modiloader | a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd

Analysis

max time kernel
135s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe
Size

476KB
MD5

653d1a10b18c832f9a1668dfd2d2e622
SHA1

1b124dad73ee3005b47a0ea7ffcd6fcb7be3139a
SHA256

a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd
SHA512

954e62e3c8bf6f506aa8b87cdca1edcfcd49d085ea037873608f91ff71679d8fecfc0856c9716b247acc9e22837dad37dce88fe6dc8e03de93e5bef7f365f7d7
SSDEEP

12288:9s8I65X4f9cbWu/axAgPH7Yw+eVP3rn8jotmsa761N7toG2Rg:9RWuPubHVP3rmtsa7613sg

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	2316	mshta.exe	45

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/5104-135-0x0000000000400000-0x000000000047C000-memory.dmp	modiloader_stage2
behavioral2/memory/5104-137-0x0000000000060000-0x0000000000120000-memory.dmp	modiloader_stage2
behavioral2/memory/5104-146-0x0000000000060000-0x0000000000120000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
5104	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe
5104	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe
3740	powershell.exe
3740	powershell.exe
3740	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3740	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3588	5104	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe	84
PID 5104 wrote to memory of 3588	5104	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe	84
PID 5104 wrote to memory of 3588	5104	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe	84
PID 5104 wrote to memory of 344	5104	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe	86
PID 5104 wrote to memory of 344	5104	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe	86
PID 5104 wrote to memory of 344	5104	a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe	86
PID 4424 wrote to memory of 3740	4424	mshta.exe	95
PID 4424 wrote to memory of 3740	4424	mshta.exe	95
PID 4424 wrote to memory of 3740	4424	mshta.exe	95

C:\Users\Admin\AppData\Local\Temp\a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe
"C:\Users\Admin\AppData\Local\Temp\a61c98ea366af19c5b996674c2876d5a7f981e305342a0eaf0150b0ca6adf5bd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c /IM
  2⤵
  PID:344

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:Emt5uMc="3ib6y";Oy05=new%20ActiveXObject("WScript.Shell");cjiHtZ2zH="F3Dxeh";WUN5E=Oy05.RegRead("HKLM\\software\\Wow6432Node\\rMSexa\\gLyOZ5Pz9H");yoViUJw3="02ORa1mb13";eval(WUN5E);d5sYALl="md3J";
1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:lwvlopzq
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3740-144-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/3740-148-0x00000000068C0000-0x00000000068DA000-memory.dmp

Filesize
104KB

Download
memory/3740-147-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/3740-139-0x0000000002CA0000-0x0000000002CD6000-memory.dmp

Filesize
216KB

Download
memory/3740-140-0x0000000005780000-0x0000000005DA8000-memory.dmp

Filesize
6.2MB

Download
memory/3740-145-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/3740-142-0x00000000056F0000-0x0000000005712000-memory.dmp

Filesize
136KB

Download
memory/3740-143-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/5104-137-0x0000000000060000-0x0000000000120000-memory.dmp

Filesize
768KB

Download
memory/5104-141-0x0000000002990000-0x00000000029D2000-memory.dmp

Filesize
264KB

Download
memory/5104-146-0x0000000000060000-0x0000000000120000-memory.dmp

Filesize
768KB

Download
memory/5104-135-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5104-134-0x0000000002990000-0x00000000029D2000-memory.dmp

Filesize
264KB

Download