modiloader | b7a6d7f4d15e42eb71836dc7372f48654462c7752d015513232346f0af92f81e

General

Target

bd8a1ba3556221c105087262321114d1.exe
Size

862KB
MD5

bd8a1ba3556221c105087262321114d1
SHA1

ef49cd974cf09508d3b86c9fdc48ce33f1a5aeed
SHA256

b7a6d7f4d15e42eb71836dc7372f48654462c7752d015513232346f0af92f81e
SHA512

f7683f4d055cca2ca3907fb227c6b03382a19f692b79324a05df5bf4a89240612e2727e1934e9ac898d4fa508220f339de2c3608f8b1124c3b792996f3aef8e6

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1668-56-0x0000000000351000-0x0000000000365000-memory.dmp	modiloader_stage1

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1744 1668 WerFault.exe bd8a1ba3556221c105087262321114d1.exe

pid	pid_target	process	target process
1744	1668	WerFault.exe	bd8a1ba3556221c105087262321114d1.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

bd8a1ba3556221c105087262321114d1.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	bd8a1ba3556221c105087262321114d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	bd8a1ba3556221c105087262321114d1.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1744 WerFault.exe
1744 WerFault.exe
1744 WerFault.exe
1744 WerFault.exe
1744 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1744 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1744 WerFault.exe

pid	process
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe

pid	process
1744	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1744	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bd8a1ba3556221c105087262321114d1.exe

description	pid	process	target process
PID 1668 wrote to memory of 1744	1668	bd8a1ba3556221c105087262321114d1.exe	WerFault.exe
PID 1668 wrote to memory of 1744	1668	bd8a1ba3556221c105087262321114d1.exe	WerFault.exe
PID 1668 wrote to memory of 1744	1668	bd8a1ba3556221c105087262321114d1.exe	WerFault.exe
PID 1668 wrote to memory of 1744	1668	bd8a1ba3556221c105087262321114d1.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\bd8a1ba3556221c105087262321114d1.exe
"C:\Users\Admin\AppData\Local\Temp\bd8a1ba3556221c105087262321114d1.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 832
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/1668-55-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1668-56-0x0000000000351000-0x0000000000365000-memory.dmp

Filesize
80KB

Download
memory/1744-57-0x0000000000000000-mapping.dmp

Download
memory/1744-58-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads