modiloader | 0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412

General

Target

0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe
Size

432KB
MD5

925d3742d51d76734a7241adfe3ff059
SHA1

6c0eb873024fcfdf0863afa9de6c27c95b276712
SHA256

0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412
SHA512

ded3bbf8317677939a8449682e4151e9253efe87b8e2320f57e0dff8ac29c8957b1e4ff3b90d48c11523bb13e9f7585f237d4546c9d008a824aafe5485cf25d4
SSDEEP

6144:DBgh/58KGip9lmh0UwwDdxtPw13OyhFR8uHQaEFmgOds2RshSP1p7a1ZLcPR2GTs:DBMmKGnhDT+JlCraEFmgOFSwYA2G5rQ3

Score

10^/10

modiloader evasion trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/1272-65-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/1272-66-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/1272-70-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1272-56-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1272-58-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1272-59-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1632-62-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/1272-64-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1272-65-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1272-66-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1272-70-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1272	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe
1272	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1632-62-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 1272	1632	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe
Token: SeBackupPrivilege	724	vssvc.exe
Token: SeRestorePrivilege	724	vssvc.exe
Token: SeAuditPrivilege	724	vssvc.exe
Token: SeDebugPrivilege	1272	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1272	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe
1272	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1272	1632	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe	28
PID 1632 wrote to memory of 1272	1632	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe	28
PID 1632 wrote to memory of 1272	1632	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe	28
PID 1632 wrote to memory of 1272	1632	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe	28
PID 1632 wrote to memory of 1272	1632	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe	28
PID 1632 wrote to memory of 1272	1632	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe	28
PID 1632 wrote to memory of 1272	1632	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe	28

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe

C:\Users\Admin\AppData\Local\Temp\0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe
"C:\Users\Admin\AppData\Local\Temp\0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe
  "C:\Users\Admin\AppData\Local\Temp\0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe"
  2⤵
  - UAC bypass
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\cmsetac.dll

Filesize
33KB

MD5
1281d16fa3141bfe8562bf519d9148da

SHA1
8c19b1cf6c979b8960b451d073f83c6557c72d26

SHA256
c404b6e3bd67392768fcc1690767edad918bf3c0cc9f474ac93b90ef688be141

SHA512
d668a99327ea99519088fb8fcebda538c44819e51e7a79e3c8a20ee02c6715eda7f3636551bad1fcc92dd4a4054605776ee0feaac1b17a7c566b27d0b0100042

Download Submit
\Users\Admin\AppData\Local\Temp\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/1272-66-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1272-58-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1272-59-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1272-64-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1272-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1272-56-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1272-69-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/1272-55-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1272-70-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1632-62-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1632-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads