modiloader | b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226

Analysis

max time kernel
142s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226.exe
Size

350KB
MD5

33e4035e409d8b1f24f6dbb42fbac637
SHA1

b1f91d896bf59b434cc164ea8dd440a82edbb543
SHA256

b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226
SHA512

7a68fe0be6e4ff29de7d9e563ddd3506d30a84fc76e1b57cc382db9043d54b44a5d61ad90352f1e8a957bc4b707e89584711ebfcbee926eed5d6a7df4002e08d
SSDEEP

6144:vZFPzNJtUTidCOKQzHaHXrFnk8iEgxeBgOCF+dg384dyzKX/GUaokGd:vvPzNJtUTidCMa3Rnk8iHxeBcggdszKh

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	4864	mshta.exe	83

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/4208-133-0x0000000000400000-0x000000000045D000-memory.dmp	modiloader_stage2
behavioral2/memory/4208-134-0x0000000002900000-0x00000000029C0000-memory.dmp	modiloader_stage2
behavioral2/memory/4208-145-0x0000000002900000-0x00000000029C0000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4168	powershell.exe
4168	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4168	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 4168	1044	mshta.exe	85
PID 1044 wrote to memory of 4168	1044	mshta.exe	85
PID 1044 wrote to memory of 4168	1044	mshta.exe	85

C:\Users\Admin\AppData\Local\Temp\b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226.exe
"C:\Users\Admin\AppData\Local\Temp\b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226.exe"
1⤵
PID:4208

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:zlNt0U4zqT="xOYUjE4QI";l6m=new%20ActiveXObject("WScript.Shell");gDgJkL96FL="ENF7g0h";QsI5F9=l6m.RegRead("HKLM\\software\\Wow6432Node\\6c11Ci\\wnsWfoW9");yxTzAi49K="B8e";eval(QsI5F9);MYLbfQ35x="BZI";
1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:tcej
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4168-139-0x0000000005910000-0x0000000005932000-memory.dmp

Filesize
136KB

Download
memory/4168-137-0x0000000005300000-0x0000000005336000-memory.dmp

Filesize
216KB

Download
memory/4168-138-0x0000000005970000-0x0000000005F98000-memory.dmp

Filesize
6.2MB

Download
memory/4168-140-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/4168-141-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/4168-142-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/4168-143-0x0000000007F70000-0x00000000085EA000-memory.dmp

Filesize
6.5MB

Download
memory/4168-144-0x0000000006C40000-0x0000000006C5A000-memory.dmp

Filesize
104KB

Download
memory/4208-133-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4208-134-0x0000000002900000-0x00000000029C0000-memory.dmp

Filesize
768KB

Download
memory/4208-132-0x0000000002440000-0x0000000002468000-memory.dmp

Filesize
160KB

Download
memory/4208-145-0x0000000002900000-0x00000000029C0000-memory.dmp

Filesize
768KB

Download