modiloader | a1b2f18b48cbae1df244f074c9a7f1ccfd369aeb981c6a4964b36d5d9e0c487c

Analysis

max time kernel
143s
max time network
143s
platform
windows7_x64
resource
win7v20201028
submitted
19-03-2021 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aed29e23f01dab295f973ee35bf42248.exe
Size

6.2MB
MD5

aed29e23f01dab295f973ee35bf42248
SHA1

94a3eccc392cb47d7bc6dd3bf8fd0bf103018e0f
SHA256

a1b2f18b48cbae1df244f074c9a7f1ccfd369aeb981c6a4964b36d5d9e0c487c
SHA512

1b0ed0797b2e58db3ef5a6318ec7252529b935167cdfd13dc25f59bdc69143d953a1a1e0c4cfd97b89bf2a6b7dd9f2636cfe58835323af545235c192f11f147c

Score

10^/10

modiloader bootkit persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1696-28-0x0000000000400000-0x0000000000459000-memory.dmp	modiloader_stage1
behavioral1/memory/1696-29-0x0000000000443144-mapping.dmp	modiloader_stage1
behavioral1/memory/1696-30-0x0000000000400000-0x0000000000459000-memory.dmp	modiloader_stage1

Executes dropped EXE 2 IoCs

Processes:

xazrwdho.comxazrwdho.com

pid process

812 xazrwdho.com
1764 xazrwdho.com
Loads dropped DLL 1 IoCs

Processes:

xazrwdho.com

pid process

812 xazrwdho.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

notepad.exe

description ioc process

File opened for modification \??\PhysicalDrive0 notepad.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

xazrwdho.com

description pid process target process

PID 1764 set thread context of 1696 1764 xazrwdho.com notepad.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1460 PING.EXE
1164 PING.EXE
748 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

xazrwdho.com

pid process

812 xazrwdho.com
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

xazrwdho.comxazrwdho.com

pid process

812 xazrwdho.com
812 xazrwdho.com
1764 xazrwdho.com
1764 xazrwdho.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	notepad.exe

description	pid	process	target process
PID 1764 set thread context of 1696	1764	xazrwdho.com	notepad.exe

pid	process
1460	PING.EXE
1164	PING.EXE
748	PING.EXE

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

xazrwdho.comxazrwdho.com

pid	process
812	xazrwdho.com
812	xazrwdho.com
1764	xazrwdho.com
1764	xazrwdho.com
812	xazrwdho.com
1764	xazrwdho.com
812	xazrwdho.com
812	xazrwdho.com
1764	xazrwdho.com
1764	xazrwdho.com
1764	xazrwdho.com
1764	xazrwdho.com
1764	xazrwdho.com
1764	xazrwdho.com
1764	xazrwdho.com

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

xazrwdho.comxazrwdho.com

pid	process
812	xazrwdho.com
812	xazrwdho.com
1764	xazrwdho.com
1764	xazrwdho.com
812	xazrwdho.com
1764	xazrwdho.com
812	xazrwdho.com
812	xazrwdho.com
1764	xazrwdho.com
1764	xazrwdho.com
1764	xazrwdho.com
1764	xazrwdho.com
1764	xazrwdho.com
1764	xazrwdho.com
1764	xazrwdho.com

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

aed29e23f01dab295f973ee35bf42248.execmd.execmd.exexazrwdho.comxazrwdho.com

description	pid	process	target process
PID 1616 wrote to memory of 1040	1616	aed29e23f01dab295f973ee35bf42248.exe	cmd.exe
PID 1616 wrote to memory of 1040	1616	aed29e23f01dab295f973ee35bf42248.exe	cmd.exe
PID 1616 wrote to memory of 1040	1616	aed29e23f01dab295f973ee35bf42248.exe	cmd.exe
PID 1616 wrote to memory of 268	1616	aed29e23f01dab295f973ee35bf42248.exe	cmd.exe
PID 1616 wrote to memory of 268	1616	aed29e23f01dab295f973ee35bf42248.exe	cmd.exe
PID 1616 wrote to memory of 268	1616	aed29e23f01dab295f973ee35bf42248.exe	cmd.exe
PID 268 wrote to memory of 740	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 740	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 740	268	cmd.exe	cmd.exe
PID 740 wrote to memory of 1460	740	cmd.exe	PING.EXE
PID 740 wrote to memory of 1460	740	cmd.exe	PING.EXE
PID 740 wrote to memory of 1460	740	cmd.exe	PING.EXE
PID 740 wrote to memory of 1632	740	cmd.exe	certutil.exe
PID 740 wrote to memory of 1632	740	cmd.exe	certutil.exe
PID 740 wrote to memory of 1632	740	cmd.exe	certutil.exe
PID 740 wrote to memory of 1628	740	cmd.exe	certutil.exe
PID 740 wrote to memory of 1628	740	cmd.exe	certutil.exe
PID 740 wrote to memory of 1628	740	cmd.exe	certutil.exe
PID 740 wrote to memory of 812	740	cmd.exe	xazrwdho.com
PID 740 wrote to memory of 812	740	cmd.exe	xazrwdho.com
PID 740 wrote to memory of 812	740	cmd.exe	xazrwdho.com
PID 740 wrote to memory of 812	740	cmd.exe	xazrwdho.com
PID 740 wrote to memory of 1164	740	cmd.exe	PING.EXE
PID 740 wrote to memory of 1164	740	cmd.exe	PING.EXE
PID 740 wrote to memory of 1164	740	cmd.exe	PING.EXE
PID 812 wrote to memory of 1764	812	xazrwdho.com	xazrwdho.com
PID 812 wrote to memory of 1764	812	xazrwdho.com	xazrwdho.com
PID 812 wrote to memory of 1764	812	xazrwdho.com	xazrwdho.com
PID 812 wrote to memory of 1764	812	xazrwdho.com	xazrwdho.com
PID 740 wrote to memory of 748	740	cmd.exe	PING.EXE
PID 740 wrote to memory of 748	740	cmd.exe	PING.EXE
PID 740 wrote to memory of 748	740	cmd.exe	PING.EXE
PID 1764 wrote to memory of 1696	1764	xazrwdho.com	notepad.exe
PID 1764 wrote to memory of 1696	1764	xazrwdho.com	notepad.exe
PID 1764 wrote to memory of 1696	1764	xazrwdho.com	notepad.exe
PID 1764 wrote to memory of 1696	1764	xazrwdho.com	notepad.exe
PID 1764 wrote to memory of 1696	1764	xazrwdho.com	notepad.exe
PID 1764 wrote to memory of 1696	1764	xazrwdho.com	notepad.exe
PID 1764 wrote to memory of 1696	1764	xazrwdho.com	notepad.exe
PID 1764 wrote to memory of 1696	1764	xazrwdho.com	notepad.exe
PID 1764 wrote to memory of 1696	1764	xazrwdho.com	notepad.exe
PID 1764 wrote to memory of 1696	1764	xazrwdho.com	notepad.exe
PID 1764 wrote to memory of 1696	1764	xazrwdho.com	notepad.exe
PID 1764 wrote to memory of 1696	1764	xazrwdho.com	notepad.exe

C:\Users\Admin\AppData\Local\Temp\aed29e23f01dab295f973ee35bf42248.exe
"C:\Users\Admin\AppData\Local\Temp\aed29e23f01dab295f973ee35bf42248.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo fgufbszehq
2⤵
PID:1040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < takoreojxji.com
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\system32\PING.EXE
ping -n 1 yncqgsr
4⤵
- Runs ping.exe
PID:1460

C:\Windows\system32\certutil.exe
certutil -decode vniftolgessu.com xazrwdho.com
4⤵
PID:1632

C:\Windows\system32\certutil.exe
certutil -decode tcbgfqqmunf.com slouyuhlbs.com
4⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xazrwdho.com
xazrwdho.com slouyuhlbs.com
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xazrwdho.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xazrwdho.com "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\slouyuhlbs.com"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
- Writes to the Master Boot Record (MBR)
PID:1696

C:\Windows\system32\PING.EXE
ping -n 1 yncqgsr
4⤵
- Runs ping.exe
PID:1164

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 6
4⤵
- Runs ping.exe
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cclqywjwf.com
MD5
7d2666fd3bc4a08a1f55ad1b96132763

SHA1
6c33614421f5d644360f5f905fb0f6888ce06bb6

SHA256
f0df14a9bda92028c121c9bb9669bdf5b7ea7dc2c9198345f9cdec1f38eee32f

SHA512
0a392f209a4368a6f78bd93c213a0bd38905d85253c6507de36b5900a32011a29e1b53aecba7208fdc856709875886181bca628980168a3e2032b06a3ed698d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\slouyuhlbs.com
MD5
941406f9458efe5d7f08e4e28427e769

SHA1
c244c7d517d67670df83a76398286d8e013c6b83

SHA256
926bd5958f80fc200a252e8bfe145afeacc579fcecb0aea638e3707a82a9fef7

SHA512
362aa296657a8f66f39d5a82ebfa488474b9081293e68dbc2dd9b97d4c9c60d04f1b2ae1db0095276624a35e744377a3ed127ba1bf6372a085abf46433111ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\takoreojxji.com
MD5
ea817e6d19b525629e9f95923a2b1ae2

SHA1
9c2986bb5a481715e88fd6e1b72094048a8f0590

SHA256
9e1c574c7e11ac37208c4fe8de18234e4b0c13ac5709451d1cdca77d7d904208

SHA512
6dc2d23fb8e9e252d24777a965456556c72a5729dcd726d763abe029ea0641327a97c4c202184b31cff833899858601da8aa002e4ce3e5f9530c6735df9f7429

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tcbgfqqmunf.com
MD5
b8a36812837f42ef41768324e8492a13

SHA1
b0bccfb85cf0b4c2a6dafeb25e927315ceea4520

SHA256
f8ecf736cdae332313442ee7b3581067537ac53498dbf7f610bc6408c6eff00e

SHA512
2f58297f38686ac344ba1d665e3adf74e4884e503d11bb5f46b56f340b5bec5bb6767014812e2dc42ceaa058462f83a1f28e19b6018fa6f8755dabe1c4917e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\uagiukxcvsl.com
MD5
5a94a0f9ae6cb477f44c228785440a4f

SHA1
a270ba96b8a46cde35f388e33dacd7fc6cfb7cdf

SHA256
43da6c4c5d1b0921d827fb2b130e186ff247a6d374a3c1b9015aa979ad10a76f

SHA512
c4229620b8624357e6ef20c855efaff326e8d89f324101baf32e5db5cdebe952af6275b1d85a449522cffd43e33ce6c76ebd08cecc7d7584bc5c7ed6dfbe23b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vniftolgessu.com
MD5
468700e94b5acaa2a3f3f397797eb77c

SHA1
ac8e8380961148536e567f5b0861e3562c5c13a6

SHA256
91ca23d7ae9492210e92652f79f406f8c5be5debdd31d6ba91cca8e7720b03b9

SHA512
621f3da4d3db5866be441fd8608e90db4cb88dbc30c06b5d694ba45519012d442202e9ece1f7e6878b7534ef2c9cf07f0c60e9638f9ab6be7fbca7f907c2d152

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xazrwdho.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xazrwdho.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xazrwdho.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xazrwdho.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/268-5-0x0000000000000000-mapping.dmp

Download
memory/740-7-0x0000000000000000-mapping.dmp

Download
memory/748-25-0x0000000000000000-mapping.dmp

Download
memory/812-16-0x0000000000000000-mapping.dmp

Download
memory/812-19-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/1040-4-0x0000000000000000-mapping.dmp

Download
memory/1164-18-0x0000000000000000-mapping.dmp

Download
memory/1460-8-0x0000000000000000-mapping.dmp

Download
memory/1616-2-0x0000000140000000-0x0000000140074000-memory.dmp

Filesize
464KB

Download
memory/1616-3-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download
memory/1628-13-0x00000000FF6A1000-0x00000000FF6A3000-memory.dmp

Filesize
8KB

Download
memory/1628-12-0x0000000000000000-mapping.dmp

Download
memory/1632-10-0x00000000FF401000-0x00000000FF403000-memory.dmp

Filesize
8KB

Download
memory/1632-9-0x0000000000000000-mapping.dmp

Download
memory/1696-28-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1696-29-0x0000000000443144-mapping.dmp

Download
memory/1696-30-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1764-22-0x0000000000000000-mapping.dmp

Download