modiloader | 3f73c338d5d3a65e2461ddc4c431836a77baf8282dddad7eedb825014eae7f88

General

Target

3f73c338d5d3a65e2461ddc4c431836a77baf8282dddad7eedb825014eae7f88.exe
Size

110KB
MD5

6082c5122f636fe10751335399835c8f
SHA1

f26932e2e6536bdc71f35c55178ef2f2ead619c6
SHA256

3f73c338d5d3a65e2461ddc4c431836a77baf8282dddad7eedb825014eae7f88
SHA512

28626762d726d5a82a00f5815e66d9a45c33fac0784eac5508cb4f0dd6ee35bbe70ec12d30c8a902c177a1a8d7b4de9ff9896d516d72828c0af73c61e39b3f12
SSDEEP

3072:koy8j7VnNdrPHaSekwi+mW+2lxpm+Z81out:U8jZ7rvaU3+mWrjpz81oS

Score

10^/10

modiloader evasion trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral1/memory/1028-55-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/1028-56-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/1028-60-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/1504-61-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/1504-63-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1504	mstwain32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1028-55-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1028-56-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/files/0x00140000000054ab-58.dat	upx
behavioral1/memory/1028-60-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1504-61-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1504-63-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3f73c338d5d3a65e2461ddc4c431836a77baf8282dddad7eedb825014eae7f88.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\mstwain32.exe	3f73c338d5d3a65e2461ddc4c431836a77baf8282dddad7eedb825014eae7f88.exe
File opened for modification	C:\Windows\mstwain32.exe	3f73c338d5d3a65e2461ddc4c431836a77baf8282dddad7eedb825014eae7f88.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	3f73c338d5d3a65e2461ddc4c431836a77baf8282dddad7eedb825014eae7f88.exe
Token: SeBackupPrivilege	2032	vssvc.exe
Token: SeRestorePrivilege	2032	vssvc.exe
Token: SeAuditPrivilege	2032	vssvc.exe
Token: SeDebugPrivilege	1504	mstwain32.exe
Token: SeDebugPrivilege	1504	mstwain32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1504	mstwain32.exe
1504	mstwain32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 1504	1028	3f73c338d5d3a65e2461ddc4c431836a77baf8282dddad7eedb825014eae7f88.exe	30
PID 1028 wrote to memory of 1504	1028	3f73c338d5d3a65e2461ddc4c431836a77baf8282dddad7eedb825014eae7f88.exe	30
PID 1028 wrote to memory of 1504	1028	3f73c338d5d3a65e2461ddc4c431836a77baf8282dddad7eedb825014eae7f88.exe	30
PID 1028 wrote to memory of 1504	1028	3f73c338d5d3a65e2461ddc4c431836a77baf8282dddad7eedb825014eae7f88.exe	30

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\3f73c338d5d3a65e2461ddc4c431836a77baf8282dddad7eedb825014eae7f88.exe
"C:\Users\Admin\AppData\Local\Temp\3f73c338d5d3a65e2461ddc4c431836a77baf8282dddad7eedb825014eae7f88.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\mstwain32.exe
  "C:\Windows\mstwain32.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mstwain32.exe

Filesize
110KB

MD5
6082c5122f636fe10751335399835c8f

SHA1
f26932e2e6536bdc71f35c55178ef2f2ead619c6

SHA256
3f73c338d5d3a65e2461ddc4c431836a77baf8282dddad7eedb825014eae7f88

SHA512
28626762d726d5a82a00f5815e66d9a45c33fac0784eac5508cb4f0dd6ee35bbe70ec12d30c8a902c177a1a8d7b4de9ff9896d516d72828c0af73c61e39b3f12

Download Submit
memory/1028-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1028-55-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1028-56-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1028-60-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1504-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1504-62-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/1504-63-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads