modiloader | 39bff9aa1a4551fe7c27316f4fb3bfe0634264901740e64204ae23d6146cebf1

General

Target

39bff9aa1a4551fe7c27316f4fb3bfe0634264901740e64204ae23d6146cebf1.exe
Size

237KB
MD5

17e2fcdbaf0724579c546d6ff79f33a2
SHA1

5fef56eee5488758b969685092213a42cb775463
SHA256

39bff9aa1a4551fe7c27316f4fb3bfe0634264901740e64204ae23d6146cebf1
SHA512

0799ee12f6823f2e159adbb9815eabb45e97e474d518ce45305490708caa174a683d9f102d485caf04e8ff9bcd8141869ab3fd2d2b9be0c56ebac2644bbd0366
SSDEEP

3072:TGvo6giwpW9DGD2VdKvY/gIg/CtTIuOmxkiozXgeXdHwTBf4Wgczc+0ie/53H:TG377xS2Vp2CeiorXdwTBgWx4/53H

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/files/0x00140000000054ab-56.dat	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1836	mstwain32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	mstwain32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	39bff9aa1a4551fe7c27316f4fb3bfe0634264901740e64204ae23d6146cebf1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mstwain32.exe	39bff9aa1a4551fe7c27316f4fb3bfe0634264901740e64204ae23d6146cebf1.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\mstwain32.exe	39bff9aa1a4551fe7c27316f4fb3bfe0634264901740e64204ae23d6146cebf1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	39bff9aa1a4551fe7c27316f4fb3bfe0634264901740e64204ae23d6146cebf1.exe
Token: SeBackupPrivilege	1304	vssvc.exe
Token: SeRestorePrivilege	1304	vssvc.exe
Token: SeAuditPrivilege	1304	vssvc.exe
Token: SeDebugPrivilege	1836	mstwain32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1836	mstwain32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 1836	916	39bff9aa1a4551fe7c27316f4fb3bfe0634264901740e64204ae23d6146cebf1.exe	31
PID 916 wrote to memory of 1836	916	39bff9aa1a4551fe7c27316f4fb3bfe0634264901740e64204ae23d6146cebf1.exe	31
PID 916 wrote to memory of 1836	916	39bff9aa1a4551fe7c27316f4fb3bfe0634264901740e64204ae23d6146cebf1.exe	31
PID 916 wrote to memory of 1836	916	39bff9aa1a4551fe7c27316f4fb3bfe0634264901740e64204ae23d6146cebf1.exe	31

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\39bff9aa1a4551fe7c27316f4fb3bfe0634264901740e64204ae23d6146cebf1.exe
"C:\Users\Admin\AppData\Local\Temp\39bff9aa1a4551fe7c27316f4fb3bfe0634264901740e64204ae23d6146cebf1.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\mstwain32.exe
  "C:\Windows\mstwain32.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mstwain32.exe

Filesize
237KB

MD5
17e2fcdbaf0724579c546d6ff79f33a2

SHA1
5fef56eee5488758b969685092213a42cb775463

SHA256
39bff9aa1a4551fe7c27316f4fb3bfe0634264901740e64204ae23d6146cebf1

SHA512
0799ee12f6823f2e159adbb9815eabb45e97e474d518ce45305490708caa174a683d9f102d485caf04e8ff9bcd8141869ab3fd2d2b9be0c56ebac2644bbd0366

Download Submit
memory/916-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads