modiloader | 20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f

General

Target

20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe
Size

110KB
MD5

e166fb94ed630e8c28b9d8d7c075ac5e
SHA1

787f78ecf6ff5464bf0caf50ab9d66853ca194d4
SHA256

20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f
SHA512

31bf35af5be5b7d1436cc4689574be0187c7448844caa67e54c124ad621db6141573510f4d7387dc4e2ead9eb62501895883026828ce928e055b560a4370460a
SSDEEP

1536:GVuNAXTj4Fj/91/NnLZqeWEPVpa8DzePjkgcwYS7S5+Vfk09+2v/oozy1tnouy8:koy8j7VnNdrPHaSekwi+mW+2Yo+bout

Score

10^/10

modiloader evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/1404-55-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1404-55-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1404	20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe
1404	20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe"	20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe
Token: SeBackupPrivilege	1540	vssvc.exe
Token: SeRestorePrivilege	1540	vssvc.exe
Token: SeAuditPrivilege	1540	vssvc.exe
Token: SeDebugPrivilege	1404	20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1404	20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe
1404	20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe

C:\Users\Admin\AppData\Local\Temp\20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe
"C:\Users\Admin\AppData\Local\Temp\20dbc1faf66da02f01d32ac9833e5a028f7d388afebc0c04f38f29e06e32bc6f.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\cmsetac.dll

Filesize
33KB

MD5
a68584e105a94be86cf823bee1eac759

SHA1
0c83edd6e22c756a6c3ba91d6dc7b32e3db7fbfa

SHA256
2b500b4be7ee4021f0553f68223f183dbc230be2e1ba6bd8bc36a7887d18cf2b

SHA512
1c106f9a4e7eb5571f3123d6bafa49cc938749bbfced5a3d1baf8b60497cf7bcd9820e77101b168fae4e37d612bcc40a294c62141af1c0099843aaeb241a524f

Download Submit
\Users\Admin\AppData\Local\Temp\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/1404-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1404-55-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1404-58-0x0000000001D80000-0x0000000001D8E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads