modiloader | bcfb6af874f890ddc7506f409370bd743adcc0114a46374857e9e8081d1373c7

General

Target

d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe
Size

836KB
MD5

07789017f254b6ac45b11f66ccada623
SHA1

6957e2bd7068f1303723c2ba3075771cdbcb23f0
SHA256

d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375
SHA512

b30f98657c5069185af2e7a84af4bb2b2d73e9c7a455beae520668a6b40420e0f4d5f19333ec6f7ec45a74c8544f88d449ea1b8d2eacadf22e574b39a384e8b1

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 45 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3576-148-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-161-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-162-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-163-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-164-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-165-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-166-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-167-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-168-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-169-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-170-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-171-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-172-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-173-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-174-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-175-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-176-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-177-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-178-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-179-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-180-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-181-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-183-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-184-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-182-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-185-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-186-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-187-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-188-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-189-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-190-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-191-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-192-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-193-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-194-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-195-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-196-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-197-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-198-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-199-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-200-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-202-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-203-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-201-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-204-0x0000000004DF0000-0x0000000004ED5000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nwypnv = "C:\\Users\\Public\\Libraries\\vnpywN.url"	d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cleanmgr.exe

description	ioc	process
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\K:	cleanmgr.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe
File opened (read-only)	\??\P:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe
File opened (read-only)	\??\F:	cleanmgr.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\I:	cleanmgr.exe
File opened (read-only)	\??\O:	cleanmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe

pid	process
3576	d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe
3576	d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe

description	pid	process	target process
PID 3576 wrote to memory of 3892	3576	d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe	cleanmgr.exe
PID 3576 wrote to memory of 3892	3576	d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe	cleanmgr.exe
PID 3576 wrote to memory of 3892	3576	d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe	cleanmgr.exe
PID 3576 wrote to memory of 3892	3576	d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe	cleanmgr.exe
PID 3576 wrote to memory of 3892	3576	d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe	cleanmgr.exe
PID 3576 wrote to memory of 3892	3576	d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe	cleanmgr.exe
PID 3576 wrote to memory of 3892	3576	d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe	cleanmgr.exe
PID 3576 wrote to memory of 3892	3576	d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe	cleanmgr.exe
PID 3576 wrote to memory of 3892	3576	d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe	cleanmgr.exe
PID 3576 wrote to memory of 3892	3576	d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe	cleanmgr.exe

C:\Users\Admin\AppData\Local\Temp\d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe
"C:\Users\Admin\AppData\Local\Temp\d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\cleanmgr.exe
"C:\Windows\System32\cleanmgr.exe"
2⤵
- Enumerates connected drives
PID:3892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3576-148-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-161-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-162-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-163-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-164-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-165-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-166-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-167-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-168-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-169-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-170-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-171-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-172-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-173-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-174-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-175-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-176-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-177-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-178-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-179-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-180-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-181-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-183-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-184-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-182-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-185-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-186-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-187-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-188-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-189-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-190-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-191-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-192-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-193-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-194-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-195-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-196-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-197-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-198-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-199-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-200-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-202-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-203-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-201-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3576-204-0x0000000004DF0000-0x0000000004ED5000-memory.dmp

Filesize
916KB

Download
memory/3892-205-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads