modiloader | 430af6efaf235407de033571f6b459e9f3af6d9ea67a0febe1829c86af5dceb0

Analysis

max time kernel
88s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
22-11-2022 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Revised Enquiry.exe
Size

793KB
MD5

9a8aed85e68f62b931e430cdf467d84a
SHA1

9928c00afdb391518123911181af30bf054cf56c
SHA256

430af6efaf235407de033571f6b459e9f3af6d9ea67a0febe1829c86af5dceb0
SHA512

8f643eaa2455f3fbca39869888987ad3e21b974073978d9eb82d93bf4c49726d4acb579280de90fcf3a3d215dfeba1cd494f76447b563b17e6959b233d51539f
SSDEEP

12288:VV2cbnbazcd5JluSVVvkYhrN+k3t+kXPqTdTB2O4rwSMpxwhxStY5:V4cnOcd53uSVVJRsk3QWq5oOqLM2xS+5

Score

10^/10

modiloader warzonerat infostealer persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=1VYeqnIRBP80Vu3udEWt23pq_2mnbwUeG

Extracted

Family

warzonerat

victorycolum.ddns.net:8585

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1600-55-0x00000000004D0000-0x00000000004FC000-memory.dmp	modiloader_stage2

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1588-89-0x0000000010670000-0x00000000107C6000-memory.dmp	warzonerat
behavioral1/memory/1588-90-0x0000000002E50000-0x0000000002FA4000-memory.dmp	warzonerat
behavioral1/memory/1588-91-0x0000000002E50000-0x0000000002FA4000-memory.dmp	warzonerat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 1660 powershell.exe
6 1660 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

easinvoker.exeeasinvoker.exe

pid process

1644 easinvoker.exe
1576 easinvoker.exe

flow	pid	process
4	1660	powershell.exe
6	1660	powershell.exe

pid	process
1644	easinvoker.exe
1576	easinvoker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Revised Enquiry.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pdlrkiim = "C:\\Users\\Public\\Libraries\\miikrldP.url"	Revised Enquiry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

608 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exeRevised Enquiry.exe

pid process

1660 powershell.exe
1600 Revised Enquiry.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1660 powershell.exe

pid	process
608	PING.EXE

pid	process
1660	powershell.exe
1600	Revised Enquiry.exe

description	pid	process
Token: SeDebugPrivilege	1660	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

Revised Enquiry.execmd.execmd.exe

description	pid	process	target process
PID 1600 wrote to memory of 1020	1600	Revised Enquiry.exe	cmd.exe
PID 1600 wrote to memory of 1020	1600	Revised Enquiry.exe	cmd.exe
PID 1600 wrote to memory of 1020	1600	Revised Enquiry.exe	cmd.exe
PID 1600 wrote to memory of 1020	1600	Revised Enquiry.exe	cmd.exe
PID 1020 wrote to memory of 1660	1020	cmd.exe	powershell.exe
PID 1020 wrote to memory of 1660	1020	cmd.exe	powershell.exe
PID 1020 wrote to memory of 1660	1020	cmd.exe	powershell.exe
PID 1020 wrote to memory of 1660	1020	cmd.exe	powershell.exe
PID 1600 wrote to memory of 1084	1600	Revised Enquiry.exe	cmd.exe
PID 1600 wrote to memory of 1084	1600	Revised Enquiry.exe	cmd.exe
PID 1600 wrote to memory of 1084	1600	Revised Enquiry.exe	cmd.exe
PID 1600 wrote to memory of 1084	1600	Revised Enquiry.exe	cmd.exe
PID 1084 wrote to memory of 1880	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 1880	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 1880	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 1880	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 304	1084	cmd.exe	xcopy.exe
PID 1084 wrote to memory of 304	1084	cmd.exe	xcopy.exe
PID 1084 wrote to memory of 304	1084	cmd.exe	xcopy.exe
PID 1084 wrote to memory of 304	1084	cmd.exe	xcopy.exe
PID 1084 wrote to memory of 644	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 644	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 644	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 644	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 740	1084	cmd.exe	xcopy.exe
PID 1084 wrote to memory of 740	1084	cmd.exe	xcopy.exe
PID 1084 wrote to memory of 740	1084	cmd.exe	xcopy.exe
PID 1084 wrote to memory of 740	1084	cmd.exe	xcopy.exe
PID 1084 wrote to memory of 2028	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 2028	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 2028	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 2028	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 1836	1084	cmd.exe	xcopy.exe
PID 1084 wrote to memory of 1836	1084	cmd.exe	xcopy.exe
PID 1084 wrote to memory of 1836	1084	cmd.exe	xcopy.exe
PID 1084 wrote to memory of 1836	1084	cmd.exe	xcopy.exe
PID 1084 wrote to memory of 608	1084	cmd.exe	PING.EXE
PID 1084 wrote to memory of 608	1084	cmd.exe	PING.EXE
PID 1084 wrote to memory of 608	1084	cmd.exe	PING.EXE
PID 1084 wrote to memory of 608	1084	cmd.exe	PING.EXE
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe
PID 1600 wrote to memory of 1588	1600	Revised Enquiry.exe	colorcpl.exe

C:\Users\Admin\AppData\Local\Temp\Revised Enquiry.exe
"C:\Users\Admin\AppData\Local\Temp\Revised Enquiry.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Public\Libraries\png.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -FILE C:\Users\Public\Libraries\png.ps1
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Public\Libraries\PdlrkiimO.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:644
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:1836
- - C:\Windows \System32\easinvoker.exe
    "C:\Windows \System32\easinvoker.exe"
    3⤵
    - Executes dropped EXE
    PID:1644
- - C:\Windows \System32\easinvoker.exe
    "C:\Windows \System32\easinvoker.exe"
    3⤵
    - Executes dropped EXE
    PID:1576
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 6
    3⤵
    - Runs ping.exe
    PID:608
- C:\Windows\SysWOW64\colorcpl.exe
  C:\Windows\System32\colorcpl.exe
  2⤵
  PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\KDECO.bat

Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\PdlrkiimO.bat

Filesize
411B

MD5
55aba243e88f6a6813c117ffe1fa5979

SHA1
210b9b028a4b798c837a182321dbf2e50d112816

SHA256
5a11c5641c476891aa30e7ecfa57c2639f6827d8640061f73e9afec0adbbd7d2

SHA512
68009c4c9bbea75a3bfa9f79945d30957a95691ea405d031b4ca7f1cb47504bbc768fcae59173885743ad4d6cfdd2313c3fe0acb515e34e5c809ecdc7f45e307

Download Submit
C:\Users\Public\Libraries\easinvoker.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Users\Public\Libraries\netutils.dll

Filesize
108KB

MD5
a800effc5290ed4d6869ee2fe0acb96c

SHA1
08b9a4a6e84c99670e08fd0a0036790cd09d5c00

SHA256
8fcee46630ac35d7757a30701098b23c00e6ee80eafa836c71a23312826f7963

SHA512
aa2526533e0b8408445a9af3cd29f67c4d5313281de76227951741b67ce21caf47c9775e0c79b663ea6187c6891a587ed6fe51a8fd61f65193da69cc2ba4a654

Download Submit
C:\Users\Public\Libraries\png

Filesize
354KB

MD5
34868aec8f4a869e2d5f4ec754f37f68

SHA1
ad4ca624c07cd6e51b785d2dc51df91c439db945

SHA256
1a7e2c4093d25180e3eefcecc15503dca8fb9c05235766d1f151fba5a30dabba

SHA512
f222c9b0e82b38b903f80c6e9ced74eef2c0cc6de775b59f64e80caf9d0b0ad00d2e099d481ced6e4a0468b6a6a59eae92fc6cd22103aa3c2fafb79b4508f670

Download Submit
C:\Users\Public\Libraries\png.bat

Filesize
100B

MD5
c385a71887d828b1df961942e68ecfe8

SHA1
3f539a56267af3db91be9ac9ea2fd5d803a53279

SHA256
bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3

SHA512
83d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848

Download Submit
C:\Users\Public\Libraries\png.ps1

Filesize
213B

MD5
182aa3627ab898f7022c5b9a40733e3d

SHA1
9cd0b3ae83ec53e1ed9fbd41ebd33dc7ddc8b613

SHA256
dd6497297dd7101ad08cda68b64e342d088d174b54e7f562d2bb0df0f010318a

SHA512
020db17bd62235bc6765d33ecace7559c4fb7df9c89ddc2245a381dd70414448472652522c45a5bc03fc0d8588cf69ce4bc10bfee6c9d67fc959cfdd78d8aedb

Download Submit
C:\Windows \System32\KDECO.bat

Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Windows \System32\easinvoker.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Windows \System32\easinvoker.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Windows \System32\easinvoker.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Windows \System32\netutils.dll

Filesize
108KB

MD5
a800effc5290ed4d6869ee2fe0acb96c

SHA1
08b9a4a6e84c99670e08fd0a0036790cd09d5c00

SHA256
8fcee46630ac35d7757a30701098b23c00e6ee80eafa836c71a23312826f7963

SHA512
aa2526533e0b8408445a9af3cd29f67c4d5313281de76227951741b67ce21caf47c9775e0c79b663ea6187c6891a587ed6fe51a8fd61f65193da69cc2ba4a654

Download Submit
memory/304-68-0x0000000000000000-mapping.dmp

Download
memory/608-80-0x0000000000000000-mapping.dmp

Download
memory/644-70-0x0000000000000000-mapping.dmp

Download
memory/740-71-0x0000000000000000-mapping.dmp

Download
memory/1020-57-0x0000000000000000-mapping.dmp

Download
memory/1084-65-0x0000000000000000-mapping.dmp

Download
memory/1588-83-0x0000000000000000-mapping.dmp

Download
memory/1588-91-0x0000000002E50000-0x0000000002FA4000-memory.dmp

Filesize
1.3MB

Download
memory/1588-90-0x0000000002E50000-0x0000000002FA4000-memory.dmp

Filesize
1.3MB

Download
memory/1588-89-0x0000000010670000-0x00000000107C6000-memory.dmp

Filesize
1.3MB

Download
memory/1588-87-0x0000000010670000-0x00000000107C6000-memory.dmp

Filesize
1.3MB

Download
memory/1600-86-0x0000000010670000-0x00000000107C6000-memory.dmp

Filesize
1.3MB

Download
memory/1600-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1600-55-0x00000000004D0000-0x00000000004FC000-memory.dmp

Filesize
176KB

Download
memory/1600-85-0x0000000010670000-0x00000000107C6000-memory.dmp

Filesize
1.3MB

Download
memory/1660-63-0x0000000073310000-0x00000000738BB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-61-0x0000000073310000-0x00000000738BB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-59-0x0000000000000000-mapping.dmp

Download
memory/1836-74-0x0000000000000000-mapping.dmp

Download
memory/1880-67-0x0000000000000000-mapping.dmp

Download
memory/2028-73-0x0000000000000000-mapping.dmp

Download