modiloader | 082fd5bb94abeb41478f187d82cecbc94378d781386f9711010e226deae3004f

Analysis

max time kernel
144s
max time network
151s
platform
windows10_x64
resource
win10-en-20211208
submitted
04-01-2022 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe
Size

931KB
MD5

f51465b5bfb979ccdfc2dcd480f8deb8
SHA1

f90231ff207bc32043247ce59196fc3d1c88bee2
SHA256

082fd5bb94abeb41478f187d82cecbc94378d781386f9711010e226deae3004f
SHA512

56b0622aa675d63b9fb3ff26f842beb6f30eea74ac63a14372938ae69d8996a6bd7d7d30903cb30fb1f82ff80880664ae389f56240b3af9850bfb7a22aee3bcc

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3436-116-0x0000000002B91000-0x0000000002BA5000-memory.dmp	modiloader_stage1

Executes dropped EXE 1 IoCs

Processes:

ComputerDefaults.exe

pid process

1060 ComputerDefaults.exe
Loads dropped DLL 1 IoCs

Processes:

ComputerDefaults.exe

pid process

1060 ComputerDefaults.exe

pid	process
1060	ComputerDefaults.exe

pid	process
1060	ComputerDefaults.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Oxpxvknymq = "C:\\Users\\Admin\\Contacts\\qmynkvxpxO.url"	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

660 3316 WerFault.exe DpiScaling.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1400 PING.EXE

pid	pid_target	process	target process
660	3316	WerFault.exe	DpiScaling.exe

pid	process
1400	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exeWerFault.exe

pid	process
1820	powershell.exe
1820	powershell.exe
1820	powershell.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

WerFault.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	660	WerFault.exe
Token: SeBackupPrivilege	660	WerFault.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	660	WerFault.exe
Token: SeIncreaseQuotaPrivilege	1820	powershell.exe
Token: SeSecurityPrivilege	1820	powershell.exe
Token: SeTakeOwnershipPrivilege	1820	powershell.exe
Token: SeLoadDriverPrivilege	1820	powershell.exe
Token: SeSystemProfilePrivilege	1820	powershell.exe
Token: SeSystemtimePrivilege	1820	powershell.exe
Token: SeProfSingleProcessPrivilege	1820	powershell.exe
Token: SeIncBasePriorityPrivilege	1820	powershell.exe
Token: SeCreatePagefilePrivilege	1820	powershell.exe
Token: SeBackupPrivilege	1820	powershell.exe
Token: SeRestorePrivilege	1820	powershell.exe
Token: SeShutdownPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeSystemEnvironmentPrivilege	1820	powershell.exe
Token: SeRemoteShutdownPrivilege	1820	powershell.exe
Token: SeUndockPrivilege	1820	powershell.exe
Token: SeManageVolumePrivilege	1820	powershell.exe
Token: 33	1820	powershell.exe
Token: 34	1820	powershell.exe
Token: 35	1820	powershell.exe
Token: 36	1820	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.execmd.execmd.exeComputerDefaults.execmd.exe

description	pid	process	target process
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	DpiScaling.exe
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	DpiScaling.exe
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	DpiScaling.exe
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	DpiScaling.exe
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	DpiScaling.exe
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	DpiScaling.exe
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	DpiScaling.exe
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	DpiScaling.exe
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	DpiScaling.exe
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	DpiScaling.exe
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	DpiScaling.exe
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	DpiScaling.exe
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	DpiScaling.exe
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	DpiScaling.exe
PID 3436 wrote to memory of 4292	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	cmd.exe
PID 3436 wrote to memory of 4292	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	cmd.exe
PID 3436 wrote to memory of 4292	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	cmd.exe
PID 4292 wrote to memory of 680	4292	cmd.exe	cmd.exe
PID 4292 wrote to memory of 680	4292	cmd.exe	cmd.exe
PID 4292 wrote to memory of 680	4292	cmd.exe	cmd.exe
PID 680 wrote to memory of 1060	680	cmd.exe	ComputerDefaults.exe
PID 680 wrote to memory of 1060	680	cmd.exe	ComputerDefaults.exe
PID 1060 wrote to memory of 1200	1060	ComputerDefaults.exe	cmd.exe
PID 1060 wrote to memory of 1200	1060	ComputerDefaults.exe	cmd.exe
PID 680 wrote to memory of 1400	680	cmd.exe	PING.EXE
PID 680 wrote to memory of 1400	680	cmd.exe	PING.EXE
PID 680 wrote to memory of 1400	680	cmd.exe	PING.EXE
PID 1200 wrote to memory of 1820	1200	cmd.exe	powershell.exe
PID 1200 wrote to memory of 1820	1200	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe
"C:\Users\Admin\AppData\Local\Temp\Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
2⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 488
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Contacts\Oxpxvknymqt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\Contacts\OxpxvknymqO.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
5⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 6
4⤵
- Runs ping.exe
PID:1400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Contacts\ComputerDefaults.exe
MD5
495f18535bbba007a18ec5ee708318fe

SHA1
991100111548b5cc7a09c65797543898dab34fd3

SHA256
64959878420834ffdf17823f1cc507261f1cef286ff476777c4f3da7d17afa24

SHA512
ab16974e135cc74c26a58d01820026dcbb57dd52c2da143ce96aa4f6bc4cddda3926a1b07e9429c430f653503c7a8a679bc0da4a6fb657057890d9fc4d752b4b

Download Submit
C:\Users\Admin\Contacts\KDECO.bat
MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Admin\Contacts\OxpxvknymqO.bat
MD5
1ed9fbc4b43b9afb48d089e9cc5fe5fc

SHA1
005f37cbcb2c8fe85ff83ead0e4a3282130c2cf5

SHA256
be39b65cfbae921d0a42d2958f14a9dc783ace7a3880efeec0b0a5293f4dece4

SHA512
f99118c532ab00eccb608d2a385b5ff51bb4c461b51c51ee01eb9445b11ed98ee0b2975518d0e7e9570f80601d08344812d26278ffabcb9afc2ab0942f705fdf

Download Submit
C:\Users\Admin\Contacts\Oxpxvknymqt.bat
MD5
0e29f796c1d3c98a52f623e34e0fa454

SHA1
8313d4f1f0702d27eb217e7ab83be348c3e2845a

SHA256
42bebd397563aadbd018ca2c5113309c0866086b1a43807227c7dbf8b62c6268

SHA512
1213c740c5b9df004830f358f26091c93d6375c3065b671d5a1e05959ee1332a64089b7c8e3445206fffd49539c7cdc0290e8a48db03fefc3673fdf9b2faa1c2

Download Submit
C:\Users\Admin\Contacts\propsys.dll
MD5
24436256806530d3a75f82d019c10666

SHA1
78d794ef9f7b9ff710a51175852342a095d74fe0

SHA256
8010cc9ea70156767432d0b7e719cf6338bf3f1fc675e2e560bd43b3f0c1fd0c

SHA512
354419e36e5fd422c21218a590af17cfe64355dd5b10fd16a98b815a06caa5490428ca095eddb5831d34976f7685a0859c8d9971d6ea4865bb1f116b74c1f500

Download Submit
C:\Windows \System32\ComputerDefaults.exe
MD5
495f18535bbba007a18ec5ee708318fe

SHA1
991100111548b5cc7a09c65797543898dab34fd3

SHA256
64959878420834ffdf17823f1cc507261f1cef286ff476777c4f3da7d17afa24

SHA512
ab16974e135cc74c26a58d01820026dcbb57dd52c2da143ce96aa4f6bc4cddda3926a1b07e9429c430f653503c7a8a679bc0da4a6fb657057890d9fc4d752b4b

Download Submit
C:\Windows \System32\PROPSYS.dll
MD5
24436256806530d3a75f82d019c10666

SHA1
78d794ef9f7b9ff710a51175852342a095d74fe0

SHA256
8010cc9ea70156767432d0b7e719cf6338bf3f1fc675e2e560bd43b3f0c1fd0c

SHA512
354419e36e5fd422c21218a590af17cfe64355dd5b10fd16a98b815a06caa5490428ca095eddb5831d34976f7685a0859c8d9971d6ea4865bb1f116b74c1f500

Download Submit
C:\windows \system32\KDECO.bat
MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
\Windows \System32\propsys.dll
MD5
24436256806530d3a75f82d019c10666

SHA1
78d794ef9f7b9ff710a51175852342a095d74fe0

SHA256
8010cc9ea70156767432d0b7e719cf6338bf3f1fc675e2e560bd43b3f0c1fd0c

SHA512
354419e36e5fd422c21218a590af17cfe64355dd5b10fd16a98b815a06caa5490428ca095eddb5831d34976f7685a0859c8d9971d6ea4865bb1f116b74c1f500

Download Submit
memory/680-121-0x0000000000000000-mapping.dmp

Download
memory/1060-126-0x0000000000000000-mapping.dmp

Download
memory/1200-130-0x0000000000000000-mapping.dmp

Download
memory/1400-131-0x0000000000000000-mapping.dmp

Download
memory/1820-142-0x000001F7E28A0000-0x000001F7E28C2000-memory.dmp

Filesize
136KB

Download
memory/1820-147-0x000001F7FD300000-0x000001F7FD376000-memory.dmp

Filesize
472KB

Download
memory/1820-177-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-164-0x000001F7E2D86000-0x000001F7E2D88000-memory.dmp

Filesize
8KB

Download
memory/1820-160-0x000001F7E2D80000-0x000001F7E2D82000-memory.dmp

Filesize
8KB

Download
memory/1820-161-0x000001F7E2D83000-0x000001F7E2D85000-memory.dmp

Filesize
8KB

Download
memory/1820-148-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-146-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-136-0x0000000000000000-mapping.dmp

Download
memory/1820-137-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-138-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-139-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-140-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-141-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-145-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-143-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-144-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/3316-134-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/3316-133-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/3316-132-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/3316-118-0x0000000000000000-mapping.dmp

Download
memory/3436-115-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/3436-116-0x0000000002B91000-0x0000000002BA5000-memory.dmp

Filesize
80KB

Download
memory/3436-117-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/4292-119-0x0000000000000000-mapping.dmp

Download