modiloader | 07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6

General

Target

07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6.exe
Size

68KB
MD5

03039af402b17dea32b9ff0477f167fe
SHA1

09f75a3189e64bc91c5df9780c0486b80776b616
SHA256

07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6
SHA512

dd3f8c19c555e8cbcfe88233d809ec5176ba2fb1daa8c1fd9fec0aab56a7e7067015e7688f421575748f9aa3f7f3329345fb29a45cf70fc2f83933f71fcc2908
SSDEEP

1536:VYNiejDbYn+vrCpvRcrJNUSz33MagCXQbgH1cntQJYBBnouy8+:OxbYn+vrWW3UE33dXQbgHynuJ2hout+

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

apocalyps32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "userinit.exe,C:\\Windows\\apocalyps32.exe"	apocalyps32.exe

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1948-59-0x0000000030000000-0x0000000030036000-memory.dmp	modiloader_stage2
behavioral1/memory/1692-61-0x0000000030000000-0x0000000030036000-memory.dmp	modiloader_stage2
behavioral1/memory/1692-63-0x0000000030000000-0x0000000030036000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

apocalyps32.exe

pid process

1692 apocalyps32.exe

pid	process
1692	apocalyps32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

apocalyps32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\apocalyps32 = "C:\\Windows\\apocalyps32.exe"	apocalyps32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	apocalyps32.exe

Drops file in Windows directory 2 IoCs

Processes:

07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6.exe

description	ioc	process
File created	C:\Windows\apocalyps32.exe	07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6.exe
File opened for modification	C:\Windows\apocalyps32.exe	07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

apocalyps32.exe

pid process

1692 apocalyps32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

apocalyps32.exe

pid process

1692 apocalyps32.exe

pid	process
1692	apocalyps32.exe

pid	process
1692	apocalyps32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6.exeapocalyps32.exe

description	pid	process	target process
PID 1948 wrote to memory of 1692	1948	07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6.exe	apocalyps32.exe
PID 1948 wrote to memory of 1692	1948	07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6.exe	apocalyps32.exe
PID 1948 wrote to memory of 1692	1948	07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6.exe	apocalyps32.exe
PID 1948 wrote to memory of 1692	1948	07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6.exe	apocalyps32.exe
PID 1692 wrote to memory of 1228	1692	apocalyps32.exe	Explorer.EXE
PID 1692 wrote to memory of 1228	1692	apocalyps32.exe	Explorer.EXE
PID 1692 wrote to memory of 1228	1692	apocalyps32.exe	Explorer.EXE
PID 1692 wrote to memory of 1228	1692	apocalyps32.exe	Explorer.EXE
PID 1692 wrote to memory of 1228	1692	apocalyps32.exe	Explorer.EXE
PID 1692 wrote to memory of 1228	1692	apocalyps32.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6.exe
"C:\Users\Admin\AppData\Local\Temp\07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\apocalyps32.exe
-bs
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apocalyps32.exe

Filesize
68KB

MD5
03039af402b17dea32b9ff0477f167fe

SHA1
09f75a3189e64bc91c5df9780c0486b80776b616

SHA256
07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6

SHA512
dd3f8c19c555e8cbcfe88233d809ec5176ba2fb1daa8c1fd9fec0aab56a7e7067015e7688f421575748f9aa3f7f3329345fb29a45cf70fc2f83933f71fcc2908

Download Submit
C:\Windows\apocalyps32.exe

Filesize
68KB

MD5
03039af402b17dea32b9ff0477f167fe

SHA1
09f75a3189e64bc91c5df9780c0486b80776b616

SHA256
07eff1726003e00b7557efed2fdf38c057234ce42761d06c7a066e2183dc7fb6

SHA512
dd3f8c19c555e8cbcfe88233d809ec5176ba2fb1daa8c1fd9fec0aab56a7e7067015e7688f421575748f9aa3f7f3329345fb29a45cf70fc2f83933f71fcc2908

Download Submit
memory/1692-57-0x0000000000000000-mapping.dmp

Download
memory/1692-61-0x0000000030000000-0x0000000030036000-memory.dmp

Filesize
216KB

Download
memory/1692-63-0x0000000030000000-0x0000000030036000-memory.dmp

Filesize
216KB

Download
memory/1948-54-0x0000000030000000-0x0000000030036000-memory.dmp

Filesize
216KB

Download
memory/1948-55-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1948-56-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/1948-59-0x0000000030000000-0x0000000030036000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads