modiloader | e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f

General

Target

e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
Size

632KB
MD5

06e73af160595e9fd8bbbd8148383822
SHA1

0bd1076636895974c6d3a68bb909401ad3a4af5a
SHA256

e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f
SHA512

8dd8bb15328d519cab51923ed8cad4a27ec16ad5c08c96ba9e9777effd97356fec8d262be152c331afe50690ec7574a0d8ffa2373ff6168b3291f4878e718ff9
SSDEEP

12288:YHLUMuiv9RgfSjAzRtyQpxrlcyfpZ1e+gWvr4PNqGIk:itARXvruKZ1e+gWviwk

Score

10^/10

modiloader evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

mstwain32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1948-59-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1948-61-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1948-63-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1948-64-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1948-66-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1948-69-0x0000000000430464-mapping.dmp	modiloader_stage2
behavioral1/memory/1948-68-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1948-70-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1948-73-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1948-74-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1352-91-0x0000000000000000-mapping.dmp	modiloader_stage2
behavioral1/memory/1948-96-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1352-98-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1352-100-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1352-101-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

mstwain32.exemstwain32.exe

pid process

360 mstwain32.exe
1352 mstwain32.exe

pid	process
360	mstwain32.exe
1352	mstwain32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1184-55-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/1184-71-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
C:\Windows\mstwain32.exe	upx
C:\Windows\mstwain32.exe	upx
C:\Windows\mstwain32.exe	upx
behavioral1/memory/360-94-0x0000000000400000-0x00000000004DA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mstwain32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exemstwain32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1184-71-0x0000000000400000-0x00000000004DA000-memory.dmp	autoit_exe
behavioral1/memory/360-94-0x0000000000400000-0x00000000004DA000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe

description	pid	process	target process
PID 1184 set thread context of 1948	1184	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe

Drops file in Windows directory 4 IoCs

Processes:

e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exemstwain32.exe

description	ioc	process
File created	C:\Windows\mstwain32.exe	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
File opened for modification	C:\Windows\mstwain32.exe	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exevssvc.exemstwain32.exe

description	pid	process
Token: SeDebugPrivilege	1948	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
Token: SeBackupPrivilege	2024	vssvc.exe
Token: SeRestorePrivilege	2024	vssvc.exe
Token: SeAuditPrivilege	2024	vssvc.exe
Token: SeDebugPrivilege	1352	mstwain32.exe
Token: SeDebugPrivilege	1352	mstwain32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mstwain32.exe

pid process

1352 mstwain32.exe
1352 mstwain32.exe

pid	process
1352	mstwain32.exe
1352	mstwain32.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exee896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exemstwain32.exe

description	pid	process	target process
PID 1184 wrote to memory of 1948	1184	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
PID 1184 wrote to memory of 1948	1184	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
PID 1184 wrote to memory of 1948	1184	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
PID 1184 wrote to memory of 1948	1184	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
PID 1184 wrote to memory of 1948	1184	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
PID 1184 wrote to memory of 1948	1184	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
PID 1184 wrote to memory of 1948	1184	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
PID 1184 wrote to memory of 1948	1184	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
PID 1184 wrote to memory of 1948	1184	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
PID 1184 wrote to memory of 1948	1184	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
PID 1184 wrote to memory of 1948	1184	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
PID 1948 wrote to memory of 360	1948	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	mstwain32.exe
PID 1948 wrote to memory of 360	1948	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	mstwain32.exe
PID 1948 wrote to memory of 360	1948	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	mstwain32.exe
PID 1948 wrote to memory of 360	1948	e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe	mstwain32.exe
PID 360 wrote to memory of 1352	360	mstwain32.exe	mstwain32.exe
PID 360 wrote to memory of 1352	360	mstwain32.exe	mstwain32.exe
PID 360 wrote to memory of 1352	360	mstwain32.exe	mstwain32.exe
PID 360 wrote to memory of 1352	360	mstwain32.exe	mstwain32.exe
PID 360 wrote to memory of 1352	360	mstwain32.exe	mstwain32.exe
PID 360 wrote to memory of 1352	360	mstwain32.exe	mstwain32.exe
PID 360 wrote to memory of 1352	360	mstwain32.exe	mstwain32.exe
PID 360 wrote to memory of 1352	360	mstwain32.exe	mstwain32.exe
PID 360 wrote to memory of 1352	360	mstwain32.exe	mstwain32.exe
PID 360 wrote to memory of 1352	360	mstwain32.exe	mstwain32.exe
PID 360 wrote to memory of 1352	360	mstwain32.exe	mstwain32.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

mstwain32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
"C:\Users\Admin\AppData\Local\Temp\e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe
"C:\Users\Admin\AppData\Local\Temp\e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe"
2⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\mstwain32.exe
"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\mstwain32.exe
"C:\Windows\mstwain32.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mstwain32.exe

Filesize
632KB

MD5
06e73af160595e9fd8bbbd8148383822

SHA1
0bd1076636895974c6d3a68bb909401ad3a4af5a

SHA256
e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f

SHA512
8dd8bb15328d519cab51923ed8cad4a27ec16ad5c08c96ba9e9777effd97356fec8d262be152c331afe50690ec7574a0d8ffa2373ff6168b3291f4878e718ff9

Download Submit
C:\Windows\mstwain32.exe

Filesize
632KB

MD5
06e73af160595e9fd8bbbd8148383822

SHA1
0bd1076636895974c6d3a68bb909401ad3a4af5a

SHA256
e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f

SHA512
8dd8bb15328d519cab51923ed8cad4a27ec16ad5c08c96ba9e9777effd97356fec8d262be152c331afe50690ec7574a0d8ffa2373ff6168b3291f4878e718ff9

Download Submit
C:\Windows\mstwain32.exe

Filesize
632KB

MD5
06e73af160595e9fd8bbbd8148383822

SHA1
0bd1076636895974c6d3a68bb909401ad3a4af5a

SHA256
e896165969317e3ed1c1595d52a44cc70241b784176db485497133059562f29f

SHA512
8dd8bb15328d519cab51923ed8cad4a27ec16ad5c08c96ba9e9777effd97356fec8d262be152c331afe50690ec7574a0d8ffa2373ff6168b3291f4878e718ff9

Download Submit
memory/360-94-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/360-75-0x0000000000000000-mapping.dmp

Download
memory/1184-71-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1184-55-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1352-91-0x0000000000000000-mapping.dmp

Download
memory/1352-101-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1352-100-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1352-99-0x00000000009E0000-0x00000000009EE000-memory.dmp

Filesize
56KB

Download
memory/1352-98-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-74-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-63-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-57-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-56-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-73-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-70-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-96-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-68-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-69-0x0000000000430464-mapping.dmp

Download
memory/1948-66-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1948-64-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads