modiloader | a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237

General

Target

a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe
Size

380KB
MD5

1ab27b63c1a49193f4b2f1f9554ca91b
SHA1

a746201024f0cd21e1d10f4d435510e3f4de33d2
SHA256

a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237
SHA512

03d41630e4d4cae5058ad3e9080e53e1657c1f1bae2503410551656cbc1e575b06f8828189ead40e1f96eb7a85bb5e292f2ebea952cc362a7ef6c61d7c2a9af5
SSDEEP

6144:Hk8u7jp9fQ6u+JUuWj2bL30ct3PUgXjgc/kS8vyiYESWT5kLo8Xb0FAFnQslaHu3:UplTUJ2bLkct3s1c/kS8vyiYMT5kLoWt

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/1736-59-0x0000000000400000-0x0000000000482000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2032	java.exe
752	java.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1852	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b782f73214429c3d9bc5c4dba38019f.exe	java.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b782f73214429c3d9bc5c4dba38019f.exe	java.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe
2032	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\6b782f73214429c3d9bc5c4dba38019f = "\"C:\\Users\\Admin\\AppData\\Roaming\\java.exe\" .."	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6b782f73214429c3d9bc5c4dba38019f = "\"C:\\Users\\Admin\\AppData\\Roaming\\java.exe\" .."	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
752	java.exe
752	java.exe
752	java.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	752	java.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2032	1736	a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe	28
PID 1736 wrote to memory of 2032	1736	a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe	28
PID 1736 wrote to memory of 2032	1736	a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe	28
PID 1736 wrote to memory of 2032	1736	a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe	28
PID 1736 wrote to memory of 2032	1736	a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe	28
PID 1736 wrote to memory of 2032	1736	a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe	28
PID 1736 wrote to memory of 2032	1736	a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe	28
PID 2032 wrote to memory of 752	2032	java.exe	29
PID 2032 wrote to memory of 752	2032	java.exe	29
PID 2032 wrote to memory of 752	2032	java.exe	29
PID 2032 wrote to memory of 752	2032	java.exe	29
PID 2032 wrote to memory of 752	2032	java.exe	29
PID 2032 wrote to memory of 752	2032	java.exe	29
PID 2032 wrote to memory of 752	2032	java.exe	29
PID 752 wrote to memory of 1852	752	java.exe	30
PID 752 wrote to memory of 1852	752	java.exe	30
PID 752 wrote to memory of 1852	752	java.exe	30
PID 752 wrote to memory of 1852	752	java.exe	30

C:\Users\Admin\AppData\Local\Temp\a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe
"C:\Users\Admin\AppData\Local\Temp\a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\java.exe
  "C:\Users\Admin\AppData\Local\Temp\java.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Roaming\java.exe
    "C:\Users\Admin\AppData\Roaming\java.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\java.exe" "java.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\java.exe

Filesize
47KB

MD5
06567cf94124d86ea7f90aeb16eafc08

SHA1
0b26fddc27138a15a404e1d969c8476253e0d48d

SHA256
1edcd4e37aff5be25c81d20680c6bac1bfe8a54f9d4bf9fb37c070d2172c66c4

SHA512
3dd5eaca0a9adfdf9e71107155d7d2d05af82d6e0e79fa41ae384bf89c83fc075567ee969f5e2a6ce48490306b399fca0a470151e9c65b62b6ad6ab7aaac5d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\java.exe

Filesize
47KB

MD5
06567cf94124d86ea7f90aeb16eafc08

SHA1
0b26fddc27138a15a404e1d969c8476253e0d48d

SHA256
1edcd4e37aff5be25c81d20680c6bac1bfe8a54f9d4bf9fb37c070d2172c66c4

SHA512
3dd5eaca0a9adfdf9e71107155d7d2d05af82d6e0e79fa41ae384bf89c83fc075567ee969f5e2a6ce48490306b399fca0a470151e9c65b62b6ad6ab7aaac5d17

Download Submit
C:\Users\Admin\AppData\Roaming\java.exe

Filesize
47KB

MD5
06567cf94124d86ea7f90aeb16eafc08

SHA1
0b26fddc27138a15a404e1d969c8476253e0d48d

SHA256
1edcd4e37aff5be25c81d20680c6bac1bfe8a54f9d4bf9fb37c070d2172c66c4

SHA512
3dd5eaca0a9adfdf9e71107155d7d2d05af82d6e0e79fa41ae384bf89c83fc075567ee969f5e2a6ce48490306b399fca0a470151e9c65b62b6ad6ab7aaac5d17

Download Submit
C:\Users\Admin\AppData\Roaming\java.exe

Filesize
47KB

MD5
06567cf94124d86ea7f90aeb16eafc08

SHA1
0b26fddc27138a15a404e1d969c8476253e0d48d

SHA256
1edcd4e37aff5be25c81d20680c6bac1bfe8a54f9d4bf9fb37c070d2172c66c4

SHA512
3dd5eaca0a9adfdf9e71107155d7d2d05af82d6e0e79fa41ae384bf89c83fc075567ee969f5e2a6ce48490306b399fca0a470151e9c65b62b6ad6ab7aaac5d17

Download Submit
\Users\Admin\AppData\Local\Temp\java.exe

Filesize
47KB

MD5
06567cf94124d86ea7f90aeb16eafc08

SHA1
0b26fddc27138a15a404e1d969c8476253e0d48d

SHA256
1edcd4e37aff5be25c81d20680c6bac1bfe8a54f9d4bf9fb37c070d2172c66c4

SHA512
3dd5eaca0a9adfdf9e71107155d7d2d05af82d6e0e79fa41ae384bf89c83fc075567ee969f5e2a6ce48490306b399fca0a470151e9c65b62b6ad6ab7aaac5d17

Download Submit
\Users\Admin\AppData\Roaming\java.exe

Filesize
47KB

MD5
06567cf94124d86ea7f90aeb16eafc08

SHA1
0b26fddc27138a15a404e1d969c8476253e0d48d

SHA256
1edcd4e37aff5be25c81d20680c6bac1bfe8a54f9d4bf9fb37c070d2172c66c4

SHA512
3dd5eaca0a9adfdf9e71107155d7d2d05af82d6e0e79fa41ae384bf89c83fc075567ee969f5e2a6ce48490306b399fca0a470151e9c65b62b6ad6ab7aaac5d17

Download Submit
memory/752-74-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/752-72-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1736-63-0x0000000001D41000-0x0000000001D45000-memory.dmp

Filesize
16KB

Download
memory/1736-62-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/1736-61-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1736-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1736-55-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/2032-71-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing