modiloader | 82cc6147c09b11b31f86f8126920090110f8cfff23ead6bdce2407aea29e85a3

General

Target

Purchase-Order26453784839.exe
Size

943KB
MD5

2b085a0ecc69a8f0cbd2c32c1f89e4d7
SHA1

843c638df1fe7f15c4737ff89646b4b861e7b135
SHA256

a6bc755db6d3b08decf7070cdcfc8f0d9448e7c306936bca52ea8b4cbdbacbc7
SHA512

3e7ed898d50cc9580a4853d3ed3ae596040083818788398d9812e2c66522b732cfeddfcadb31ecb5ba4be2e827cc6a7861c847ee65398154846db7723b28fc34

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 44 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1892-57-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-59-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-60-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-63-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-62-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-61-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-64-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-65-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-68-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-67-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-66-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-69-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-72-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-71-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-70-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-73-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-74-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-75-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-77-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-76-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-78-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-79-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-87-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-88-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-89-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-90-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-91-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-94-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-96-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-97-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-99-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-101-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-103-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-105-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-106-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-108-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-111-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-112-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-110-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-113-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-109-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-114-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-107-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1892-115-0x0000000004560000-0x00000000045FC000-memory.dmp	modiloader_stage2

Loads dropped DLL 1 IoCs

Processes:

wininit.exe

pid process

2036 wininit.exe

pid	process
2036	wininit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Purchase-Order26453784839.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bpfixx = "C:\\Users\\Public\\Libraries\\xxifpB.url"	Purchase-Order26453784839.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cleanmgr.exe

description	ioc	process
File opened (read-only)	\??\F:	cleanmgr.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\K:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\I:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\O:	cleanmgr.exe
File opened (read-only)	\??\P:	cleanmgr.exe
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\T:	cleanmgr.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cleanmgr.exewininit.exe

description	pid	process	target process
PID 324 set thread context of 1184	324	cleanmgr.exe	Explorer.EXE
PID 2036 set thread context of 1184	2036	wininit.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wininit.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3762437355-3468409815-1164039494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wininit.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Purchase-Order26453784839.execleanmgr.exewininit.exe

pid	process
1892	Purchase-Order26453784839.exe
324	cleanmgr.exe
324	cleanmgr.exe
324	cleanmgr.exe
324	cleanmgr.exe
2036	wininit.exe
2036	wininit.exe
2036	wininit.exe
2036	wininit.exe
2036	wininit.exe
2036	wininit.exe
2036	wininit.exe
2036	wininit.exe
2036	wininit.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

cleanmgr.exewininit.exe

pid process

324 cleanmgr.exe
324 cleanmgr.exe
324 cleanmgr.exe
2036 wininit.exe
2036 wininit.exe
2036 wininit.exe
2036 wininit.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

cleanmgr.exewininit.exe

description pid process

Token: SeDebugPrivilege 324 cleanmgr.exe
Token: SeShutdownPrivilege 324 cleanmgr.exe
Token: SeDebugPrivilege 2036 wininit.exe

pid	process
324	cleanmgr.exe
324	cleanmgr.exe
324	cleanmgr.exe
2036	wininit.exe
2036	wininit.exe
2036	wininit.exe
2036	wininit.exe

description	pid	process
Token: SeDebugPrivilege	324	cleanmgr.exe
Token: SeShutdownPrivilege	324	cleanmgr.exe
Token: SeDebugPrivilege	2036	wininit.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Purchase-Order26453784839.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 1892 wrote to memory of 324	1892	Purchase-Order26453784839.exe	cleanmgr.exe
PID 1892 wrote to memory of 324	1892	Purchase-Order26453784839.exe	cleanmgr.exe
PID 1892 wrote to memory of 324	1892	Purchase-Order26453784839.exe	cleanmgr.exe
PID 1892 wrote to memory of 324	1892	Purchase-Order26453784839.exe	cleanmgr.exe
PID 1892 wrote to memory of 324	1892	Purchase-Order26453784839.exe	cleanmgr.exe
PID 1892 wrote to memory of 324	1892	Purchase-Order26453784839.exe	cleanmgr.exe
PID 1892 wrote to memory of 324	1892	Purchase-Order26453784839.exe	cleanmgr.exe
PID 1184 wrote to memory of 2036	1184	Explorer.EXE	wininit.exe
PID 1184 wrote to memory of 2036	1184	Explorer.EXE	wininit.exe
PID 1184 wrote to memory of 2036	1184	Explorer.EXE	wininit.exe
PID 1184 wrote to memory of 2036	1184	Explorer.EXE	wininit.exe
PID 2036 wrote to memory of 1468	2036	wininit.exe	Firefox.exe
PID 2036 wrote to memory of 1468	2036	wininit.exe	Firefox.exe
PID 2036 wrote to memory of 1468	2036	wininit.exe	Firefox.exe
PID 2036 wrote to memory of 1468	2036	wininit.exe	Firefox.exe
PID 2036 wrote to memory of 1468	2036	wininit.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\Purchase-Order26453784839.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase-Order26453784839.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\cleanmgr.exe
"C:\Windows\System32\cleanmgr.exe"
3⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
628KB

MD5
e3b107beaf9eaab93d09738d7dcb0946

SHA1
e625eac28fad8d1ed8544a35b9e54e596313b266

SHA256
8dccdffda1babc90e9917e7927c7387e4ca8e556f0bb94aace207c998a289223

SHA512
c08038d6c7c527ae1e13540358c2a117e5aa6275643b2d88e19e1dc7dd0aa4191c74598e385c57d854866c2de31688fb3640bc7e3a2303b8291154375398305a

Download Submit
memory/324-80-0x0000000000000000-mapping.dmp

Download
memory/324-82-0x0000000070A21000-0x0000000070A23000-memory.dmp

Filesize
8KB

Download
memory/324-85-0x0000000050410000-0x000000005043D000-memory.dmp

Filesize
180KB

Download
memory/324-93-0x0000000003C60000-0x0000000003F63000-memory.dmp

Filesize
3.0MB

Download
memory/324-116-0x0000000050410000-0x000000005043D000-memory.dmp

Filesize
180KB

Download
memory/1184-98-0x00000000064F0000-0x0000000006601000-memory.dmp

Filesize
1.1MB

Download
memory/1184-121-0x00000000067F0000-0x00000000068C4000-memory.dmp

Filesize
848KB

Download
memory/1184-118-0x00000000067F0000-0x00000000068C4000-memory.dmp

Filesize
848KB

Download
memory/1892-88-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-94-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-61-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-64-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-65-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-68-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-67-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-66-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-69-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-72-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-71-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-70-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-73-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-74-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-75-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-77-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-76-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-78-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-79-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-84-0x0000000050410000-0x000000005043D000-memory.dmp

Filesize
180KB

Download
memory/1892-87-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-63-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-89-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-90-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-91-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-62-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-96-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-97-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-99-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-101-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-54-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1892-57-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-103-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-59-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-60-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-105-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-106-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-108-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-111-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-112-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-110-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-113-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-109-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-114-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-107-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/1892-115-0x0000000004560000-0x00000000045FC000-memory.dmp

Filesize
624KB

Download
memory/2036-104-0x0000000001FB0000-0x00000000022B3000-memory.dmp

Filesize
3.0MB

Download
memory/2036-117-0x0000000000790000-0x0000000000820000-memory.dmp

Filesize
576KB

Download
memory/2036-100-0x0000000000870000-0x000000000088A000-memory.dmp

Filesize
104KB

Download
memory/2036-119-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/2036-102-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/2036-95-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads