modiloader | 3615f32cbdbaf020248a4cce6f67327dc796a9040a2e3ae8120c2efe96df7505

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Patch/Patch.exe
Size

132KB
MD5

92c47d3a0013fd2c1afe44806c7928e1
SHA1

fb0a3a8c611da88a1343f1deb3b7daa20527e924
SHA256

3d8c3c63612f5d27f8a4fca992b3a56a6af24033c390b0392e174a5cf7fe2364
SHA512

94332c13ce21a15500992246e0da1317c7372d075ac7d0606e1fb5f95225ea5f2cbecc50a6b7c0cc84e1c807b152d47a0517e959ca55b49beed8838f6c319155
SSDEEP

1536:KyADcqOQbB3fQc8Pfymg0yxpByxzRIt6HdzPesVyY6PbpMhCDmeohEt8T:HyVQtPfymg0sox9XUPbpWeURT

Score

10^/10

modiloader njrat evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022df8-133.dat	modiloader_stage2
behavioral2/files/0x0002000000022df8-134.dat	modiloader_stage2
behavioral2/files/0x0003000000022e00-142.dat	modiloader_stage2
behavioral2/files/0x0003000000022e00-143.dat	modiloader_stage2

Executes dropped EXE 5 IoCs

pid	Process
4412	FB_BA2D.tmp.exe
3764	FB_BD2B.tmp.exe
4880	FB_BD8A.tmp.exe
2592	AdobeUpdate.exe
620	DriverUpdate.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1956	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FB_BD2B.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Patch.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FB_BA2D.tmp.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67b50313b3610dbbe66e30f19a1dbd14.exe	DriverUpdate.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67b50313b3610dbbe66e30f19a1dbd14.exe	DriverUpdate.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate.exe"	AdobeUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\67b50313b3610dbbe66e30f19a1dbd14 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DriverUpdate.exe\" .."	DriverUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\67b50313b3610dbbe66e30f19a1dbd14 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DriverUpdate.exe\" .."	DriverUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe
620	DriverUpdate.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	620	DriverUpdate.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 4412	1536	Patch.exe	80
PID 1536 wrote to memory of 4412	1536	Patch.exe	80
PID 1536 wrote to memory of 4412	1536	Patch.exe	80
PID 1536 wrote to memory of 3764	1536	Patch.exe	81
PID 1536 wrote to memory of 3764	1536	Patch.exe	81
PID 1536 wrote to memory of 3764	1536	Patch.exe	81
PID 1536 wrote to memory of 4880	1536	Patch.exe	82
PID 1536 wrote to memory of 4880	1536	Patch.exe	82
PID 1536 wrote to memory of 4880	1536	Patch.exe	82
PID 4412 wrote to memory of 2592	4412	FB_BA2D.tmp.exe	83
PID 4412 wrote to memory of 2592	4412	FB_BA2D.tmp.exe	83
PID 4412 wrote to memory of 2592	4412	FB_BA2D.tmp.exe	83
PID 3764 wrote to memory of 620	3764	FB_BD2B.tmp.exe	84
PID 3764 wrote to memory of 620	3764	FB_BD2B.tmp.exe	84
PID 3764 wrote to memory of 620	3764	FB_BD2B.tmp.exe	84
PID 620 wrote to memory of 1956	620	DriverUpdate.exe	85
PID 620 wrote to memory of 1956	620	DriverUpdate.exe	85
PID 620 wrote to memory of 1956	620	DriverUpdate.exe	85

C:\Users\Admin\AppData\Local\Temp\Patch\Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Patch\Patch.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\FB_BA2D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\FB_BA2D.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
    "C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2592
- C:\Users\Admin\AppData\Local\Temp\FB_BD2B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\FB_BD2B.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe" "DriverUpdate.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1956
- C:\Users\Admin\AppData\Local\Temp\FB_BD8A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\FB_BD8A.tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:4880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe

Filesize
43KB

MD5
2bcefd5742d3a2bf4526bbdb6a34dc62

SHA1
bb090faea7150efd4284ba14268e280e7775589e

SHA256
6b9951d4d3b11d3b3dec24cfa8286eaf888217e26b71e30d5688ce4632aaa3e0

SHA512
4787a2770d018c3dab76db3a785928148526a804f4ab043292141c5a5e9194ef4a05ca4a5fc08af7ff8a17fa3e4b91ec685af046fb50a74c4514a92978ec4112

Download Submit
C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe

Filesize
43KB

MD5
2bcefd5742d3a2bf4526bbdb6a34dc62

SHA1
bb090faea7150efd4284ba14268e280e7775589e

SHA256
6b9951d4d3b11d3b3dec24cfa8286eaf888217e26b71e30d5688ce4632aaa3e0

SHA512
4787a2770d018c3dab76db3a785928148526a804f4ab043292141c5a5e9194ef4a05ca4a5fc08af7ff8a17fa3e4b91ec685af046fb50a74c4514a92978ec4112

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BA2D.tmp.exe

Filesize
41KB

MD5
a5208c8c1d9634ea4fa769eaeb03376a

SHA1
9eda60b3d317fbfc9624145f12309b009b1c71f3

SHA256
0a5f66a4c565d6bc8e3f8f8e19004ab3d7d957219558b75536df3f41c62c40ea

SHA512
57063158cd3b3f6667672d00200d2c341613e8ef1292fa5e13e99223ab66b2229477545c3b67c3d5981cfdd02a637e8ff78d9a3a5721ca23f50045978524375d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BA2D.tmp.exe

Filesize
41KB

MD5
a5208c8c1d9634ea4fa769eaeb03376a

SHA1
9eda60b3d317fbfc9624145f12309b009b1c71f3

SHA256
0a5f66a4c565d6bc8e3f8f8e19004ab3d7d957219558b75536df3f41c62c40ea

SHA512
57063158cd3b3f6667672d00200d2c341613e8ef1292fa5e13e99223ab66b2229477545c3b67c3d5981cfdd02a637e8ff78d9a3a5721ca23f50045978524375d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BD2B.tmp.exe

Filesize
43KB

MD5
2bcefd5742d3a2bf4526bbdb6a34dc62

SHA1
bb090faea7150efd4284ba14268e280e7775589e

SHA256
6b9951d4d3b11d3b3dec24cfa8286eaf888217e26b71e30d5688ce4632aaa3e0

SHA512
4787a2770d018c3dab76db3a785928148526a804f4ab043292141c5a5e9194ef4a05ca4a5fc08af7ff8a17fa3e4b91ec685af046fb50a74c4514a92978ec4112

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BD2B.tmp.exe

Filesize
43KB

MD5
2bcefd5742d3a2bf4526bbdb6a34dc62

SHA1
bb090faea7150efd4284ba14268e280e7775589e

SHA256
6b9951d4d3b11d3b3dec24cfa8286eaf888217e26b71e30d5688ce4632aaa3e0

SHA512
4787a2770d018c3dab76db3a785928148526a804f4ab043292141c5a5e9194ef4a05ca4a5fc08af7ff8a17fa3e4b91ec685af046fb50a74c4514a92978ec4112

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BD8A.tmp.exe

Filesize
22KB

MD5
1e38f75c9b7b6d685d2320871f58b1bc

SHA1
b24da2b212fe859ac1607e5120bb4897aeb8c4fa

SHA256
4610e253bee5602a8e3861e611eb16cd1a57abe59d87339c43ee66387d1fe0f4

SHA512
09dabb82313bbe0eb08e62056e57776569603c625ff8d8cf4ab1fa67960d686f89f27c51e02af49eba56e3b00bedb31a45d1380bc84827cd455b94aac2eefd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BD8A.tmp.exe

Filesize
22KB

MD5
1e38f75c9b7b6d685d2320871f58b1bc

SHA1
b24da2b212fe859ac1607e5120bb4897aeb8c4fa

SHA256
4610e253bee5602a8e3861e611eb16cd1a57abe59d87339c43ee66387d1fe0f4

SHA512
09dabb82313bbe0eb08e62056e57776569603c625ff8d8cf4ab1fa67960d686f89f27c51e02af49eba56e3b00bedb31a45d1380bc84827cd455b94aac2eefd11

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe

Filesize
41KB

MD5
a5208c8c1d9634ea4fa769eaeb03376a

SHA1
9eda60b3d317fbfc9624145f12309b009b1c71f3

SHA256
0a5f66a4c565d6bc8e3f8f8e19004ab3d7d957219558b75536df3f41c62c40ea

SHA512
57063158cd3b3f6667672d00200d2c341613e8ef1292fa5e13e99223ab66b2229477545c3b67c3d5981cfdd02a637e8ff78d9a3a5721ca23f50045978524375d

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe

Filesize
41KB

MD5
a5208c8c1d9634ea4fa769eaeb03376a

SHA1
9eda60b3d317fbfc9624145f12309b009b1c71f3

SHA256
0a5f66a4c565d6bc8e3f8f8e19004ab3d7d957219558b75536df3f41c62c40ea

SHA512
57063158cd3b3f6667672d00200d2c341613e8ef1292fa5e13e99223ab66b2229477545c3b67c3d5981cfdd02a637e8ff78d9a3a5721ca23f50045978524375d

Download Submit
memory/620-151-0x0000000073E80000-0x0000000074431000-memory.dmp

Filesize
5.7MB

Download
memory/620-153-0x0000000073E80000-0x0000000074431000-memory.dmp

Filesize
5.7MB

Download
memory/3764-144-0x0000000073E80000-0x0000000074431000-memory.dmp

Filesize
5.7MB

Download
memory/3764-149-0x0000000073E80000-0x0000000074431000-memory.dmp

Filesize
5.7MB

Download
memory/4880-145-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

Filesize
40KB

Download
memory/4880-152-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

Filesize
40KB

Download