modiloader | 082fd5bb94abeb41478f187d82cecbc94378d781386f9711010e226deae3004f

Analysis

max time kernel
144s
max time network
151s
platform
windows10_x64
resource
win10-en-20211208
submitted
04-01-2022 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe
Size

931KB
MD5

f51465b5bfb979ccdfc2dcd480f8deb8
SHA1

f90231ff207bc32043247ce59196fc3d1c88bee2
SHA256

082fd5bb94abeb41478f187d82cecbc94378d781386f9711010e226deae3004f
SHA512

56b0622aa675d63b9fb3ff26f842beb6f30eea74ac63a14372938ae69d8996a6bd7d7d30903cb30fb1f82ff80880664ae389f56240b3af9850bfb7a22aee3bcc

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral2/memory/3436-116-0x0000000002B91000-0x0000000002BA5000-memory.dmp	modiloader_stage1

Executes dropped EXE 1 IoCs

pid	Process
1060	ComputerDefaults.exe

Loads dropped DLL 1 IoCs

pid	Process
1060	ComputerDefaults.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Oxpxvknymq = "C:\\Users\\Admin\\Contacts\\qmynkvxpxO.url"	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
660	3316	WerFault.exe	71

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1400	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1820	powershell.exe
1820	powershell.exe
1820	powershell.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeRestorePrivilege	660	WerFault.exe
Token: SeBackupPrivilege	660	WerFault.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	660	WerFault.exe
Token: SeIncreaseQuotaPrivilege	1820	powershell.exe
Token: SeSecurityPrivilege	1820	powershell.exe
Token: SeTakeOwnershipPrivilege	1820	powershell.exe
Token: SeLoadDriverPrivilege	1820	powershell.exe
Token: SeSystemProfilePrivilege	1820	powershell.exe
Token: SeSystemtimePrivilege	1820	powershell.exe
Token: SeProfSingleProcessPrivilege	1820	powershell.exe
Token: SeIncBasePriorityPrivilege	1820	powershell.exe
Token: SeCreatePagefilePrivilege	1820	powershell.exe
Token: SeBackupPrivilege	1820	powershell.exe
Token: SeRestorePrivilege	1820	powershell.exe
Token: SeShutdownPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeSystemEnvironmentPrivilege	1820	powershell.exe
Token: SeRemoteShutdownPrivilege	1820	powershell.exe
Token: SeUndockPrivilege	1820	powershell.exe
Token: SeManageVolumePrivilege	1820	powershell.exe
Token: 33	1820	powershell.exe
Token: 34	1820	powershell.exe
Token: 35	1820	powershell.exe
Token: 36	1820	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	71
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	71
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	71
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	71
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	71
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	71
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	71
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	71
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	71
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	71
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	71
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	71
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	71
PID 3436 wrote to memory of 3316	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	71
PID 3436 wrote to memory of 4292	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	72
PID 3436 wrote to memory of 4292	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	72
PID 3436 wrote to memory of 4292	3436	Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe	72
PID 4292 wrote to memory of 680	4292	cmd.exe	75
PID 4292 wrote to memory of 680	4292	cmd.exe	75
PID 4292 wrote to memory of 680	4292	cmd.exe	75
PID 680 wrote to memory of 1060	680	cmd.exe	78
PID 680 wrote to memory of 1060	680	cmd.exe	78
PID 1060 wrote to memory of 1200	1060	ComputerDefaults.exe	79
PID 1060 wrote to memory of 1200	1060	ComputerDefaults.exe	79
PID 680 wrote to memory of 1400	680	cmd.exe	81
PID 680 wrote to memory of 1400	680	cmd.exe	81
PID 680 wrote to memory of 1400	680	cmd.exe	81
PID 1200 wrote to memory of 1820	1200	cmd.exe	82
PID 1200 wrote to memory of 1820	1200	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe
"C:\Users\Admin\AppData\Local\Temp\Oxpxvknymqvpksgmqwnmrzbidwmldqvaaq.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SysWOW64\DpiScaling.exe
  C:\Windows\System32\DpiScaling.exe
  2⤵
  PID:3316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 488
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Contacts\Oxpxvknymqt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\Contacts\OxpxvknymqO.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Windows \System32\ComputerDefaults.exe
      "C:\Windows \System32\ComputerDefaults.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 6
      4⤵
      Runs ping.exe
      PID:1400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1820-142-0x000001F7E28A0000-0x000001F7E28C2000-memory.dmp

Filesize
136KB

Download
memory/1820-147-0x000001F7FD300000-0x000001F7FD376000-memory.dmp

Filesize
472KB

Download
memory/1820-177-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-164-0x000001F7E2D86000-0x000001F7E2D88000-memory.dmp

Filesize
8KB

Download
memory/1820-160-0x000001F7E2D80000-0x000001F7E2D82000-memory.dmp

Filesize
8KB

Download
memory/1820-161-0x000001F7E2D83000-0x000001F7E2D85000-memory.dmp

Filesize
8KB

Download
memory/1820-148-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-146-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-137-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-138-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-139-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-140-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-141-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-145-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-143-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/1820-144-0x000001F7E2630000-0x000001F7E2632000-memory.dmp

Filesize
8KB

Download
memory/3316-134-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/3316-133-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/3316-132-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/3436-115-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/3436-116-0x0000000002B91000-0x0000000002BA5000-memory.dmp

Filesize
80KB

Download
memory/3436-117-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download