modiloader | 2fa540a1679ecd37874e53b50eb4c756223420d5f970c935ce053345f1f231f4

General

Target

Potvrda narudzbe u prilogu.exe
Size

858KB
MD5

a2f2b4df19c4e17b1ee75386984be107
SHA1

4eeb4fa7a57f39c7e0e33f069da955086926976a
SHA256

2fa540a1679ecd37874e53b50eb4c756223420d5f970c935ce053345f1f231f4
SHA512

c69eb0311d8e9d760f7ab33568b56836645dadf9c41271e0ef494816d3ba3a24c1a119e9359950fda5bdc92f2f38fe3bb99e346977ed935cc119ba0c690dab64

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/864-60-0x0000000004230000-0x0000000004265000-memory.dmp	modiloader_stage2
behavioral1/memory/864-61-0x0000000004230000-0x0000000004265000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Potvrda narudzbe u prilogu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kwhnxhv = "C:\\Users\\Public\\vhxnhwK.url"	Potvrda narudzbe u prilogu.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

848 304 WerFault.exe DpiScaling.exe

pid	pid_target	process	target process
848	304	WerFault.exe	DpiScaling.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Potvrda narudzbe u prilogu.exeDpiScaling.exe

description	pid	process	target process
PID 864 wrote to memory of 304	864	Potvrda narudzbe u prilogu.exe	DpiScaling.exe
PID 864 wrote to memory of 304	864	Potvrda narudzbe u prilogu.exe	DpiScaling.exe
PID 864 wrote to memory of 304	864	Potvrda narudzbe u prilogu.exe	DpiScaling.exe
PID 864 wrote to memory of 304	864	Potvrda narudzbe u prilogu.exe	DpiScaling.exe
PID 864 wrote to memory of 304	864	Potvrda narudzbe u prilogu.exe	DpiScaling.exe
PID 864 wrote to memory of 304	864	Potvrda narudzbe u prilogu.exe	DpiScaling.exe
PID 864 wrote to memory of 304	864	Potvrda narudzbe u prilogu.exe	DpiScaling.exe
PID 304 wrote to memory of 848	304	DpiScaling.exe	WerFault.exe
PID 304 wrote to memory of 848	304	DpiScaling.exe	WerFault.exe
PID 304 wrote to memory of 848	304	DpiScaling.exe	WerFault.exe
PID 304 wrote to memory of 848	304	DpiScaling.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Potvrda narudzbe u prilogu.exe
"C:\Users\Admin\AppData\Local\Temp\Potvrda narudzbe u prilogu.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 304 -s 156
3⤵
- Program crash
PID:848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-62-0x0000000072480000-0x00000000724AE000-memory.dmp

Filesize
184KB

Download
memory/304-64-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/864-55-0x0000000075421000-0x0000000075423000-memory.dmp

Filesize
8KB

Download
memory/864-56-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/864-57-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/864-60-0x0000000004230000-0x0000000004265000-memory.dmp

Filesize
212KB

Download
memory/864-61-0x0000000004230000-0x0000000004265000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads