modiloader | 32107a42454e062900cfb8473bb035447a1cdd839fc1808902ab63a6c64988fe

General

Target

PURCHASE.exe
Size

626KB
MD5

a636e2bf0305939dd3ea280d58581d34
SHA1

6fc92b1d61667f4c9356973e65bf569244bbc001
SHA256

32107a42454e062900cfb8473bb035447a1cdd839fc1808902ab63a6c64988fe
SHA512

4157bedd94564aad54b118524727a6241b0d6ae58e911e4611ff87801183a12c23484424565b0dca5c738c13c0e1f7d97c77bae49ce8e23cbde4ded47dc071e6

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PURCHASE.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nxjctqqbv = "C:\\Users\\Public\\Libraries\\vbqqtcjxN.url"	PURCHASE.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1980 1676 WerFault.exe PURCHASE.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1076 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1076 powershell.exe

pid	pid_target	process	target process
1980	1676	WerFault.exe	PURCHASE.exe

pid	process
1076	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1076	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

PURCHASE.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1676 wrote to memory of 1868	1676	PURCHASE.exe	cmd.exe
PID 1676 wrote to memory of 1868	1676	PURCHASE.exe	cmd.exe
PID 1676 wrote to memory of 1868	1676	PURCHASE.exe	cmd.exe
PID 1676 wrote to memory of 1868	1676	PURCHASE.exe	cmd.exe
PID 1868 wrote to memory of 1732	1868	cmd.exe	cmd.exe
PID 1868 wrote to memory of 1732	1868	cmd.exe	cmd.exe
PID 1868 wrote to memory of 1732	1868	cmd.exe	cmd.exe
PID 1868 wrote to memory of 1732	1868	cmd.exe	cmd.exe
PID 1732 wrote to memory of 1668	1732	cmd.exe	net.exe
PID 1732 wrote to memory of 1668	1732	cmd.exe	net.exe
PID 1732 wrote to memory of 1668	1732	cmd.exe	net.exe
PID 1732 wrote to memory of 1668	1732	cmd.exe	net.exe
PID 1668 wrote to memory of 1236	1668	net.exe	net1.exe
PID 1668 wrote to memory of 1236	1668	net.exe	net1.exe
PID 1668 wrote to memory of 1236	1668	net.exe	net1.exe
PID 1668 wrote to memory of 1236	1668	net.exe	net1.exe
PID 1732 wrote to memory of 1076	1732	cmd.exe	powershell.exe
PID 1732 wrote to memory of 1076	1732	cmd.exe	powershell.exe
PID 1732 wrote to memory of 1076	1732	cmd.exe	powershell.exe
PID 1732 wrote to memory of 1076	1732	cmd.exe	powershell.exe
PID 1676 wrote to memory of 1980	1676	PURCHASE.exe	WerFault.exe
PID 1676 wrote to memory of 1980	1676	PURCHASE.exe	WerFault.exe
PID 1676 wrote to memory of 1980	1676	PURCHASE.exe	WerFault.exe
PID 1676 wrote to memory of 1980	1676	PURCHASE.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Libraries\Nxjctqqbvt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\NxjctqqbvO.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:1236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 836
2⤵
- Program crash
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Cdex.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\NxjctqqbvO.bat
Filesize
1KB

MD5
df48c09f243ebcc8a165f77a1c2bf889

SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07

SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Download Submit
C:\Users\Public\Libraries\Nxjctqqbvt.bat
Filesize
58B

MD5
8d7ca5babda35dd26c8d5a9574368846

SHA1
17dbfca3da28f92024347b76f1e2e44526c9d462

SHA256
9d6d886a6ae3f063d6454d48345afbd4d80f812bd02357b9f459b19b77325524

SHA512
801ddbf140a5f1b5e5b6c38972f484408f54126016a39d9d30b657f5cb007c899ee571ff829b6334d843941324332755fb760d20e5e9b965b5ae4ca643b545a1

Download Submit
memory/1076-64-0x0000000000000000-mapping.dmp

Download
memory/1076-66-0x0000000073850000-0x0000000073DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1236-62-0x0000000000000000-mapping.dmp

Download
memory/1668-61-0x0000000000000000-mapping.dmp

Download
memory/1676-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1732-59-0x0000000000000000-mapping.dmp

Download
memory/1868-57-0x0000000000000000-mapping.dmp

Download
memory/1980-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing