modiloader | 7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178

General

Target

7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
Size

66KB
MD5

33952c5267ec33fb246882c00fa617e2
SHA1

87bc829c00bee0b952061cb5369887fed0123f6f
SHA256

7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178
SHA512

ca2cc7740f86627cfa2e0a0eaa8eb994f4e4bd167c672b08f50f8016565b1960a8a54f189fc3503cc5441926960dde1a240a15cb7a3eed76971c328faead9a58
SSDEEP

1536:V4UHxpN/MUXsLTvCj0DBXJaOVU7yiZYqWEWn4IpksYnA5S57OlyPMH:V4URpNUUX6z/DBXJf4xgEWn42QqEPW

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4568-137-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4568-138-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4512-150-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4512-151-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

cissv.execissv.exe

pid process

3680 cissv.exe
4512 cissv.exe

pid	process
3680	cissv.exe
4512	cissv.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4568-134-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4568-136-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4568-137-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4568-138-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4512-150-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4512-151-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe

Loads dropped DLL 2 IoCs

Processes:

7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.execissv.exe

pid process

1632 7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
3680 cissv.exe

pid	process
1632	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
3680	cissv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cissv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cissv = "C:\\Users\\Admin\\AppData\\Roaming\\cissv.exe"	cissv.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.execissv.exe

description	pid	process	target process
PID 1632 set thread context of 4568	1632	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 3680 set thread context of 4512	3680	cissv.exe	cissv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.execissv.exe

description	pid	process	target process
PID 1632 wrote to memory of 4568	1632	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1632 wrote to memory of 4568	1632	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1632 wrote to memory of 4568	1632	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1632 wrote to memory of 4568	1632	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1632 wrote to memory of 4568	1632	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1632 wrote to memory of 4568	1632	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1632 wrote to memory of 4568	1632	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 1632 wrote to memory of 4568	1632	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
PID 4568 wrote to memory of 3680	4568	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	cissv.exe
PID 4568 wrote to memory of 3680	4568	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	cissv.exe
PID 4568 wrote to memory of 3680	4568	7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe	cissv.exe
PID 3680 wrote to memory of 4512	3680	cissv.exe	cissv.exe
PID 3680 wrote to memory of 4512	3680	cissv.exe	cissv.exe
PID 3680 wrote to memory of 4512	3680	cissv.exe	cissv.exe
PID 3680 wrote to memory of 4512	3680	cissv.exe	cissv.exe
PID 3680 wrote to memory of 4512	3680	cissv.exe	cissv.exe
PID 3680 wrote to memory of 4512	3680	cissv.exe	cissv.exe
PID 3680 wrote to memory of 4512	3680	cissv.exe	cissv.exe
PID 3680 wrote to memory of 4512	3680	cissv.exe	cissv.exe

C:\Users\Admin\AppData\Local\Temp\7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
"C:\Users\Admin\AppData\Local\Temp\7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe
"C:\Users\Admin\AppData\Local\Temp\7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Roaming\cissv.exe
"C:\Users\Admin\AppData\Roaming\cissv.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Roaming\cissv.exe
"C:\Users\Admin\AppData\Roaming\cissv.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\landlord\jerboa.r
Filesize
18KB

MD5
17afef79c37e099854e11d848d0ba13c

SHA1
5264a4faddca8c259c875bb42a9710381190ee3e

SHA256
c6466e4e9eb8ce3a9275f26ff24c7044eaf789589df9a2d0616f9f84750f1562

SHA512
99506dcb2699726a475dca209b6c1c33f0f5c06c83e4660277ffc5f665f7764c8e719a2bc601f97beaff23815d3daeb5913effe8c79cf4e9c1175422b1555835

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5BE.tmp\jerboa.dll
Filesize
17KB

MD5
0319cf124ea44e58c706fb56546ae941

SHA1
1fbebeacf15863cb4f1cc327bcef0f59956ed2cc

SHA256
dfc831c1cbff4664ca3c5e22834e909e263fce02c54f7f1c422fb6569dc98da0

SHA512
d1d0280a70774b51288c38b25bc4e868e0fce84ea66683fb8045572334a91f848e2e447741e5066d9620d38fdb87e9191ba0e245895a320630ad28c4e2434f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu3809.tmp\jerboa.dll
Filesize
17KB

MD5
0319cf124ea44e58c706fb56546ae941

SHA1
1fbebeacf15863cb4f1cc327bcef0f59956ed2cc

SHA256
dfc831c1cbff4664ca3c5e22834e909e263fce02c54f7f1c422fb6569dc98da0

SHA512
d1d0280a70774b51288c38b25bc4e868e0fce84ea66683fb8045572334a91f848e2e447741e5066d9620d38fdb87e9191ba0e245895a320630ad28c4e2434f54

Download Submit
C:\Users\Admin\AppData\Roaming\cissv.exe
Filesize
66KB

MD5
33952c5267ec33fb246882c00fa617e2

SHA1
87bc829c00bee0b952061cb5369887fed0123f6f

SHA256
7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178

SHA512
ca2cc7740f86627cfa2e0a0eaa8eb994f4e4bd167c672b08f50f8016565b1960a8a54f189fc3503cc5441926960dde1a240a15cb7a3eed76971c328faead9a58

Download Submit
C:\Users\Admin\AppData\Roaming\cissv.exe
Filesize
66KB

MD5
33952c5267ec33fb246882c00fa617e2

SHA1
87bc829c00bee0b952061cb5369887fed0123f6f

SHA256
7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178

SHA512
ca2cc7740f86627cfa2e0a0eaa8eb994f4e4bd167c672b08f50f8016565b1960a8a54f189fc3503cc5441926960dde1a240a15cb7a3eed76971c328faead9a58

Download Submit
C:\Users\Admin\AppData\Roaming\cissv.exe
Filesize
66KB

MD5
33952c5267ec33fb246882c00fa617e2

SHA1
87bc829c00bee0b952061cb5369887fed0123f6f

SHA256
7f86840e0d4c2e6ad1d817ea9bcc5da6472a5124c49bc44fa1297abce2096178

SHA512
ca2cc7740f86627cfa2e0a0eaa8eb994f4e4bd167c672b08f50f8016565b1960a8a54f189fc3503cc5441926960dde1a240a15cb7a3eed76971c328faead9a58

Download Submit
memory/3680-139-0x0000000000000000-mapping.dmp

Download
memory/4512-144-0x0000000000000000-mapping.dmp

Download
memory/4512-150-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4512-151-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4568-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4568-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4568-136-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4568-134-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4568-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads