modiloader | 8ee943ff614abcb79e9c50b0ca7a6f310b1fb90651645ffdf72effb329fe2df9

General

Target

8ee943ff614abcb79e9c50b0ca7a6f310b1fb90651645ffdf72effb329fe2df9.exe
Size

622KB
MD5

6cd6afb063e79f1a6fd50c89e4f37350
SHA1

ea49be99110258187e47c7dc407145cfd18e3a5e
SHA256

8ee943ff614abcb79e9c50b0ca7a6f310b1fb90651645ffdf72effb329fe2df9
SHA512

5964846742848ece921c171a8d107b0afac0479e619c48b6563e5ead993468f49ffeed4a44013269c0e8ef4cd0b6aebf86027344f7681805128cb5eaf1eb859c
SSDEEP

12288:GVhUPFUX2PYtPNJvfEGopcHySFdHKDOgwsngQwwlWhGf0zl+arC:G7UPFUGP6JfEGoCHFFdHOfn5wwlqGf5z

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/4472-144-0x0000000000400000-0x0000000000513000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
4472	uninstsq.exe
4640	huan.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000022f34-138.dat	upx
behavioral2/files/0x0009000000022f34-139.dat	upx
behavioral2/memory/4640-143-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4640-145-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	8ee943ff614abcb79e9c50b0ca7a6f310b1fb90651645ffdf72effb329fe2df9.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	uninstsq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D173E10A-001D-4318-9822-8C97A8418482}	huan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D173E10A-001D-4318-9822-8C97A8418482}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\huan.exe"	huan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\huan.ExternalNSHandler\Clsid	huan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D173E10A-001D-4318-9822-8C97A8418482}\ProgID	huan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\huan.eBookNSHandler	huan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D173E10A-001D-4318-9822-8C97A8418482}\ = "ExternalNSHandler"	huan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\huan.ExternalNSHandler\Clsid\ = "{D173E10A-001D-4318-9822-8C97A8418482}"	huan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\huan.eBookNSHandler\Clsid	huan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D173E10A-001D-4318-9822-8C97A8418482}\ProgID\ = "huan.ExternalNSHandler"	huan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C453F21-396D-11D5-9734-70E252C10127}\ = "eBookNSHandler"	huan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C453F21-396D-11D5-9734-70E252C10127}\LocalServer32	huan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\huan.eBookNSHandler\ = "eBookNSHandler"	huan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C453F21-396D-11D5-9734-70E252C10127}\ProgID\ = "huan.eBookNSHandler"	huan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D173E10A-001D-4318-9822-8C97A8418482}\LocalServer32	huan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\huan.ExternalNSHandler	huan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\huan.ExternalNSHandler\ = "ExternalNSHandler"	huan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C453F21-396D-11D5-9734-70E252C10127}	huan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C453F21-396D-11D5-9734-70E252C10127}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\huan.exe"	huan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\huan.eBookNSHandler\Clsid\ = "{9C453F21-396D-11D5-9734-70E252C10127}"	huan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C453F21-396D-11D5-9734-70E252C10127}\ProgID	huan.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4640	huan.exe
4640	huan.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4472	4596	8ee943ff614abcb79e9c50b0ca7a6f310b1fb90651645ffdf72effb329fe2df9.exe	80
PID 4596 wrote to memory of 4472	4596	8ee943ff614abcb79e9c50b0ca7a6f310b1fb90651645ffdf72effb329fe2df9.exe	80
PID 4596 wrote to memory of 4472	4596	8ee943ff614abcb79e9c50b0ca7a6f310b1fb90651645ffdf72effb329fe2df9.exe	80
PID 4596 wrote to memory of 4640	4596	8ee943ff614abcb79e9c50b0ca7a6f310b1fb90651645ffdf72effb329fe2df9.exe	81
PID 4596 wrote to memory of 4640	4596	8ee943ff614abcb79e9c50b0ca7a6f310b1fb90651645ffdf72effb329fe2df9.exe	81
PID 4596 wrote to memory of 4640	4596	8ee943ff614abcb79e9c50b0ca7a6f310b1fb90651645ffdf72effb329fe2df9.exe	81
PID 4472 wrote to memory of 2720	4472	uninstsq.exe	82
PID 4472 wrote to memory of 2720	4472	uninstsq.exe	82

C:\Users\Admin\AppData\Local\Temp\8ee943ff614abcb79e9c50b0ca7a6f310b1fb90651645ffdf72effb329fe2df9.exe
"C:\Users\Admin\AppData\Local\Temp\8ee943ff614abcb79e9c50b0ca7a6f310b1fb90651645ffdf72effb329fe2df9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Local\Temp\uninstsq.exe
  "C:\Users\Admin\AppData\Local\Temp\uninstsq.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:2720
- C:\Users\Admin\AppData\Local\Temp\huan.exe
  "C:\Users\Admin\AppData\Local\Temp\huan.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\huan.exe

Filesize
290KB

MD5
2ec96c1028047400f9526ed091371711

SHA1
f1c96171c862f203b26ea1d20ab23ff74e42f15a

SHA256
bc879649b1ce3aa472db3821fa4794c8aeadace28a332defecf8a47f42ec385f

SHA512
5dab95a35125e8868175ebe472a03987516b206e9766f6fe970ceb100c438ab78608beb46adb950d55f5b2c3e000a2f78e904adcddbe8c61690ff91e3a0b9459

Download Submit
C:\Users\Admin\AppData\Local\Temp\huan.exe

Filesize
290KB

MD5
2ec96c1028047400f9526ed091371711

SHA1
f1c96171c862f203b26ea1d20ab23ff74e42f15a

SHA256
bc879649b1ce3aa472db3821fa4794c8aeadace28a332defecf8a47f42ec385f

SHA512
5dab95a35125e8868175ebe472a03987516b206e9766f6fe970ceb100c438ab78608beb46adb950d55f5b2c3e000a2f78e904adcddbe8c61690ff91e3a0b9459

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninstsq.exe

Filesize
310KB

MD5
679bfd3cb3068feb398c360b85714261

SHA1
824d572e847cb2ffec3edb396050fae30cfce9c2

SHA256
5982ff476d49a72525f4c5cfa5b6d6310528fa2f856d14507cdaf74d04c743e0

SHA512
57ac02f912fe05a1b64ef652d8c9d7ca509fcfbbd32b8565d571fcea95eae04e847f81ba51f8dd4d9377d8018818c56dc999c801e9e44313a33840318e40e2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninstsq.exe

Filesize
310KB

MD5
679bfd3cb3068feb398c360b85714261

SHA1
824d572e847cb2ffec3edb396050fae30cfce9c2

SHA256
5982ff476d49a72525f4c5cfa5b6d6310528fa2f856d14507cdaf74d04c743e0

SHA512
57ac02f912fe05a1b64ef652d8c9d7ca509fcfbbd32b8565d571fcea95eae04e847f81ba51f8dd4d9377d8018818c56dc999c801e9e44313a33840318e40e2a0

Download Submit
memory/4472-141-0x00000000007E0000-0x00000000007E4000-memory.dmp

Filesize
16KB

Download
memory/4472-142-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/4472-144-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/4596-133-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4596-140-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4596-132-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4640-143-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4640-145-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download

Analysis

Sharing