modiloader | d69fa812e0f838aed138fd42c00d23d531a70710687f36cbd954bdec77d4faf8

General

Target

d69fa812e0f838aed138fd42c00d23d531a70710687f36cbd954bdec77d4faf8.exe
Size

414KB
MD5

69c640721d56e29dde88a6015ee316ad
SHA1

d2ac02e3dec5a5d54ef59ddada7c42aa4acbe411
SHA256

d69fa812e0f838aed138fd42c00d23d531a70710687f36cbd954bdec77d4faf8
SHA512

6a78c4d04012a421832e8bd85fc071736a48be54e8b2bbff36642838da854d5c30053dc30f42f11ec75c72e15a1ec17c3f9eae8749ac9b0089c839be7d8da957
SSDEEP

6144:IKrxiyLvmWVXGlbA24ZjUPcajcUAOmhKo6iYK32FLUSdlFh6w4/nIVgcHw:VtLXh+owPcajlmh11M3ZUw4/DcQ

Score

10^/10

modiloader discovery evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral1/files/0x00060000000142d6-55.dat	modiloader_stage2
behavioral1/files/0x00060000000142d6-58.dat	modiloader_stage2
behavioral1/files/0x00060000000142d6-56.dat	modiloader_stage2
behavioral1/files/0x00060000000142d6-60.dat	modiloader_stage2
behavioral1/files/0x00060000000142d6-61.dat	modiloader_stage2
behavioral1/files/0x00150000000054ab-63.dat	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2028	server.exe
984	mstwain32.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe	d69fa812e0f838aed138fd42c00d23d531a70710687f36cbd954bdec77d4faf8.exe

Loads dropped DLL 3 IoCs

pid	Process
2000	d69fa812e0f838aed138fd42c00d23d531a70710687f36cbd954bdec77d4faf8.exe
2000	d69fa812e0f838aed138fd42c00d23d531a70710687f36cbd954bdec77d4faf8.exe
2028	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	mstwain32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	server.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	d69fa812e0f838aed138fd42c00d23d531a70710687f36cbd954bdec77d4faf8.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	d69fa812e0f838aed138fd42c00d23d531a70710687f36cbd954bdec77d4faf8.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe
File created	C:\Windows\mstwain32.exe	server.exe
File opened for modification	C:\Windows\mstwain32.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	server.exe
Token: SeBackupPrivilege	1732	vssvc.exe
Token: SeRestorePrivilege	1732	vssvc.exe
Token: SeAuditPrivilege	1732	vssvc.exe
Token: SeDebugPrivilege	984	mstwain32.exe
Token: SeDebugPrivilege	984	mstwain32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
984	mstwain32.exe
984	mstwain32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2028	2000	d69fa812e0f838aed138fd42c00d23d531a70710687f36cbd954bdec77d4faf8.exe	27
PID 2000 wrote to memory of 2028	2000	d69fa812e0f838aed138fd42c00d23d531a70710687f36cbd954bdec77d4faf8.exe	27
PID 2000 wrote to memory of 2028	2000	d69fa812e0f838aed138fd42c00d23d531a70710687f36cbd954bdec77d4faf8.exe	27
PID 2000 wrote to memory of 2028	2000	d69fa812e0f838aed138fd42c00d23d531a70710687f36cbd954bdec77d4faf8.exe	27
PID 2028 wrote to memory of 984	2028	server.exe	32
PID 2028 wrote to memory of 984	2028	server.exe	32
PID 2028 wrote to memory of 984	2028	server.exe	32
PID 2028 wrote to memory of 984	2028	server.exe	32

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\d69fa812e0f838aed138fd42c00d23d531a70710687f36cbd954bdec77d4faf8.exe
"C:\Users\Admin\AppData\Local\Temp\d69fa812e0f838aed138fd42c00d23d531a70710687f36cbd954bdec77d4faf8.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe

Filesize
270KB

MD5
8b6c9f098b0a4d99ddf2b62fb6f93878

SHA1
4ae585cdbba74df272d602c3a7e23c5e425ceb6d

SHA256
acff69472697cb2a32a6b9fe6b6e7dfc2f28cd8785ea028982a60f799ac3a41a

SHA512
7a4ac40edf0167d609ab57da2327bdc49f2b9349f98bc47c12bcae1b18ba190997e2a452662ae891a1263a0da7bed27ddefbb99559f699380f85c94b2212b6c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe

Filesize
270KB

MD5
8b6c9f098b0a4d99ddf2b62fb6f93878

SHA1
4ae585cdbba74df272d602c3a7e23c5e425ceb6d

SHA256
acff69472697cb2a32a6b9fe6b6e7dfc2f28cd8785ea028982a60f799ac3a41a

SHA512
7a4ac40edf0167d609ab57da2327bdc49f2b9349f98bc47c12bcae1b18ba190997e2a452662ae891a1263a0da7bed27ddefbb99559f699380f85c94b2212b6c3

Download Submit
C:\Windows\mstwain32.exe

Filesize
270KB

MD5
8b6c9f098b0a4d99ddf2b62fb6f93878

SHA1
4ae585cdbba74df272d602c3a7e23c5e425ceb6d

SHA256
acff69472697cb2a32a6b9fe6b6e7dfc2f28cd8785ea028982a60f799ac3a41a

SHA512
7a4ac40edf0167d609ab57da2327bdc49f2b9349f98bc47c12bcae1b18ba190997e2a452662ae891a1263a0da7bed27ddefbb99559f699380f85c94b2212b6c3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe

Filesize
270KB

MD5
8b6c9f098b0a4d99ddf2b62fb6f93878

SHA1
4ae585cdbba74df272d602c3a7e23c5e425ceb6d

SHA256
acff69472697cb2a32a6b9fe6b6e7dfc2f28cd8785ea028982a60f799ac3a41a

SHA512
7a4ac40edf0167d609ab57da2327bdc49f2b9349f98bc47c12bcae1b18ba190997e2a452662ae891a1263a0da7bed27ddefbb99559f699380f85c94b2212b6c3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe

Filesize
270KB

MD5
8b6c9f098b0a4d99ddf2b62fb6f93878

SHA1
4ae585cdbba74df272d602c3a7e23c5e425ceb6d

SHA256
acff69472697cb2a32a6b9fe6b6e7dfc2f28cd8785ea028982a60f799ac3a41a

SHA512
7a4ac40edf0167d609ab57da2327bdc49f2b9349f98bc47c12bcae1b18ba190997e2a452662ae891a1263a0da7bed27ddefbb99559f699380f85c94b2212b6c3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe

Filesize
270KB

MD5
8b6c9f098b0a4d99ddf2b62fb6f93878

SHA1
4ae585cdbba74df272d602c3a7e23c5e425ceb6d

SHA256
acff69472697cb2a32a6b9fe6b6e7dfc2f28cd8785ea028982a60f799ac3a41a

SHA512
7a4ac40edf0167d609ab57da2327bdc49f2b9349f98bc47c12bcae1b18ba190997e2a452662ae891a1263a0da7bed27ddefbb99559f699380f85c94b2212b6c3

Download Submit
memory/984-65-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/2000-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads