modiloader | 900d0f981878ee88e45a935d586dbede6a72119be467e047bcb3112edbd0e9f3

General

Target

GIE_ENQ-0407-2022_doc.exe
Size

709KB
MD5

715d60bb43c2575de720d7305f1cc391
SHA1

ed1a646b28acf9226739066fa5014b937f407064
SHA256

900d0f981878ee88e45a935d586dbede6a72119be467e047bcb3112edbd0e9f3
SHA512

1da2376d5a9f9934848216c828711691d2814518dd2a0608972a04e5be15b7836f9c2396a81744211d8c3f412df2980e72933a45ceb47bdc536c57c64f8897ef

Score

10^/10

modiloader netwire botnet persistence rat stealer trojan

Malware Config

Extracted

Family

netwire

C2

makabuike.duckdns.org:3360

sbdndbnb.duckdns.org:3360

neverbackingdown.duckdns.org:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3936-215-0x0000000010550000-0x0000000010588000-memory.dmp	netwire
behavioral2/memory/3936-217-0x00000000029A0000-0x00000000029D6000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

ModiLoader Second Stage 39 IoCs

Processes:

resource	yara_rule
behavioral2/memory/912-140-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-141-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-143-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-142-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-144-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-145-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-146-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-147-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-148-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-149-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-150-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-151-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-152-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-154-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-153-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-155-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-156-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-157-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-158-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-159-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-160-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-161-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-162-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-164-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-165-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-163-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-193-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-194-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-199-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-200-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-201-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-208-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-209-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-210-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-211-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-213-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-216-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-214-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2
behavioral2/memory/912-212-0x0000000005640000-0x0000000005693000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GIE_ENQ-0407-2022_doc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mxbipgxitp = "C:\\Users\\Public\\Libraries\\ptixgpibxM.url"	GIE_ENQ-0407-2022_doc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1668 3936 WerFault.exe DpiScaling.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4356 powershell.exe
4356 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4356 powershell.exe

pid	pid_target	process	target process
1668	3936	WerFault.exe	DpiScaling.exe

pid	process
4356	powershell.exe
4356	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4356	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

GIE_ENQ-0407-2022_doc.execmd.execmd.exenet.exe

description	pid	process	target process
PID 912 wrote to memory of 224	912	GIE_ENQ-0407-2022_doc.exe	cmd.exe
PID 912 wrote to memory of 224	912	GIE_ENQ-0407-2022_doc.exe	cmd.exe
PID 912 wrote to memory of 224	912	GIE_ENQ-0407-2022_doc.exe	cmd.exe
PID 224 wrote to memory of 3632	224	cmd.exe	cmd.exe
PID 224 wrote to memory of 3632	224	cmd.exe	cmd.exe
PID 224 wrote to memory of 3632	224	cmd.exe	cmd.exe
PID 3632 wrote to memory of 4388	3632	cmd.exe	net.exe
PID 3632 wrote to memory of 4388	3632	cmd.exe	net.exe
PID 3632 wrote to memory of 4388	3632	cmd.exe	net.exe
PID 4388 wrote to memory of 4000	4388	net.exe	net1.exe
PID 4388 wrote to memory of 4000	4388	net.exe	net1.exe
PID 4388 wrote to memory of 4000	4388	net.exe	net1.exe
PID 3632 wrote to memory of 4356	3632	cmd.exe	powershell.exe
PID 3632 wrote to memory of 4356	3632	cmd.exe	powershell.exe
PID 3632 wrote to memory of 4356	3632	cmd.exe	powershell.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe
PID 912 wrote to memory of 3936	912	GIE_ENQ-0407-2022_doc.exe	DpiScaling.exe

C:\Users\Admin\AppData\Local\Temp\GIE_ENQ-0407-2022_doc.exe
"C:\Users\Admin\AppData\Local\Temp\GIE_ENQ-0407-2022_doc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Mxbipgxitpt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\MxbipgxitpO.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:4000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
2⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 460
3⤵
- Program crash
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3936 -ip 3936
1⤵
PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Cdex.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\MxbipgxitpO.bat
Filesize
1KB

MD5
df48c09f243ebcc8a165f77a1c2bf889

SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07

SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Download Submit
C:\Users\Public\Libraries\Mxbipgxitpt.bat
Filesize
59B

MD5
afd9da4b4f9c87a7b4fec3af021895eb

SHA1
e9bb1d5bc630e4633889182f2702f20f1db8303c

SHA256
71a1002de1bbc5352e3f79cccd74949ae239a1434e37ecc8cf0087ecac1c8976

SHA512
e2fcc3e872eb4514677d43f9ffdaeaa97ea8727b79015becb2a0ed9658ad13b0372b7e22c15d35cc8da6e961e6df568182b641251cc631b63a2a1e7868f8c697

Download Submit
memory/224-166-0x0000000000000000-mapping.dmp

Download
memory/912-193-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-163-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-146-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-147-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-148-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-149-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-150-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-151-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-152-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-154-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-212-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-155-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-156-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-157-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-158-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-159-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-160-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-161-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-162-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-164-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-165-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-192-0x0000000010550000-0x0000000010588000-memory.dmp

Filesize
224KB

Download
memory/912-144-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-142-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-140-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-143-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-214-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-216-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-141-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-213-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-145-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-211-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-153-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-210-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-209-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-208-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-201-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-200-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-199-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/912-194-0x0000000005640000-0x0000000005693000-memory.dmp

Filesize
332KB

Download
memory/3632-168-0x0000000000000000-mapping.dmp

Download
memory/3936-217-0x00000000029A0000-0x00000000029D6000-memory.dmp

Filesize
216KB

Download
memory/3936-191-0x0000000000000000-mapping.dmp

Download
memory/3936-215-0x0000000010550000-0x0000000010588000-memory.dmp

Filesize
224KB

Download
memory/3936-195-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/4000-171-0x0000000000000000-mapping.dmp

Download
memory/4356-185-0x00000000074F0000-0x00000000074FA000-memory.dmp

Filesize
40KB

Download
memory/4356-178-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/4356-184-0x0000000007470000-0x000000000748A000-memory.dmp

Filesize
104KB

Download
memory/4356-183-0x0000000007AB0000-0x000000000812A000-memory.dmp

Filesize
6.5MB

Download
memory/4356-189-0x0000000007790000-0x0000000007798000-memory.dmp

Filesize
32KB

Download
memory/4356-182-0x00000000072B0000-0x00000000072CE000-memory.dmp

Filesize
120KB

Download
memory/4356-181-0x00000000700B0000-0x00000000700FC000-memory.dmp

Filesize
304KB

Download
memory/4356-180-0x00000000072D0000-0x0000000007302000-memory.dmp

Filesize
200KB

Download
memory/4356-179-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/4356-186-0x00000000076E0000-0x0000000007776000-memory.dmp

Filesize
600KB

Download
memory/4356-177-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/4356-188-0x00000000077A0000-0x00000000077BA000-memory.dmp

Filesize
104KB

Download
memory/4356-173-0x0000000000000000-mapping.dmp

Download
memory/4356-175-0x0000000005300000-0x0000000005928000-memory.dmp

Filesize
6.2MB

Download
memory/4356-187-0x00000000076A0000-0x00000000076AE000-memory.dmp

Filesize
56KB

Download
memory/4356-174-0x0000000004C90000-0x0000000004CC6000-memory.dmp

Filesize
216KB

Download
memory/4356-176-0x0000000005240000-0x0000000005262000-memory.dmp

Filesize
136KB

Download
memory/4388-170-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads