modiloader | 2cbccb76adf567a82d9d6fcbf7a6c02bce157e1870df149af7391b20b9fdc672

General

Target

0f559c7ea254285bab84e60d2a5e8037.exe
Size

922KB
MD5

0f559c7ea254285bab84e60d2a5e8037
SHA1

388cfbde34fcc37f5f334ef39d29b5f3e655fed0
SHA256

2cbccb76adf567a82d9d6fcbf7a6c02bce157e1870df149af7391b20b9fdc672
SHA512

9184568937a92cd99d4dc2981dae9bdad139781a1bce87c553b9dad6052654531f2f9ebfc72977e00d2bd4b24a11671317e5cd778150c5a915ec87b739b77ef0

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 2 IoCs

resource	yara_rule
behavioral2/memory/4080-124-0x00000000021A1000-0x00000000021B5000-memory.dmp	modiloader_stage1
behavioral2/memory/1956-139-0x0000000002A91000-0x0000000002AA5000-memory.dmp	modiloader_stage1

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/1956-144-0x0000000003A61000-0x0000000003A78000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
4080	fodhelper.exe
636	fodhelper.exe
1956	fodhelper.exe
1240	fodhelper.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3616 set thread context of 3564	3616	0f559c7ea254285bab84e60d2a5e8037.exe	68
PID 4080 set thread context of 636	4080	fodhelper.exe	74
PID 1956 set thread context of 1240	1956	fodhelper.exe	78

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
896	schtasks.exe
3664	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	0f559c7ea254285bab84e60d2a5e8037.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0f559c7ea254285bab84e60d2a5e8037.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 3564	3616	0f559c7ea254285bab84e60d2a5e8037.exe	68
PID 3616 wrote to memory of 3564	3616	0f559c7ea254285bab84e60d2a5e8037.exe	68
PID 3616 wrote to memory of 3564	3616	0f559c7ea254285bab84e60d2a5e8037.exe	68
PID 3616 wrote to memory of 3564	3616	0f559c7ea254285bab84e60d2a5e8037.exe	68
PID 3616 wrote to memory of 3564	3616	0f559c7ea254285bab84e60d2a5e8037.exe	68
PID 3564 wrote to memory of 896	3564	0f559c7ea254285bab84e60d2a5e8037.exe	69
PID 3564 wrote to memory of 896	3564	0f559c7ea254285bab84e60d2a5e8037.exe	69
PID 3564 wrote to memory of 896	3564	0f559c7ea254285bab84e60d2a5e8037.exe	69
PID 4080 wrote to memory of 636	4080	fodhelper.exe	74
PID 4080 wrote to memory of 636	4080	fodhelper.exe	74
PID 4080 wrote to memory of 636	4080	fodhelper.exe	74
PID 4080 wrote to memory of 636	4080	fodhelper.exe	74
PID 4080 wrote to memory of 636	4080	fodhelper.exe	74
PID 636 wrote to memory of 3664	636	fodhelper.exe	75
PID 636 wrote to memory of 3664	636	fodhelper.exe	75
PID 636 wrote to memory of 3664	636	fodhelper.exe	75
PID 1956 wrote to memory of 1240	1956	fodhelper.exe	78
PID 1956 wrote to memory of 1240	1956	fodhelper.exe	78
PID 1956 wrote to memory of 1240	1956	fodhelper.exe	78
PID 1956 wrote to memory of 1240	1956	fodhelper.exe	78
PID 1956 wrote to memory of 1240	1956	fodhelper.exe	78

C:\Users\Admin\AppData\Local\Temp\0f559c7ea254285bab84e60d2a5e8037.exe
"C:\Users\Admin\AppData\Local\Temp\0f559c7ea254285bab84e60d2a5e8037.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Users\Admin\AppData\Local\Temp\0f559c7ea254285bab84e60d2a5e8037.exe
  C:\Users\Admin\AppData\Local\Temp\0f559c7ea254285bab84e60d2a5e8037.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
    3⤵
    - Creates scheduled task(s)
    PID:896

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3664

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1956-139-0x0000000002A91000-0x0000000002AA5000-memory.dmp

Filesize
80KB

Download
memory/1956-144-0x0000000003A61000-0x0000000003A78000-memory.dmp

Filesize
92KB

Download
memory/1956-143-0x0000000003A60000-0x0000000003A61000-memory.dmp

Filesize
4KB

Download
memory/1956-140-0x0000000000540000-0x00000000005EE000-memory.dmp

Filesize
696KB

Download
memory/3564-117-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/3564-120-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/3564-119-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/3616-115-0x00000000005C0000-0x000000000070A000-memory.dmp

Filesize
1.3MB

Download
memory/4080-125-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/4080-124-0x00000000021A1000-0x00000000021B5000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads