modiloader | 7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178

General

Target

7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
Size

66KB
MD5

33952c5267ec33fb246882c00fa617e2
SHA1

87bc829c00bee0b952061cb5369887fed0123f6f
SHA256

7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178
SHA512

ca2cc7740f86627cfa2e0a0eaa8eb994f4e4bd167c672b08f50f8016565b1960a8a54f189fc3503cc5441926960dde1a240a15cb7a3eed76971c328faead9a58
SSDEEP

1536:V4UHxpN/MUXsLTvCj0DBXJaOVU7yiZYqWEWn4IpksYnA5S57OlyPMH:V4URpNUUX6z/DBXJf4xgEWn42QqEPW

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1688-65-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/1688-69-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/568-84-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/568-85-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

cissv.execissv.exe

pid process

1352 cissv.exe
568 cissv.exe

pid	process
1352	cissv.exe
568	cissv.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1688-57-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1688-59-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1688-60-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1688-64-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1688-65-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1688-69-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/568-84-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/568-85-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.execissv.exe

pid	process
1696	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
1688	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
1352	cissv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cissv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cissv = "C:\\Users\\Admin\\AppData\\Roaming\\cissv.exe"	cissv.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.execissv.exe

description	pid	process	target process
PID 1696 set thread context of 1688	1696	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1352 set thread context of 568	1352	cissv.exe	cissv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_2
\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.execissv.exe

description	pid	process	target process
PID 1696 wrote to memory of 1688	1696	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1696 wrote to memory of 1688	1696	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1696 wrote to memory of 1688	1696	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1696 wrote to memory of 1688	1696	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1696 wrote to memory of 1688	1696	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1696 wrote to memory of 1688	1696	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1696 wrote to memory of 1688	1696	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1696 wrote to memory of 1688	1696	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1688 wrote to memory of 1352	1688	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	cissv.exe
PID 1688 wrote to memory of 1352	1688	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	cissv.exe
PID 1688 wrote to memory of 1352	1688	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	cissv.exe
PID 1688 wrote to memory of 1352	1688	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	cissv.exe
PID 1352 wrote to memory of 568	1352	cissv.exe	cissv.exe
PID 1352 wrote to memory of 568	1352	cissv.exe	cissv.exe
PID 1352 wrote to memory of 568	1352	cissv.exe	cissv.exe
PID 1352 wrote to memory of 568	1352	cissv.exe	cissv.exe
PID 1352 wrote to memory of 568	1352	cissv.exe	cissv.exe
PID 1352 wrote to memory of 568	1352	cissv.exe	cissv.exe
PID 1352 wrote to memory of 568	1352	cissv.exe	cissv.exe
PID 1352 wrote to memory of 568	1352	cissv.exe	cissv.exe

C:\Users\Admin\AppData\Local\Temp\7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
"C:\Users\Admin\AppData\Local\Temp\7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
"C:\Users\Admin\AppData\Local\Temp\7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Roaming\cissv.exe
"C:\Users\Admin\AppData\Roaming\cissv.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Roaming\cissv.exe
"C:\Users\Admin\AppData\Roaming\cissv.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\landlord\jerboa.r

Filesize
18KB

MD5
17afef79c37e099854e11d848d0ba13c

SHA1
5264a4faddca8c259c875bb42a9710381190ee3e

SHA256
c6466e4e9eb8ce3a9275f26ff24c7044eaf789589df9a2d0616f9f84750f1562

SHA512
99506dcb2699726a475dca209b6c1c33f0f5c06c83e4660277ffc5f665f7764c8e719a2bc601f97beaff23815d3daeb5913effe8c79cf4e9c1175422b1555835

Download Submit
C:\Users\Admin\AppData\Roaming\cissv.exe

Filesize
66KB

MD5
33952c5267ec33fb246882c00fa617e2

SHA1
87bc829c00bee0b952061cb5369887fed0123f6f

SHA256
7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178

SHA512
ca2cc7740f86627cfa2e0a0eaa8eb994f4e4bd167c672b08f50f8016565b1960a8a54f189fc3503cc5441926960dde1a240a15cb7a3eed76971c328faead9a58

Download Submit
C:\Users\Admin\AppData\Roaming\cissv.exe

Filesize
66KB

MD5
33952c5267ec33fb246882c00fa617e2

SHA1
87bc829c00bee0b952061cb5369887fed0123f6f

SHA256
7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178

SHA512
ca2cc7740f86627cfa2e0a0eaa8eb994f4e4bd167c672b08f50f8016565b1960a8a54f189fc3503cc5441926960dde1a240a15cb7a3eed76971c328faead9a58

Download Submit
C:\Users\Admin\AppData\Roaming\cissv.exe

Filesize
66KB

MD5
33952c5267ec33fb246882c00fa617e2

SHA1
87bc829c00bee0b952061cb5369887fed0123f6f

SHA256
7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178

SHA512
ca2cc7740f86627cfa2e0a0eaa8eb994f4e4bd167c672b08f50f8016565b1960a8a54f189fc3503cc5441926960dde1a240a15cb7a3eed76971c328faead9a58

Download Submit
\Users\Admin\AppData\Local\Temp\nso1C68.tmp\jerboa.dll

Filesize
17KB

MD5
0319cf124ea44e58c706fb56546ae941

SHA1
1fbebeacf15863cb4f1cc327bcef0f59956ed2cc

SHA256
dfc831c1cbff4664ca3c5e22834e909e263fce02c54f7f1c422fb6569dc98da0

SHA512
d1d0280a70774b51288c38b25bc4e868e0fce84ea66683fb8045572334a91f848e2e447741e5066d9620d38fdb87e9191ba0e245895a320630ad28c4e2434f54

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB49.tmp\jerboa.dll

Filesize
17KB

MD5
0319cf124ea44e58c706fb56546ae941

SHA1
1fbebeacf15863cb4f1cc327bcef0f59956ed2cc

SHA256
dfc831c1cbff4664ca3c5e22834e909e263fce02c54f7f1c422fb6569dc98da0

SHA512
d1d0280a70774b51288c38b25bc4e868e0fce84ea66683fb8045572334a91f848e2e447741e5066d9620d38fdb87e9191ba0e245895a320630ad28c4e2434f54

Download Submit
\Users\Admin\AppData\Roaming\cissv.exe

Filesize
66KB

MD5
33952c5267ec33fb246882c00fa617e2

SHA1
87bc829c00bee0b952061cb5369887fed0123f6f

SHA256
7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178

SHA512
ca2cc7740f86627cfa2e0a0eaa8eb994f4e4bd167c672b08f50f8016565b1960a8a54f189fc3503cc5441926960dde1a240a15cb7a3eed76971c328faead9a58

Download Submit
memory/568-85-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/568-84-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/568-79-0x0000000000412D10-mapping.dmp

Download
memory/1352-67-0x0000000000000000-mapping.dmp

Download
memory/1688-65-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1688-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1688-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1688-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1688-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1688-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1688-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1688-61-0x0000000000412D10-mapping.dmp

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads