modiloader | b900dd698fea206608791c55bd3708a61f215cbf1399fef5bc04695b400b8b8f

General

Target

b900dd698fea206608791c55bd3708a61f215cbf1399fef5bc04695b400b8b8f.exe
Size

270KB
MD5

6b4c24fe7123645f29dac956fc30ccdd
SHA1

8cb7006d641aa187b759db589e52558a0c1da60b
SHA256

b900dd698fea206608791c55bd3708a61f215cbf1399fef5bc04695b400b8b8f
SHA512

096122f41b169c1557dbfa182815a35a5effca8e5ce9dabe994cb8e3a4b1c8647740c5fa7b5e3a37a3d3214f1bdaffd2548d2c1c81b78b75f479cb909e29bc42
SSDEEP

6144:GzI8jZ7rvaU3+mWrhoSHOI8jZ7rvaU3+mWrhoSf:LeFzFYoSfeFzFYoSf

Score

10^/10

modiloader evasion trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	turcoteste.exe

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/4568-139-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/664-145-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/664-146-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
664	turcoteste.exe
4568	turcoteste.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000022e05-135.dat	upx
behavioral2/files/0x000c000000022e05-136.dat	upx
behavioral2/files/0x000c000000022e05-138.dat	upx
behavioral2/memory/4568-139-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/664-145-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/664-146-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b900dd698fea206608791c55bd3708a61f215cbf1399fef5bc04695b400b8b8f.exe

Loads dropped DLL 4 IoCs

pid	Process
664	turcoteste.exe
664	turcoteste.exe
664	turcoteste.exe
664	turcoteste.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	turcoteste.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	turcoteste.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	664	turcoteste.exe
Token: SeDebugPrivilege	664	turcoteste.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2184	b900dd698fea206608791c55bd3708a61f215cbf1399fef5bc04695b400b8b8f.exe
664	turcoteste.exe
664	turcoteste.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 664	2184	b900dd698fea206608791c55bd3708a61f215cbf1399fef5bc04695b400b8b8f.exe	83
PID 2184 wrote to memory of 664	2184	b900dd698fea206608791c55bd3708a61f215cbf1399fef5bc04695b400b8b8f.exe	83
PID 2184 wrote to memory of 664	2184	b900dd698fea206608791c55bd3708a61f215cbf1399fef5bc04695b400b8b8f.exe	83
PID 2184 wrote to memory of 4568	2184	b900dd698fea206608791c55bd3708a61f215cbf1399fef5bc04695b400b8b8f.exe	84
PID 2184 wrote to memory of 4568	2184	b900dd698fea206608791c55bd3708a61f215cbf1399fef5bc04695b400b8b8f.exe	84
PID 2184 wrote to memory of 4568	2184	b900dd698fea206608791c55bd3708a61f215cbf1399fef5bc04695b400b8b8f.exe	84

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	turcoteste.exe

C:\Users\Admin\AppData\Local\Temp\b900dd698fea206608791c55bd3708a61f215cbf1399fef5bc04695b400b8b8f.exe
"C:\Users\Admin\AppData\Local\Temp\b900dd698fea206608791c55bd3708a61f215cbf1399fef5bc04695b400b8b8f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\turcoteste.exe
  "C:\turcoteste.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:664
- C:\turcoteste.exe
  "C:\turcoteste.exe"
  2⤵
  - Executes dropped EXE
  PID:4568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\cmsetac.dll

Filesize
33KB

MD5
5e5615bf986daae637ff047cec376413

SHA1
3df3dad6d4ee170410ee4fff1126f2c152393b58

SHA256
feebd7c290fb845f789c0216317fc9f98ed86ded6216a4c64d28cd274b8c13f2

SHA512
706bcec52abbabdd142635aa816bbbb104d729a5a97013b750f4986055bb065ee47c80f8fcbbaa3f4b1a4fb59856a0ce58e468881a02b3ca4f366fe6aa654f5a

Download Submit
C:\cmsetac.dll

Filesize
33KB

MD5
5e5615bf986daae637ff047cec376413

SHA1
3df3dad6d4ee170410ee4fff1126f2c152393b58

SHA256
feebd7c290fb845f789c0216317fc9f98ed86ded6216a4c64d28cd274b8c13f2

SHA512
706bcec52abbabdd142635aa816bbbb104d729a5a97013b750f4986055bb065ee47c80f8fcbbaa3f4b1a4fb59856a0ce58e468881a02b3ca4f366fe6aa654f5a

Download Submit
C:\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
C:\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
C:\turcoteste.exe

Filesize
111KB

MD5
838f91f542d9115992d32d4fdcdbdf92

SHA1
31d69c64fd2e34daeed66204cc2b6bea67bc1b36

SHA256
eba4e3b89aec1653460c3fbc6c04b370b18cb7758a41277dbac694a3ba834a44

SHA512
0c023ce20738aca8bb016bbbd04f14959bb4e89630920b1fd55ec86a3f49e056d58258af08a631398bfc0f5eb929b28bd9216d61492680a993db92f3e4e483d7

Download Submit
C:\turcoteste.exe

Filesize
111KB

MD5
838f91f542d9115992d32d4fdcdbdf92

SHA1
31d69c64fd2e34daeed66204cc2b6bea67bc1b36

SHA256
eba4e3b89aec1653460c3fbc6c04b370b18cb7758a41277dbac694a3ba834a44

SHA512
0c023ce20738aca8bb016bbbd04f14959bb4e89630920b1fd55ec86a3f49e056d58258af08a631398bfc0f5eb929b28bd9216d61492680a993db92f3e4e483d7

Download Submit
C:\turcoteste.exe

Filesize
111KB

MD5
838f91f542d9115992d32d4fdcdbdf92

SHA1
31d69c64fd2e34daeed66204cc2b6bea67bc1b36

SHA256
eba4e3b89aec1653460c3fbc6c04b370b18cb7758a41277dbac694a3ba834a44

SHA512
0c023ce20738aca8bb016bbbd04f14959bb4e89630920b1fd55ec86a3f49e056d58258af08a631398bfc0f5eb929b28bd9216d61492680a993db92f3e4e483d7

Download Submit
memory/664-144-0x00000000031C0000-0x00000000031CE000-memory.dmp

Filesize
56KB

Download
memory/664-145-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/664-146-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4568-139-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads