modiloader | 5576a672ade73b26e1d758c027a867333987d3d2416ed9a726180fb4227a2786

General

Target

5576a672ade73b26e1d758c027a867333987d3d2416ed9a726180fb4227a2786.exe
Size

520KB
MD5

8717d55dac4f12cf84a3b349bdd9823c
SHA1

6281203d0ed33f80dd9f0a18e1a65d271d8213da
SHA256

5576a672ade73b26e1d758c027a867333987d3d2416ed9a726180fb4227a2786
SHA512

5f5b6fab98c389563618f274e7985111221965889a034576c570262063d619d5bcb2dab77a26f9f136c620ba1e965f6a6b13748ff8b81d07555a2f4d80cfaabe

Score

10^/10

modiloader netwire botnet persistence rat stealer trojan upx

Malware Config

Extracted

Family

netwire

C2

superserver100.hopto.org:8973

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1968-136-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1968-138-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1968-140-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\isvygq.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\isvygq.exe	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

isvygq.exe

pid process

1616 isvygq.exe

pid	process
1616	isvygq.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4572-133-0x0000000000400000-0x000000000052B000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

isvygq.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation isvygq.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	isvygq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

isvygq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isvygq = "C:\\Users\\Admin\\AppData\\Local\\isvygq\\isvygq.vbs"	isvygq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

isvygq.exe

description pid process target process

PID 1616 set thread context of 1968 1616 isvygq.exe regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2744 reg.exe
2112 reg.exe

description	pid	process	target process
PID 1616 set thread context of 1968	1616	isvygq.exe	regsvr32.exe

pid	process
2744	reg.exe
2112	reg.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5576a672ade73b26e1d758c027a867333987d3d2416ed9a726180fb4227a2786.exeisvygq.execmd.exe

description	pid	process	target process
PID 4572 wrote to memory of 1616	4572	5576a672ade73b26e1d758c027a867333987d3d2416ed9a726180fb4227a2786.exe	isvygq.exe
PID 4572 wrote to memory of 1616	4572	5576a672ade73b26e1d758c027a867333987d3d2416ed9a726180fb4227a2786.exe	isvygq.exe
PID 4572 wrote to memory of 1616	4572	5576a672ade73b26e1d758c027a867333987d3d2416ed9a726180fb4227a2786.exe	isvygq.exe
PID 1616 wrote to memory of 1968	1616	isvygq.exe	regsvr32.exe
PID 1616 wrote to memory of 1968	1616	isvygq.exe	regsvr32.exe
PID 1616 wrote to memory of 1968	1616	isvygq.exe	regsvr32.exe
PID 1616 wrote to memory of 1968	1616	isvygq.exe	regsvr32.exe
PID 1616 wrote to memory of 1968	1616	isvygq.exe	regsvr32.exe
PID 1616 wrote to memory of 2740	1616	isvygq.exe	cmd.exe
PID 1616 wrote to memory of 2740	1616	isvygq.exe	cmd.exe
PID 1616 wrote to memory of 2740	1616	isvygq.exe	cmd.exe
PID 2740 wrote to memory of 2744	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2744	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2744	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2112	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2112	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2112	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 4068	2740	cmd.exe	schtasks.exe
PID 2740 wrote to memory of 4068	2740	cmd.exe	schtasks.exe
PID 2740 wrote to memory of 4068	2740	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5576a672ade73b26e1d758c027a867333987d3d2416ed9a726180fb4227a2786.exe
"C:\Users\Admin\AppData\Local\Temp\5576a672ade73b26e1d758c027a867333987d3d2416ed9a726180fb4227a2786.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\Users\Admin\AppData\Local\Temp\isvygq.exe
C:\Users\Admin\AppData\Local\Temp\isvygq.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe"
3⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\isvygq\KU.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
4⤵
- Modifies registry key
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start C:\Users\Admin\AppData\Local\isvygq\ex.bat reg delete hkcu\Environment /v windir /f && REM "
4⤵
- Modifies registry key
PID:2112

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
4⤵
PID:4068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\isvygq.exe

Filesize
403KB

MD5
45b29c968b79e5ddeabbc0ef4a8ab362

SHA1
57ed9e27f2e2b40fc1998fe0cba8d9ee63a40f05

SHA256
69862bc4e7299382eac469ff02833882c623d2cb9c02b194ebdb4386847ba787

SHA512
d568ebcf782de7767076d96a217c804ae3a83a167c9947a05c67f39aed4e20479da4bd6375ef57224778f6d10d0de7e896abab710c605b4d76aa5cfe25caf7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\isvygq.exe

Filesize
403KB

MD5
45b29c968b79e5ddeabbc0ef4a8ab362

SHA1
57ed9e27f2e2b40fc1998fe0cba8d9ee63a40f05

SHA256
69862bc4e7299382eac469ff02833882c623d2cb9c02b194ebdb4386847ba787

SHA512
d568ebcf782de7767076d96a217c804ae3a83a167c9947a05c67f39aed4e20479da4bd6375ef57224778f6d10d0de7e896abab710c605b4d76aa5cfe25caf7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\isvygq.jpg

Filesize
237KB

MD5
be035e8c5fa40a25ea84a0f8b0794124

SHA1
5719df1daf670bcd2a1eb0e07f2b9d8b467b20ea

SHA256
e0503287ed675f3c4e33f66c66ed061154b10c2a9527455b2cc138a059b6d782

SHA512
5347e1c32a37295af20bd5b3ffab5625dbccaac8a348c7f816ec732bb1fa646265270091b3137f29c42b9c6bd80b3bc9bf3ecf70e632f690623eb95d073c4139

Download Submit
C:\Users\Admin\AppData\Local\isvygq\KU.bat

Filesize
255B

MD5
77a9c83f53b7a70f2f36bea0f255d4ab

SHA1
7177eefcf6b09fb50bd98c498cd6c563917c1b1e

SHA256
91d1246ebab25a2480b78e46144116ace5c8d87a39573bad237bc7c4c3deeed7

SHA512
3e09ea4c44648516b80dac48d2505f305f5aff509713e19c993c4714999e931949036efeacf5a384db474e7a08d5d990c01d74730da4995f20ea094ea68e36fb

Download Submit
memory/1616-130-0x0000000000000000-mapping.dmp

Download
memory/1968-135-0x0000000000000000-mapping.dmp

Download
memory/1968-136-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1968-138-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1968-140-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2112-144-0x0000000000000000-mapping.dmp

Download
memory/2740-141-0x0000000000000000-mapping.dmp

Download
memory/2744-143-0x0000000000000000-mapping.dmp

Download
memory/4068-145-0x0000000000000000-mapping.dmp

Download
memory/4572-133-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads