modiloader | 5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34

General

Target

5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe
Size

614KB
MD5

64c4b060401081eb18598792c6cab6b9
SHA1

ff1ee61e848a5ae6ae3e7c34bd5c7ae7ed965dab
SHA256

5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34
SHA512

11730fd2df071641c1554a3e0f48e5784bec89f2d00216565fe3c966d40c562429563921bae38d422c9be63ba3c045fc17492dd2f908cdfd0fd82a0849fe9c0a
SSDEEP

12288:iutrzh9xOXkyPaZf7eClizFGi4bOM/aKjhSVaiknpeOzR/0Oqvr0FJUL+LNinxg:iutr5OUyP0zeAAFG9H/aiSVaTpeYhzqW

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral2/files/0x000b000000022e00-134.dat	modiloader_stage2
behavioral2/files/0x000b000000022e00-133.dat	modiloader_stage2
behavioral2/files/0x000b000000022e00-137.dat	modiloader_stage2
behavioral2/files/0x0007000000022e2d-146.dat	modiloader_stage2
behavioral2/files/0x0007000000022e2d-145.dat	modiloader_stage2
behavioral2/files/0x0007000000022e2d-149.dat	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
3384	ptpmcc.exe
4220	ptpmcc.exe
1464	nvvdir.exe
1608	nvvdir.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ptpmcc.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe	ptpmcc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe:Zone.Identifier	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3384 set thread context of 4220	3384	ptpmcc.exe	84
PID 1464 set thread context of 1608	1464	nvvdir.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 3384	4788	5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe	83
PID 4788 wrote to memory of 3384	4788	5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe	83
PID 4788 wrote to memory of 3384	4788	5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe	83
PID 3384 wrote to memory of 4220	3384	ptpmcc.exe	84
PID 3384 wrote to memory of 4220	3384	ptpmcc.exe	84
PID 3384 wrote to memory of 4220	3384	ptpmcc.exe	84
PID 3384 wrote to memory of 4220	3384	ptpmcc.exe	84
PID 3384 wrote to memory of 4220	3384	ptpmcc.exe	84
PID 4220 wrote to memory of 1744	4220	ptpmcc.exe	85
PID 4220 wrote to memory of 1744	4220	ptpmcc.exe	85
PID 4220 wrote to memory of 1744	4220	ptpmcc.exe	85
PID 4220 wrote to memory of 1464	4220	ptpmcc.exe	86
PID 4220 wrote to memory of 1464	4220	ptpmcc.exe	86
PID 4220 wrote to memory of 1464	4220	ptpmcc.exe	86
PID 1464 wrote to memory of 1608	1464	nvvdir.exe	87
PID 1464 wrote to memory of 1608	1464	nvvdir.exe	87
PID 1464 wrote to memory of 1608	1464	nvvdir.exe	87
PID 1464 wrote to memory of 1608	1464	nvvdir.exe	87
PID 1464 wrote to memory of 1608	1464	nvvdir.exe	87

C:\Users\Admin\AppData\Local\Temp\5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe
"C:\Users\Admin\AppData\Local\Temp\5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Local\Temp\ptpmcc.exe
  "C:\Users\Admin\AppData\Local\Temp\ptpmcc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Users\Admin\AppData\Local\Temp\ptpmcc.exe
    "C:\Users\Admin\AppData\Local\Temp\ptpmcc.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C echo>"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe:Zone.Identifier"
      4⤵
      Drops startup file
      PID:1744
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe"
        5⤵
        Executes dropped EXE
        
        PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\info300.xda

Filesize
39B

MD5
457fec66679f39ce2c1397241514cd92

SHA1
ca450296c8c9936837cf8b144dd463d9bfc51fe9

SHA256
01c7e8936ab6b5aae31b84977eb0498623ee0fc70b80a3e3baceb3164d364219

SHA512
6f26234577589095c81e2bc0cded79e22924c32f6710bef344b0183d10cc5953d323bf03d63c1075500d7235148125519b1d9eb0f8ac41ee478ff1c33446d386

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptpmcc.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptpmcc.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptpmcc.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
C:\Users\Admin\AppData\Roaming\info300.xda

Filesize
39B

MD5
457fec66679f39ce2c1397241514cd92

SHA1
ca450296c8c9936837cf8b144dd463d9bfc51fe9

SHA256
01c7e8936ab6b5aae31b84977eb0498623ee0fc70b80a3e3baceb3164d364219

SHA512
6f26234577589095c81e2bc0cded79e22924c32f6710bef344b0183d10cc5953d323bf03d63c1075500d7235148125519b1d9eb0f8ac41ee478ff1c33446d386

Download Submit
memory/1608-152-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1608-155-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-143-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-140-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-139-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-138-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-136-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-154-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing