modiloader | f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61

General

Target

f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe
Size

1.1MB
MD5

7b98554d2ad0041be3a00121d8fcf9c3
SHA1

187a35c3e84d0b4afef32705987c840f6729e133
SHA256

f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61
SHA512

324abecfd87060a9dd7b7a151eb8502f72123c242dee4ac3387c6d6ba3c92f6a4a452a006e58bf897b1a8af803686c5975e58dfb29bb3bd45aebc810ed264cab

Score

10^/10

modiloader bootkit persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3232-129-0x0000000000600000-0x000000000065A000-memory.dmp	modiloader_stage1
behavioral1/memory/3232-133-0x0000000000600000-0x000000000065A000-memory.dmp	modiloader_stage1

Executes dropped EXE 2 IoCs

Processes:

Ritornata.exe.comRitornata.exe.com

pid process

2956 Ritornata.exe.com
1908 Ritornata.exe.com
Drops startup file 1 IoCs

Processes:

Ritornata.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WjVcWskkmD.url Ritornata.exe.com

pid	process
2956	Ritornata.exe.com
1908	Ritornata.exe.com

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WjVcWskkmD.url	Ritornata.exe.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

nslookup.exe

description ioc process

File opened for modification \??\PhysicalDrive0 nslookup.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ritornata.exe.com

description pid process target process

PID 1908 set thread context of 3232 1908 Ritornata.exe.com nslookup.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

684 PING.EXE
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Ritornata.exe.comRitornata.exe.com

pid process

2956 Ritornata.exe.com
2956 Ritornata.exe.com
2956 Ritornata.exe.com
1908 Ritornata.exe.com
1908 Ritornata.exe.com
1908 Ritornata.exe.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Ritornata.exe.comRitornata.exe.com

pid process

2956 Ritornata.exe.com
2956 Ritornata.exe.com
2956 Ritornata.exe.com
1908 Ritornata.exe.com
1908 Ritornata.exe.com
1908 Ritornata.exe.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	nslookup.exe

description	pid	process	target process
PID 1908 set thread context of 3232	1908	Ritornata.exe.com	nslookup.exe

pid	process
684	PING.EXE

pid	process
2956	Ritornata.exe.com
2956	Ritornata.exe.com
2956	Ritornata.exe.com
1908	Ritornata.exe.com
1908	Ritornata.exe.com
1908	Ritornata.exe.com

pid	process
2956	Ritornata.exe.com
2956	Ritornata.exe.com
2956	Ritornata.exe.com
1908	Ritornata.exe.com
1908	Ritornata.exe.com
1908	Ritornata.exe.com

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.execmd.execmd.exeRitornata.exe.comRitornata.exe.com

description	pid	process	target process
PID 3048 wrote to memory of 1804	3048	f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe	expand.exe
PID 3048 wrote to memory of 1804	3048	f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe	expand.exe
PID 3048 wrote to memory of 1804	3048	f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe	expand.exe
PID 3048 wrote to memory of 2164	3048	f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe	cmd.exe
PID 3048 wrote to memory of 2164	3048	f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe	cmd.exe
PID 3048 wrote to memory of 2164	3048	f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe	cmd.exe
PID 2164 wrote to memory of 876	2164	cmd.exe	cmd.exe
PID 2164 wrote to memory of 876	2164	cmd.exe	cmd.exe
PID 2164 wrote to memory of 876	2164	cmd.exe	cmd.exe
PID 876 wrote to memory of 312	876	cmd.exe	findstr.exe
PID 876 wrote to memory of 312	876	cmd.exe	findstr.exe
PID 876 wrote to memory of 312	876	cmd.exe	findstr.exe
PID 876 wrote to memory of 2956	876	cmd.exe	Ritornata.exe.com
PID 876 wrote to memory of 2956	876	cmd.exe	Ritornata.exe.com
PID 876 wrote to memory of 2956	876	cmd.exe	Ritornata.exe.com
PID 2164 wrote to memory of 684	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 684	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 684	2164	cmd.exe	PING.EXE
PID 2956 wrote to memory of 1908	2956	Ritornata.exe.com	Ritornata.exe.com
PID 2956 wrote to memory of 1908	2956	Ritornata.exe.com	Ritornata.exe.com
PID 2956 wrote to memory of 1908	2956	Ritornata.exe.com	Ritornata.exe.com
PID 1908 wrote to memory of 3232	1908	Ritornata.exe.com	nslookup.exe
PID 1908 wrote to memory of 3232	1908	Ritornata.exe.com	nslookup.exe
PID 1908 wrote to memory of 3232	1908	Ritornata.exe.com	nslookup.exe
PID 1908 wrote to memory of 3232	1908	Ritornata.exe.com	nslookup.exe
PID 1908 wrote to memory of 3232	1908	Ritornata.exe.com	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe
"C:\Users\Admin\AppData\Local\Temp\f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\expand.exe
expand
2⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Sua.swf & ping 127.0.0.1 -n 30
2⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^rMRqhEQoWQMXQgLMfHZtmEjotrVzghKKxWsooRyoMqguqYanogPNqINnAJVlIvUIywCTXCDbBRanduoyKblqnXJMpSInVVmf$" Obliare.swf
4⤵
PID:312

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritornata.exe.com
Ritornata.exe.com G
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2956

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritornata.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritornata.exe.com G
5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\nslookup.exe
C:\Windows\SysWOW64\nslookup.exe
6⤵
- Writes to the Master Boot Record (MBR)
PID:3232

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
3⤵
- Runs ping.exe
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dio.swf
MD5
95c74f05449c333404f7950c69d3e33f

SHA1
240e2f9e7618205c1f8ffbdd69fc52a5c91cbb91

SHA256
b668e2177b7fa3d46043a44207727d3f34ade3ef705b79b9282baa9af95c2237

SHA512
af09e16f506c3ef6abefcb8b498adc26b86d298b9f62326b267a79a8bcadcb50f262399218ab9f773c39e4b6e36806f6868929d75ae38ee44f97b4e2c579bfe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G
MD5
95c74f05449c333404f7950c69d3e33f

SHA1
240e2f9e7618205c1f8ffbdd69fc52a5c91cbb91

SHA256
b668e2177b7fa3d46043a44207727d3f34ade3ef705b79b9282baa9af95c2237

SHA512
af09e16f506c3ef6abefcb8b498adc26b86d298b9f62326b267a79a8bcadcb50f262399218ab9f773c39e4b6e36806f6868929d75ae38ee44f97b4e2c579bfe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.swf
MD5
334523bbfc07a1b34a74818abca7c0f9

SHA1
4e907ef95f8688cc664f8a7c7bea8528326b5c13

SHA256
e6eeee3a8b0e45f40a91009c7e9d88fead35488be479ea2e6c1551ea7e0b858d

SHA512
f6201203ccff5e84a52bb2dd8b97424d8af2477b95eff050ccae9183c00d920b57a6f7f59676a9b4a3c5d41b4167af5881f187e858beaff2b277257e45cc0a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritornata.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritornata.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritornata.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sua.swf
MD5
2a32b7f3c1946406510c9e4ea9c7a596

SHA1
8f76d3378f55ed00db68d0d6436ce762bf2fbc3c

SHA256
41713060860a2ee98e0179860cbec578256b1552199b7ad8b1bbfc1e464436f5

SHA512
78982b49045b808375cadf600647b7610b41a120f17d45639471541805b011eaa61693cd20ba9841c494b6ee5e22ab05c94e4a63b3e8b77fa22b1a8603dbae43

Download Submit
memory/312-119-0x0000000000000000-mapping.dmp

Download
memory/684-124-0x0000000000000000-mapping.dmp

Download
memory/876-118-0x0000000000000000-mapping.dmp

Download
memory/1804-115-0x0000000000000000-mapping.dmp

Download
memory/1908-126-0x0000000000000000-mapping.dmp

Download
memory/2164-116-0x0000000000000000-mapping.dmp

Download
memory/2956-122-0x0000000000000000-mapping.dmp

Download
memory/3232-129-0x0000000000600000-0x000000000065A000-memory.dmp

Filesize
360KB

Download
memory/3232-132-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/3232-131-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/3232-133-0x0000000000600000-0x000000000065A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads