modiloader | 4d71bbe32ad8828d3ed66fb0ea352086181390391bab0960298fad620b61eee7

Analysis

max time kernel
126s
max time network
126s
platform
windows7_x64
resource
win7v20201028
submitted
22-03-2021 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b305d95fa833495eca1fa9ab824a25e0.exe
Size

5.2MB
MD5

b305d95fa833495eca1fa9ab824a25e0
SHA1

18a87991e98013678713cf231f37787ab0c87512
SHA256

4d71bbe32ad8828d3ed66fb0ea352086181390391bab0960298fad620b61eee7
SHA512

51ac574dd06ae8d267f400005b1c698fd2c3f1a50dc27afcc554bf7e836046f0fea6808f8e4cc4ebc827530bdbe6bc3cd949c27672e7770070e3aafdaa42110f

Score

10^/10

modiloader bootkit persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/472-28-0x0000000000400000-0x0000000000459000-memory.dmp	modiloader_stage1
behavioral1/memory/472-29-0x0000000000443144-mapping.dmp	modiloader_stage1
behavioral1/memory/472-30-0x0000000000400000-0x0000000000459000-memory.dmp	modiloader_stage1

Executes dropped EXE 2 IoCs

Processes:

dowbuxaafml.comdowbuxaafml.com

pid process

1032 dowbuxaafml.com
1520 dowbuxaafml.com
Loads dropped DLL 1 IoCs

Processes:

dowbuxaafml.com

pid process

1032 dowbuxaafml.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

notepad.exe

description ioc process

File opened for modification \??\PhysicalDrive0 notepad.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dowbuxaafml.com

description pid process target process

PID 1520 set thread context of 472 1520 dowbuxaafml.com notepad.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1856 PING.EXE
1216 PING.EXE
1528 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

dowbuxaafml.com

pid process

1032 dowbuxaafml.com
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

dowbuxaafml.comdowbuxaafml.com

pid process

1032 dowbuxaafml.com
1032 dowbuxaafml.com
1520 dowbuxaafml.com
1520 dowbuxaafml.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	notepad.exe

description	pid	process	target process
PID 1520 set thread context of 472	1520	dowbuxaafml.com	notepad.exe

pid	process
1856	PING.EXE
1216	PING.EXE
1528	PING.EXE

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

dowbuxaafml.comdowbuxaafml.com

pid	process
1032	dowbuxaafml.com
1032	dowbuxaafml.com
1520	dowbuxaafml.com
1520	dowbuxaafml.com
1032	dowbuxaafml.com
1520	dowbuxaafml.com
1032	dowbuxaafml.com
1520	dowbuxaafml.com
1032	dowbuxaafml.com
1520	dowbuxaafml.com
1520	dowbuxaafml.com
1520	dowbuxaafml.com
1520	dowbuxaafml.com

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

dowbuxaafml.comdowbuxaafml.com

pid	process
1032	dowbuxaafml.com
1032	dowbuxaafml.com
1520	dowbuxaafml.com
1520	dowbuxaafml.com
1032	dowbuxaafml.com
1520	dowbuxaafml.com
1032	dowbuxaafml.com
1520	dowbuxaafml.com
1032	dowbuxaafml.com
1520	dowbuxaafml.com
1520	dowbuxaafml.com
1520	dowbuxaafml.com
1520	dowbuxaafml.com

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

b305d95fa833495eca1fa9ab824a25e0.execmd.execmd.exedowbuxaafml.comdowbuxaafml.com

description	pid	process	target process
PID 1740 wrote to memory of 1988	1740	b305d95fa833495eca1fa9ab824a25e0.exe	cmd.exe
PID 1740 wrote to memory of 1988	1740	b305d95fa833495eca1fa9ab824a25e0.exe	cmd.exe
PID 1740 wrote to memory of 1988	1740	b305d95fa833495eca1fa9ab824a25e0.exe	cmd.exe
PID 1740 wrote to memory of 1964	1740	b305d95fa833495eca1fa9ab824a25e0.exe	cmd.exe
PID 1740 wrote to memory of 1964	1740	b305d95fa833495eca1fa9ab824a25e0.exe	cmd.exe
PID 1740 wrote to memory of 1964	1740	b305d95fa833495eca1fa9ab824a25e0.exe	cmd.exe
PID 1964 wrote to memory of 1832	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 1832	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 1832	1964	cmd.exe	cmd.exe
PID 1832 wrote to memory of 1856	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1856	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1856	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1824	1832	cmd.exe	certutil.exe
PID 1832 wrote to memory of 1824	1832	cmd.exe	certutil.exe
PID 1832 wrote to memory of 1824	1832	cmd.exe	certutil.exe
PID 1832 wrote to memory of 1504	1832	cmd.exe	certutil.exe
PID 1832 wrote to memory of 1504	1832	cmd.exe	certutil.exe
PID 1832 wrote to memory of 1504	1832	cmd.exe	certutil.exe
PID 1832 wrote to memory of 1032	1832	cmd.exe	dowbuxaafml.com
PID 1832 wrote to memory of 1032	1832	cmd.exe	dowbuxaafml.com
PID 1832 wrote to memory of 1032	1832	cmd.exe	dowbuxaafml.com
PID 1832 wrote to memory of 1032	1832	cmd.exe	dowbuxaafml.com
PID 1832 wrote to memory of 1216	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1216	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1216	1832	cmd.exe	PING.EXE
PID 1032 wrote to memory of 1520	1032	dowbuxaafml.com	dowbuxaafml.com
PID 1032 wrote to memory of 1520	1032	dowbuxaafml.com	dowbuxaafml.com
PID 1032 wrote to memory of 1520	1032	dowbuxaafml.com	dowbuxaafml.com
PID 1032 wrote to memory of 1520	1032	dowbuxaafml.com	dowbuxaafml.com
PID 1832 wrote to memory of 1528	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1528	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1528	1832	cmd.exe	PING.EXE
PID 1520 wrote to memory of 472	1520	dowbuxaafml.com	notepad.exe
PID 1520 wrote to memory of 472	1520	dowbuxaafml.com	notepad.exe
PID 1520 wrote to memory of 472	1520	dowbuxaafml.com	notepad.exe
PID 1520 wrote to memory of 472	1520	dowbuxaafml.com	notepad.exe
PID 1520 wrote to memory of 472	1520	dowbuxaafml.com	notepad.exe
PID 1520 wrote to memory of 472	1520	dowbuxaafml.com	notepad.exe
PID 1520 wrote to memory of 472	1520	dowbuxaafml.com	notepad.exe
PID 1520 wrote to memory of 472	1520	dowbuxaafml.com	notepad.exe
PID 1520 wrote to memory of 472	1520	dowbuxaafml.com	notepad.exe
PID 1520 wrote to memory of 472	1520	dowbuxaafml.com	notepad.exe
PID 1520 wrote to memory of 472	1520	dowbuxaafml.com	notepad.exe
PID 1520 wrote to memory of 472	1520	dowbuxaafml.com	notepad.exe

C:\Users\Admin\AppData\Local\Temp\b305d95fa833495eca1fa9ab824a25e0.exe
"C:\Users\Admin\AppData\Local\Temp\b305d95fa833495eca1fa9ab824a25e0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo xbghltrocu
2⤵
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < pxcljaquz.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\system32\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\system32\PING.EXE
ping -n 1 duzihnfxa
4⤵
- Runs ping.exe
PID:1856

C:\Windows\system32\certutil.exe
certutil -decode yhecylzwzug.com dowbuxaafml.com
4⤵
PID:1824

C:\Windows\system32\certutil.exe
certutil -decode vctcuhs.com jwpeqie.com
4⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dowbuxaafml.com
dowbuxaafml.com jwpeqie.com
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dowbuxaafml.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dowbuxaafml.com "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\jwpeqie.com"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
- Writes to the Master Boot Record (MBR)
PID:472

C:\Windows\system32\PING.EXE
ping -n 1 duzihnfxa
4⤵
- Runs ping.exe
PID:1216

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 6
4⤵
- Runs ping.exe
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\crwoewlcvehk.com
MD5
6b56d8e939b35f2f576bc19bcd5bd4bc

SHA1
70163bd1fb51e60edaf6a5eee029902f1adc0fb3

SHA256
497527b85e287c573c75b6d4697c01ecd1d39a60c6729ab8cb7fa5e08e3813f3

SHA512
4ee2549425c533f107b6521fb8d3e695039250c2393fa37c60cf692b911dc578d6c6a4923dbcb63ea89efe07ab99bf4f7d0c71eddd1c94c7813357a910f2c6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dowbuxaafml.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dowbuxaafml.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dowbuxaafml.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\jwpeqie.com
MD5
b3bf39a799e47dabc1f9bbfc875c3beb

SHA1
c213f0aaf2cb82037d74aa47dfdd05163b8f58a7

SHA256
16a1d90aafa2b3ad392eea747b9d5ece20c59f72099285e9605e8eacc291b291

SHA512
42f375ce1b92528599d37ce69358e07342a231b39058c90cdfe3cefac2fee6fbec81e893ca4068671643a1ab02b7633a5b6fca8de6a1809c48f9a8b9eb0ec6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\kviuahpf.com
MD5
8b73801eca92aa565964e7955979fa0f

SHA1
819947d189c50698adb023e3b2d4da70b8bccb0d

SHA256
f0f55933069518edf43ec78c6f7fff1f78bb701f2ed666979b5ea5febd9a4e95

SHA512
1b927c1c0bf77e11734f5f79a543903e5eb131f1557e96545f89e0df3181afa669251c72a4801047d78fff2aba6ead8e8904a96d6f5b1be7511e8bca4d1638fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\pxcljaquz.com
MD5
ea769126afef2db6b4803a1d02c80e59

SHA1
5dca069e32cd5e36bf440de757046f628b95f637

SHA256
166a6abd42e29c20441f8479d7b229bb645d9bb978876240e777c795a3db0104

SHA512
f870f9151110db637f121f0dc2ab03e8f7d9d31ddb7891d29ff67b38d253618cdc400a0732a4ad641fec1bf0d53e295e25ef229157bb07c45bf64bb45e8dd2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vctcuhs.com
MD5
7893426a4fd8580f23a37ae1287f5be9

SHA1
968fe3f180974b39b50447f9ce2ec8847fecc1a7

SHA256
4fa5a55c00871a39396e97f28dab217678188acd6c040d1f85043f403c2f2e2b

SHA512
efd9e58e496534ea2c6014288a48040d1f5f947d99d77b60e05d168d92f1fb225198def5fd26016f7a6adacecd6f462b95a16b4614e9259a8ed813caee08bc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\yhecylzwzug.com
MD5
468700e94b5acaa2a3f3f397797eb77c

SHA1
ac8e8380961148536e567f5b0861e3562c5c13a6

SHA256
91ca23d7ae9492210e92652f79f406f8c5be5debdd31d6ba91cca8e7720b03b9

SHA512
621f3da4d3db5866be441fd8608e90db4cb88dbc30c06b5d694ba45519012d442202e9ece1f7e6878b7534ef2c9cf07f0c60e9638f9ab6be7fbca7f907c2d152

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dowbuxaafml.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/472-28-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/472-29-0x0000000000443144-mapping.dmp

Download
memory/472-30-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1032-16-0x0000000000000000-mapping.dmp

Download
memory/1032-19-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1216-18-0x0000000000000000-mapping.dmp

Download
memory/1504-12-0x0000000000000000-mapping.dmp

Download
memory/1504-13-0x00000000FFC61000-0x00000000FFC63000-memory.dmp

Filesize
8KB

Download
memory/1520-22-0x0000000000000000-mapping.dmp

Download
memory/1528-25-0x0000000000000000-mapping.dmp

Download
memory/1740-2-0x0000000140000000-0x0000000140073000-memory.dmp

Filesize
460KB

Download
memory/1740-3-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp

Filesize
8KB

Download
memory/1824-10-0x00000000FF7A1000-0x00000000FF7A3000-memory.dmp

Filesize
8KB

Download
memory/1824-9-0x0000000000000000-mapping.dmp

Download
memory/1832-7-0x0000000000000000-mapping.dmp

Download
memory/1856-8-0x0000000000000000-mapping.dmp

Download
memory/1964-5-0x0000000000000000-mapping.dmp

Download
memory/1988-4-0x0000000000000000-mapping.dmp

Download