modiloader | c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952

General

Target

c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
Size

83KB
MD5

5b23b21551bdcb29c5d1614c4c20e854
SHA1

fdc762c0dc24f959bba97a1d111052dc16155c0e
SHA256

c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952
SHA512

f67511ec191a9d13a12ab174aae2f824bcfed9f8bb03d32dd3012dfe4a3bf98c693d5c351bf025ad4d607f16d89f540eadabeb0cf54c02355f3216b8335fa992
SSDEEP

1536:h4UHxpN/MUXsLTvCj0DBXJaO3mddWa144+Wa4OvQ5mTGgoGsXxRFzOn5e:h4URpNUUX6z/DBXJf34dWiqvQ5mTFoGQ

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2008-65-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2008-69-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-85-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-86-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

cissv.execissv.exe

pid process

624 cissv.exe
1644 cissv.exe

pid	process
624	cissv.exe
1644	cissv.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2008-59-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2008-57-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2008-60-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2008-64-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2008-65-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2008-69-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1644-84-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1644-85-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1644-86-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exec619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.execissv.exe

pid	process
1648	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
2008	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
624	cissv.exe
624	cissv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cissv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cissv = "C:\\Users\\Admin\\AppData\\Roaming\\cissv.exe"	cissv.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.execissv.exe

description	pid	process	target process
PID 1648 set thread context of 2008	1648	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
PID 624 set thread context of 1644	624	cissv.exe	cissv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_2
\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\cissv.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exec619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.execissv.exe

description	pid	process	target process
PID 1648 wrote to memory of 2008	1648	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
PID 1648 wrote to memory of 2008	1648	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
PID 1648 wrote to memory of 2008	1648	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
PID 1648 wrote to memory of 2008	1648	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
PID 1648 wrote to memory of 2008	1648	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
PID 1648 wrote to memory of 2008	1648	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
PID 1648 wrote to memory of 2008	1648	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
PID 1648 wrote to memory of 2008	1648	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
PID 1648 wrote to memory of 2008	1648	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
PID 1648 wrote to memory of 2008	1648	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
PID 1648 wrote to memory of 2008	1648	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
PID 2008 wrote to memory of 624	2008	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	cissv.exe
PID 2008 wrote to memory of 624	2008	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	cissv.exe
PID 2008 wrote to memory of 624	2008	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	cissv.exe
PID 2008 wrote to memory of 624	2008	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	cissv.exe
PID 2008 wrote to memory of 624	2008	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	cissv.exe
PID 2008 wrote to memory of 624	2008	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	cissv.exe
PID 2008 wrote to memory of 624	2008	c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe	cissv.exe
PID 624 wrote to memory of 1644	624	cissv.exe	cissv.exe
PID 624 wrote to memory of 1644	624	cissv.exe	cissv.exe
PID 624 wrote to memory of 1644	624	cissv.exe	cissv.exe
PID 624 wrote to memory of 1644	624	cissv.exe	cissv.exe
PID 624 wrote to memory of 1644	624	cissv.exe	cissv.exe
PID 624 wrote to memory of 1644	624	cissv.exe	cissv.exe
PID 624 wrote to memory of 1644	624	cissv.exe	cissv.exe
PID 624 wrote to memory of 1644	624	cissv.exe	cissv.exe
PID 624 wrote to memory of 1644	624	cissv.exe	cissv.exe
PID 624 wrote to memory of 1644	624	cissv.exe	cissv.exe
PID 624 wrote to memory of 1644	624	cissv.exe	cissv.exe

C:\Users\Admin\AppData\Local\Temp\c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
"C:\Users\Admin\AppData\Local\Temp\c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
"C:\Users\Admin\AppData\Local\Temp\c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Roaming\cissv.exe
"C:\Users\Admin\AppData\Roaming\cissv.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Roaming\cissv.exe
"C:\Users\Admin\AppData\Roaming\cissv.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\origination\archon.lj
Filesize
18KB

MD5
8f6801e7740d10e011d7dd557f3611c4

SHA1
1717f6ba597b6507faf1c2c291a5f774afb0d3c9

SHA256
3b525b5569d22039202171d1846370fed6a957f30bdf64722106b5f6975aad89

SHA512
e64b1b39aa01fd434620ea4c9b877944cc9de9732ab2c0201ade806ba2401673a325bbd5335fb778d1855262daf8f3ca0b5852a8688bc34694cab006b2fd7a41

Download Submit
C:\Users\Admin\AppData\Roaming\cissv.exe
Filesize
83KB

MD5
5b23b21551bdcb29c5d1614c4c20e854

SHA1
fdc762c0dc24f959bba97a1d111052dc16155c0e

SHA256
c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952

SHA512
f67511ec191a9d13a12ab174aae2f824bcfed9f8bb03d32dd3012dfe4a3bf98c693d5c351bf025ad4d607f16d89f540eadabeb0cf54c02355f3216b8335fa992

Download Submit
C:\Users\Admin\AppData\Roaming\cissv.exe
Filesize
83KB

MD5
5b23b21551bdcb29c5d1614c4c20e854

SHA1
fdc762c0dc24f959bba97a1d111052dc16155c0e

SHA256
c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952

SHA512
f67511ec191a9d13a12ab174aae2f824bcfed9f8bb03d32dd3012dfe4a3bf98c693d5c351bf025ad4d607f16d89f540eadabeb0cf54c02355f3216b8335fa992

Download Submit
C:\Users\Admin\AppData\Roaming\cissv.exe
Filesize
83KB

MD5
5b23b21551bdcb29c5d1614c4c20e854

SHA1
fdc762c0dc24f959bba97a1d111052dc16155c0e

SHA256
c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952

SHA512
f67511ec191a9d13a12ab174aae2f824bcfed9f8bb03d32dd3012dfe4a3bf98c693d5c351bf025ad4d607f16d89f540eadabeb0cf54c02355f3216b8335fa992

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1602.tmp\archon.dll
Filesize
34KB

MD5
10692017651aaf01881c7a31a9ef5515

SHA1
b7f78dc3a3a81e646ad92fa7a2ef5fe675d9d9e1

SHA256
0fd14e6c5962242d15fba61bd0e1e8d7ce754ea6dd8c56c51719c10830f3902f

SHA512
c4bf7a408b1436b435519b7601e3f063b5f8599c86e536bcca9be4fdb4ef1ba588cedd151121ad3e2a8ef9f8b39a61c8fa373405aa55dfd013c02b77ccc5ba4b

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE07.tmp\archon.dll
Filesize
34KB

MD5
10692017651aaf01881c7a31a9ef5515

SHA1
b7f78dc3a3a81e646ad92fa7a2ef5fe675d9d9e1

SHA256
0fd14e6c5962242d15fba61bd0e1e8d7ce754ea6dd8c56c51719c10830f3902f

SHA512
c4bf7a408b1436b435519b7601e3f063b5f8599c86e536bcca9be4fdb4ef1ba588cedd151121ad3e2a8ef9f8b39a61c8fa373405aa55dfd013c02b77ccc5ba4b

Download Submit
\Users\Admin\AppData\Roaming\cissv.exe
Filesize
83KB

MD5
5b23b21551bdcb29c5d1614c4c20e854

SHA1
fdc762c0dc24f959bba97a1d111052dc16155c0e

SHA256
c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952

SHA512
f67511ec191a9d13a12ab174aae2f824bcfed9f8bb03d32dd3012dfe4a3bf98c693d5c351bf025ad4d607f16d89f540eadabeb0cf54c02355f3216b8335fa992

Download Submit
\Users\Admin\AppData\Roaming\cissv.exe
Filesize
83KB

MD5
5b23b21551bdcb29c5d1614c4c20e854

SHA1
fdc762c0dc24f959bba97a1d111052dc16155c0e

SHA256
c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952

SHA512
f67511ec191a9d13a12ab174aae2f824bcfed9f8bb03d32dd3012dfe4a3bf98c693d5c351bf025ad4d607f16d89f540eadabeb0cf54c02355f3216b8335fa992

Download Submit
memory/624-67-0x0000000000000000-mapping.dmp

Download
memory/1644-85-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1644-80-0x0000000000412D10-mapping.dmp

Download
memory/1644-84-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1644-86-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1648-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/2008-61-0x0000000000412D10-mapping.dmp

Download
memory/2008-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-65-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads