modiloader | 498baff52ad2a419108074d90b6eb085afcc91ee2a881dd78aa37185779243d0

General

Target

PURCHASE.exe
Size

943KB
MD5

2b085a0ecc69a8f0cbd2c32c1f89e4d7
SHA1

843c638df1fe7f15c4737ff89646b4b861e7b135
SHA256

a6bc755db6d3b08decf7070cdcfc8f0d9448e7c306936bca52ea8b4cbdbacbc7
SHA512

3e7ed898d50cc9580a4853d3ed3ae596040083818788398d9812e2c66522b732cfeddfcadb31ecb5ba4be2e827cc6a7861c847ee65398154846db7723b28fc34

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 62 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4300-147-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-163-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-164-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-165-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-166-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-167-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-168-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-169-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-170-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-171-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-172-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-173-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-174-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-175-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-176-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-177-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-178-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-179-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-180-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-181-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-182-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-183-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-184-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-185-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-186-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-187-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-188-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-189-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-190-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-191-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-192-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-193-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-194-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-195-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-196-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-197-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-198-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-199-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-200-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-201-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-202-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-204-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-203-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-205-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-206-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-210-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-211-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-212-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-213-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-214-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-215-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-216-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-217-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-218-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-219-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-220-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-221-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-222-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-224-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-223-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-225-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2
behavioral2/memory/4300-226-0x0000000003AD0000-0x0000000003B6C000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

PURCHASE.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation PURCHASE.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	PURCHASE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PURCHASE.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bpfixx = "C:\\Users\\Public\\Libraries\\xxifpB.url"	PURCHASE.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cleanmgr.exe

description	ioc	process
File opened (read-only)	\??\F:	cleanmgr.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\I:	cleanmgr.exe
File opened (read-only)	\??\K:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\P:	cleanmgr.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\O:	cleanmgr.exe
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

PURCHASE.exe

pid process

4300 PURCHASE.exe
4300 PURCHASE.exe

pid	process
4300	PURCHASE.exe
4300	PURCHASE.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

PURCHASE.exe

description	pid	process	target process
PID 4300 wrote to memory of 4820	4300	PURCHASE.exe	cleanmgr.exe
PID 4300 wrote to memory of 4820	4300	PURCHASE.exe	cleanmgr.exe
PID 4300 wrote to memory of 4820	4300	PURCHASE.exe	cleanmgr.exe
PID 4300 wrote to memory of 4820	4300	PURCHASE.exe	cleanmgr.exe
PID 4300 wrote to memory of 4820	4300	PURCHASE.exe	cleanmgr.exe
PID 4300 wrote to memory of 4820	4300	PURCHASE.exe	cleanmgr.exe

C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SysWOW64\cleanmgr.exe
"C:\Windows\System32\cleanmgr.exe"
2⤵
- Enumerates connected drives
PID:4820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4300-147-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-163-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-164-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-165-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-166-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-167-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-168-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-169-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-170-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-171-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-172-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-173-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-174-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-175-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-176-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-177-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-178-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-179-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-180-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-181-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-182-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-183-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-184-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-185-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-186-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-187-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-188-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-189-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-190-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-191-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-192-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-193-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-194-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-195-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-196-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-197-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-198-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-199-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-200-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-201-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-202-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-204-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-203-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-205-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-206-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-209-0x0000000050410000-0x000000005043D000-memory.dmp

Filesize
180KB

Download
memory/4300-210-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-211-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-212-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-213-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-214-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-215-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-216-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-217-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-218-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-219-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-220-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-221-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-222-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-224-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-223-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-225-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4300-226-0x0000000003AD0000-0x0000000003B6C000-memory.dmp

Filesize
624KB

Download
memory/4820-207-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads