modiloader | fd163fd39079c61bd16fc6d78e653289400443b771e28b0b15c8bb0e9ca38506

General

Target

fd163fd39079c61bd16fc6d78e653289400443b771e28b0b15c8bb0e9ca38506.exe
Size

235KB
MD5

5fcdf5c35a7cbe6a59524c1f0f328cfb
SHA1

a37be0a5af9e81ff97aaddad0c346dd80eb76b18
SHA256

fd163fd39079c61bd16fc6d78e653289400443b771e28b0b15c8bb0e9ca38506
SHA512

fa7c3d348326cb62264b252a78bea14b8c23ecd1d4a2574e7893b5212bbc9a1b9e8aa67f2a39c08b6a618459d59a57034031cf21bc3ffb4ffe0e751985998014
SSDEEP

3072:3Gvo6giwpW9DGD2VdKvY/gIg/CtTIuOmxkiozXgeXdHwTBf4Wgczc+0ieoM:3G377xS2Vp2CeiorXdwTBgWx4D

Score

10^/10

modiloader evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/memory/944-58-0x0000000000290000-0x000000000029B000-memory.dmp	acprotect

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/files/0x00060000000055d8-56.dat	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
944	mstwain32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/944-58-0x0000000000290000-0x000000000029B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	mstwain32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fd163fd39079c61bd16fc6d78e653289400443b771e28b0b15c8bb0e9ca38506.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\mstwain32.exe	fd163fd39079c61bd16fc6d78e653289400443b771e28b0b15c8bb0e9ca38506.exe
File opened for modification	C:\Windows\mstwain32.exe	fd163fd39079c61bd16fc6d78e653289400443b771e28b0b15c8bb0e9ca38506.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	fd163fd39079c61bd16fc6d78e653289400443b771e28b0b15c8bb0e9ca38506.exe
Token: SeBackupPrivilege	372	vssvc.exe
Token: SeRestorePrivilege	372	vssvc.exe
Token: SeAuditPrivilege	372	vssvc.exe
Token: SeDebugPrivilege	944	mstwain32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
944	mstwain32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 944	1460	fd163fd39079c61bd16fc6d78e653289400443b771e28b0b15c8bb0e9ca38506.exe	30
PID 1460 wrote to memory of 944	1460	fd163fd39079c61bd16fc6d78e653289400443b771e28b0b15c8bb0e9ca38506.exe	30
PID 1460 wrote to memory of 944	1460	fd163fd39079c61bd16fc6d78e653289400443b771e28b0b15c8bb0e9ca38506.exe	30
PID 1460 wrote to memory of 944	1460	fd163fd39079c61bd16fc6d78e653289400443b771e28b0b15c8bb0e9ca38506.exe	30

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\fd163fd39079c61bd16fc6d78e653289400443b771e28b0b15c8bb0e9ca38506.exe
"C:\Users\Admin\AppData\Local\Temp\fd163fd39079c61bd16fc6d78e653289400443b771e28b0b15c8bb0e9ca38506.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\mstwain32.exe
  "C:\Windows\mstwain32.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mstwain32.exe

Filesize
235KB

MD5
5fcdf5c35a7cbe6a59524c1f0f328cfb

SHA1
a37be0a5af9e81ff97aaddad0c346dd80eb76b18

SHA256
fd163fd39079c61bd16fc6d78e653289400443b771e28b0b15c8bb0e9ca38506

SHA512
fa7c3d348326cb62264b252a78bea14b8c23ecd1d4a2574e7893b5212bbc9a1b9e8aa67f2a39c08b6a618459d59a57034031cf21bc3ffb4ffe0e751985998014

Download Submit
memory/944-58-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download
memory/1460-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads