modiloader | a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd

General

Target

a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe
Size

476KB
MD5

653d1a10b18c832f9a1668dfd2d2e622
SHA1

1b124dad73ee3005b47a0ea7ffcd6fcb7be3139a
SHA256

a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd
SHA512

954e62e3c8bf6f506aa8b87cdca1edcfcd49d085ea037873608f91ff71679d8fecfc0856c9716b247acc9e22837dad37dce88fe6dc8e03de93e5bef7f365f7d7
SSDEEP

12288:9s8I65X4f9cbWu/axAgPH7Yw+eVP3rn8jotmsa761N7toG2Rg:9RWuPubHVP3rmtsa7613sg

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	1232	mshta.exe	31

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/1720-58-0x0000000000400000-0x000000000047C000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-61-0x0000000000050000-0x0000000000110000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-64-0x0000000000050000-0x0000000000110000-memory.dmp	modiloader_stage2

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1720	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe
2024	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 268	1720	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe	27
PID 1720 wrote to memory of 268	1720	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe	27
PID 1720 wrote to memory of 268	1720	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe	27
PID 1720 wrote to memory of 268	1720	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe	27
PID 1720 wrote to memory of 668	1720	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe	29
PID 1720 wrote to memory of 668	1720	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe	29
PID 1720 wrote to memory of 668	1720	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe	29
PID 1720 wrote to memory of 668	1720	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe	29
PID 1140 wrote to memory of 2024	1140	mshta.exe	33
PID 1140 wrote to memory of 2024	1140	mshta.exe	33
PID 1140 wrote to memory of 2024	1140	mshta.exe	33
PID 1140 wrote to memory of 2024	1140	mshta.exe	33
PID 2024 wrote to memory of 852	2024	powershell.exe	35
PID 2024 wrote to memory of 852	2024	powershell.exe	35
PID 2024 wrote to memory of 852	2024	powershell.exe	35
PID 2024 wrote to memory of 852	2024	powershell.exe	35

C:\Users\Admin\AppData\Local\Temp\a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe
"C:\Users\Admin\AppData\Local\Temp\a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c /IM
  2⤵
  PID:668

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:Czsl7Ikbe="gfhenwV";VX9=new%20ActiveXObject("WScript.Shell");qi8gI7Zsl="XGv45xIXEh";LW60oI=VX9.RegRead("HKLM\\software\\Wow6432Node\\Gg2g26Xa\\VM2ecQ27");KGNEmyk8="h";eval(LW60oI);pQtsk5x="5OOzdh";
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:fiqi
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 476
    3⤵
    PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1720-57-0x00000000022E0000-0x0000000002322000-memory.dmp

Filesize
264KB

Download
memory/1720-58-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1720-61-0x0000000000050000-0x0000000000110000-memory.dmp

Filesize
768KB

Download
memory/1720-63-0x00000000022E0000-0x0000000002322000-memory.dmp

Filesize
264KB

Download
memory/1720-64-0x0000000000050000-0x0000000000110000-memory.dmp

Filesize
768KB

Download
memory/2024-62-0x0000000072E10000-0x00000000733BB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-65-0x0000000072E10000-0x00000000733BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing