653184d9d

SHA512
6301cb796dad87876a575bf68821ad32901f93bfa352f42bdc63ecc9f06425bd95da38b1edb92b996bbb45baa8d40c4e5bf5fec3bebb5dabb3f35e8f38acd1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Scolpita.xlm
MD5
6f2323120ea70a9789b6b2fe9aafd13d

SHA1
a5f3337fa57b85550214dc3c48b0677c3cc89f17

SHA256
1d1dd3cc8df171852c2cdceb0225b96993a6fecc37e123f64776190d5f4b7950

SHA512
469ad5b7cad03d45cb0526c8afebf56a978d6d25e97d4525b73dc66a6831215d30b24de7fb22274e24714fba8b02c9b68d17aa415af4a6a9446e8c14d0a62a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Solitario.rtf
MD5
53187ea0178ac7111713ec0574f44d62

SHA1
1e8c1b2c250b311d778c5e41a31f1bc5e1a3af11

SHA256
36283b3a0dd86d56793fb77c9e3cd802d9bb7e222c35aabd92ffa3dd2017dd94

SHA512
0dc81e5d18526b67c3215d68d60cec17ae3310886f5c7470c0cb00c2170f1a0c751debee3e090c1159b2a004f26363659ccc3acefe916399b690c4c490b7f834

Download Submit
memory/932-3-0x0000000000000000-mapping.dmp

Download
memory/992-8-0x0000000000000000-mapping.dmp

Download
memory/1380-5-0x0000000000000000-mapping.dmp

Download
memory/2136-10-0x0000000000000000-mapping.dmp

Download
memory/2288-12-0x0000000000000000-mapping.dmp

Download
memory/2288-16-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/3600-17-0x0000000000650000-0x00000000006AA000-memory.dmp

Filesize
360KB

Download
memory/3600-19-0x0000000000650000-0x00000000006AA000-memory.dmp

Filesize
360KB

Download
memory/3624-6-0x0000000000000000-mapping.dmp

Download
memory/3824-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing