modiloader | 62184398a535b5aa0ccd7457470cdb9ab4fc22aaaed11a19cef2ddba8d75eaf5

Analysis

max time kernel
97s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6b2d57e8ce70dae5585a096e2e17619.exe
Size

524KB
MD5

c6b2d57e8ce70dae5585a096e2e17619
SHA1

a61e6e668205f7fbdd2bc03dbd9e1ae85c9af241
SHA256

62184398a535b5aa0ccd7457470cdb9ab4fc22aaaed11a19cef2ddba8d75eaf5
SHA512

91c8895086107b72f48988ed807518630529646df26c094e4c4251ef58dc7a099bd59760c92f5ebaf9359d8e5196a4bfd1e3ced0dd8cb0634d0c27bbb8036f23
SSDEEP

6144:PHoex1r1iKzGkYj+eNnHNvdySJbsSt+c4yR83tahDYz2aUIsR3GiXMj9KpJzLIW:/bL6k2+Ak6+hyy3E0bUBR3G2LIW

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2024 360 mshta.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	360	mshta.exe

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1696-132-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral2/memory/1696-133-0x0000000000400000-0x000000000048C1E8-memory.dmp	modiloader_stage2
behavioral2/memory/1696-134-0x0000000000400000-0x000000000048C1E8-memory.dmp	modiloader_stage2
behavioral2/memory/1696-135-0x0000000002480000-0x000000000255C000-memory.dmp	modiloader_stage2
behavioral2/memory/1696-136-0x0000000002480000-0x000000000255C000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation mshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3088 powershell.exe
3088 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3088 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c6b2d57e8ce70dae5585a096e2e17619.exe

pid process

1696 c6b2d57e8ce70dae5585a096e2e17619.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	mshta.exe

pid	process
3088	powershell.exe
3088	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3088	powershell.exe

pid	process
1696	c6b2d57e8ce70dae5585a096e2e17619.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

mshta.exe

description	pid	process	target process
PID 2024 wrote to memory of 3088	2024	mshta.exe	powershell.exe
PID 2024 wrote to memory of 3088	2024	mshta.exe	powershell.exe
PID 2024 wrote to memory of 3088	2024	mshta.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\c6b2d57e8ce70dae5585a096e2e17619.exe
"C:\Users\Admin\AppData\Local\Temp\c6b2d57e8ce70dae5585a096e2e17619.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:ydp6m="a1OP";a34J=new%20ActiveXObject("WScript.Shell");YMD5TQ="YaWHQ";ZaSX0=a34J.RegRead("HKCU\\software\\Ibyn6q7\\SQdpKN");kW7LpvzG="hxvhC";eval(ZaSX0);Z9IWFFrH="axcipuf";
1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:ofxhviq
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1696-132-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1696-133-0x0000000000400000-0x000000000048C1E8-memory.dmp

Filesize
560KB

Download
memory/1696-134-0x0000000000400000-0x000000000048C1E8-memory.dmp

Filesize
560KB

Download
memory/1696-135-0x0000000002480000-0x000000000255C000-memory.dmp

Filesize
880KB

Download
memory/1696-136-0x0000000002480000-0x000000000255C000-memory.dmp

Filesize
880KB

Download
memory/3088-138-0x0000000000000000-mapping.dmp

Download
memory/3088-139-0x0000000005390000-0x00000000053C6000-memory.dmp

Filesize
216KB

Download
memory/3088-140-0x0000000005A70000-0x0000000006098000-memory.dmp

Filesize
6.2MB

Download
memory/3088-141-0x0000000005990000-0x00000000059B2000-memory.dmp

Filesize
136KB

Download
memory/3088-142-0x0000000006190000-0x00000000061F6000-memory.dmp

Filesize
408KB

Download
memory/3088-143-0x0000000006200000-0x0000000006266000-memory.dmp

Filesize
408KB

Download
memory/3088-144-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/3088-145-0x0000000007EA0000-0x000000000851A000-memory.dmp

Filesize
6.5MB

Download
memory/3088-146-0x00000000077F0000-0x000000000780A000-memory.dmp

Filesize
104KB

Download