modiloader | 5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef

General

Target

IMG_3100003664999576400.exe
Size

779KB
MD5

c69fdd6ab6ec38f6caa4254fc0160e2d
SHA1

a0cc76173c576dc1ce58a81649df71a8165d99ba
SHA256

5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef
SHA512

e31064aea87cbaa59f89f8b0bfc5d6a7b7474771f17354223e9b11e4c600558345f2a3ae371ee7d223773d87237ea0a932db8a6993dadb868977c726bb795c75

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3408-117-0x0000000002340000-0x000000000235B000-memory.dmp	modiloader_stage1
behavioral2/memory/3408-174-0x0000000002340000-0x000000000235B000-memory.dmp	modiloader_stage1
behavioral2/memory/3408-175-0x0000000002340000-0x000000000235B000-memory.dmp	modiloader_stage1
behavioral2/memory/3408-176-0x0000000002340000-0x000000000235B000-memory.dmp	modiloader_stage1
behavioral2/memory/3408-177-0x0000000002340000-0x000000000235B000-memory.dmp	modiloader_stage1
behavioral2/memory/3408-178-0x0000000002340000-0x000000000235B000-memory.dmp	modiloader_stage1
behavioral2/memory/3408-173-0x0000000002340000-0x000000000235B000-memory.dmp	modiloader_stage1

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IMG_3100003664999576400.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lvughbdemq = "C:\\Users\\Admin\\Contacts\\qmedbhguvL.url"	IMG_3100003664999576400.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1204 856 WerFault.exe logagent.exe

pid	pid_target	process	target process
1204	856	WerFault.exe	logagent.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1204 WerFault.exe
Token: SeBackupPrivilege 1204 WerFault.exe
Token: SeDebugPrivilege 1204 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1204	WerFault.exe
Token: SeBackupPrivilege	1204	WerFault.exe
Token: SeDebugPrivilege	1204	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

IMG_3100003664999576400.exe

description	pid	process	target process
PID 3408 wrote to memory of 856	3408	IMG_3100003664999576400.exe	logagent.exe
PID 3408 wrote to memory of 856	3408	IMG_3100003664999576400.exe	logagent.exe
PID 3408 wrote to memory of 856	3408	IMG_3100003664999576400.exe	logagent.exe
PID 3408 wrote to memory of 856	3408	IMG_3100003664999576400.exe	logagent.exe
PID 3408 wrote to memory of 856	3408	IMG_3100003664999576400.exe	logagent.exe
PID 3408 wrote to memory of 856	3408	IMG_3100003664999576400.exe	logagent.exe
PID 3408 wrote to memory of 856	3408	IMG_3100003664999576400.exe	logagent.exe
PID 3408 wrote to memory of 856	3408	IMG_3100003664999576400.exe	logagent.exe
PID 3408 wrote to memory of 856	3408	IMG_3100003664999576400.exe	logagent.exe
PID 3408 wrote to memory of 856	3408	IMG_3100003664999576400.exe	logagent.exe
PID 3408 wrote to memory of 856	3408	IMG_3100003664999576400.exe	logagent.exe
PID 3408 wrote to memory of 856	3408	IMG_3100003664999576400.exe	logagent.exe
PID 3408 wrote to memory of 856	3408	IMG_3100003664999576400.exe	logagent.exe
PID 3408 wrote to memory of 856	3408	IMG_3100003664999576400.exe	logagent.exe

C:\Users\Admin\AppData\Local\Temp\IMG_3100003664999576400.exe
"C:\Users\Admin\AppData\Local\Temp\IMG_3100003664999576400.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
2⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 352
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-225-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/856-226-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/856-227-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/3408-115-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/3408-117-0x0000000002340000-0x000000000235B000-memory.dmp

Filesize
108KB

Download
memory/3408-174-0x0000000002340000-0x000000000235B000-memory.dmp

Filesize
108KB

Download
memory/3408-175-0x0000000002340000-0x000000000235B000-memory.dmp

Filesize
108KB

Download
memory/3408-176-0x0000000002340000-0x000000000235B000-memory.dmp

Filesize
108KB

Download
memory/3408-177-0x0000000002340000-0x000000000235B000-memory.dmp

Filesize
108KB

Download
memory/3408-178-0x0000000002340000-0x000000000235B000-memory.dmp

Filesize
108KB

Download
memory/3408-173-0x0000000002340000-0x000000000235B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads