modiloader | ad6884a51b3bbec490fcda72f0d20c885477a0e3338765fec85184f5b58c304a

General

Target

ad6884a51b3bbec490fcda72f0d20c885477a0e3338765fec85184f5b58c304a.exe
Size

46KB
MD5

0a93986762f4ccb1a7460847c37e0ba8
SHA1

51dbce0649429c1c8635eaa1cd4450ce0eb382b1
SHA256

ad6884a51b3bbec490fcda72f0d20c885477a0e3338765fec85184f5b58c304a
SHA512

8627b790b1b9a7628c3f76be40ede209ce6bf584121d659d628c90cdb9701c18328691f7279bdee40f6a2481ec1579ad30e20ea42ba8a38c7a60030a39850b5b
SSDEEP

768:GC38NcRIQbDY5XlKZ/FrR2YC0UzS8+1FO6vJGmrD74kTK6N1Q30ign:GCGcRjbrtCmF9HRKw+gn

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/files/0x0009000000022df5-133.dat	modiloader_stage2
behavioral2/files/0x0009000000022df5-134.dat	modiloader_stage2
behavioral2/files/0x0009000000022df5-138.dat	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
3768	Systemloader.exe
3500	Systemloader.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3500-137-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/3500-140-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/3500-141-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/3500-142-0x0000000000400000-0x0000000000407000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ad6884a51b3bbec490fcda72f0d20c885477a0e3338765fec85184f5b58c304a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\microsoft\windows\currentversion\run	Systemloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kiss = "C:\\Systemloader.exe"	Systemloader.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3768 set thread context of 3500	3768	Systemloader.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 3768	3916	ad6884a51b3bbec490fcda72f0d20c885477a0e3338765fec85184f5b58c304a.exe	79
PID 3916 wrote to memory of 3768	3916	ad6884a51b3bbec490fcda72f0d20c885477a0e3338765fec85184f5b58c304a.exe	79
PID 3916 wrote to memory of 3768	3916	ad6884a51b3bbec490fcda72f0d20c885477a0e3338765fec85184f5b58c304a.exe	79
PID 3768 wrote to memory of 3500	3768	Systemloader.exe	80
PID 3768 wrote to memory of 3500	3768	Systemloader.exe	80
PID 3768 wrote to memory of 3500	3768	Systemloader.exe	80
PID 3768 wrote to memory of 3500	3768	Systemloader.exe	80
PID 3768 wrote to memory of 3500	3768	Systemloader.exe	80

C:\Users\Admin\AppData\Local\Temp\ad6884a51b3bbec490fcda72f0d20c885477a0e3338765fec85184f5b58c304a.exe
"C:\Users\Admin\AppData\Local\Temp\ad6884a51b3bbec490fcda72f0d20c885477a0e3338765fec85184f5b58c304a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Systemloader.exe
  "C:\Systemloader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Systemloader.exe
    C:\Systemloader.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Support.Scr

Filesize
3KB

MD5
8550988643e60e8529cddcc833bd20f7

SHA1
9bcf1519ee9cfb989ff04ee012176b1c3da4c85a

SHA256
0c55281359a24f62daa5c0a572520577d6a042798f7c2672eae681ddcfb40271

SHA512
f2a74cb09661a646391f37044507c3255db682be0d7e36bc17a78848a33e290fe7af5c1295116bd9eaec6e0844beba4ed01dfb5dfd001f833abcd51c05516896

Download Submit
C:\Systemloader.exe

Filesize
22KB

MD5
1b58ac36575d9c69123aaba7aef86e8a

SHA1
21146726066641d70a3f800d339b428f8042f714

SHA256
b632e67b6e4b6c417c3e39e1c15ca2762158a01e81a3e5e1157ec6acd379779f

SHA512
503ab01530714abf076f786e397e14b0c08e31fe3e3bcb6a0e38c2c767e65cb5c5755f131c426ce290a7bfe73876a3c36225da258db2ca4a5dc583d4aca0af6e

Download Submit
C:\Systemloader.exe

Filesize
22KB

MD5
1b58ac36575d9c69123aaba7aef86e8a

SHA1
21146726066641d70a3f800d339b428f8042f714

SHA256
b632e67b6e4b6c417c3e39e1c15ca2762158a01e81a3e5e1157ec6acd379779f

SHA512
503ab01530714abf076f786e397e14b0c08e31fe3e3bcb6a0e38c2c767e65cb5c5755f131c426ce290a7bfe73876a3c36225da258db2ca4a5dc583d4aca0af6e

Download Submit
C:\Systemloader.exe

Filesize
22KB

MD5
1b58ac36575d9c69123aaba7aef86e8a

SHA1
21146726066641d70a3f800d339b428f8042f714

SHA256
b632e67b6e4b6c417c3e39e1c15ca2762158a01e81a3e5e1157ec6acd379779f

SHA512
503ab01530714abf076f786e397e14b0c08e31fe3e3bcb6a0e38c2c767e65cb5c5755f131c426ce290a7bfe73876a3c36225da258db2ca4a5dc583d4aca0af6e

Download Submit
memory/3500-137-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3500-140-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3500-141-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3500-142-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing