modiloader | 69babee20fca03eccf70e8344ff9480d7b1924dd9af275cbb259bcd77646cc09

General

Target

lianxuextbsq_33lc.com/lx_speed 1.5 beta1.exe
Size

2.2MB
MD5

d5fdd0a32bc734cc4abb7c39921c0051
SHA1

cca76e39f9c9e7a9dbb4544b275669e297edc522
SHA256

b3e4ec4f0233a46af22a024643deae26f6b1455b45dba5f5a3d6d59019a4b172
SHA512

e354883e69d7d538a7c37042d1b1ebf7499b987dba4d0464da492f9f9963c646689b394c069abfeaabc2ced9818511dd51e5685e29adace962c969b43f03a7cf
SSDEEP

49152:HeZ6epYyulT8r+d/PJOwKkfbPqm9QpDHfjuWULBtmQqvzUHe:HeseyvPJh9f2m9Q9HftULTmvvzUHe

Score

10^/10

modiloader trojan upx vmprotect

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 8 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1488-68-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2
behavioral3/memory/1488-66-0x0000000000499F34-mapping.dmp	modiloader_stage2
behavioral3/memory/1488-65-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2
behavioral3/memory/1488-71-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2
behavioral3/memory/1488-72-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2
behavioral3/memory/1488-73-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2
behavioral3/memory/1188-74-0x0000000003490000-0x00000000035F5000-memory.dmp	modiloader_stage2
behavioral3/memory/1188-75-0x0000000003490000-0x00000000035F5000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

LianXue_WPE.exeLianXue_WPE.exe

pid process

1112 LianXue_WPE.exe
1488 LianXue_WPE.exe

pid	process
1112	LianXue_WPE.exe
1488	LianXue_WPE.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
behavioral3/memory/1112-69-0x0000000000400000-0x0000000000565000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral3/memory/1188-55-0x0000000000400000-0x00000000008EB000-memory.dmp	vmprotect
behavioral3/memory/1188-57-0x0000000000400000-0x00000000008EB000-memory.dmp	vmprotect
behavioral3/memory/1188-58-0x0000000000400000-0x00000000008EB000-memory.dmp	vmprotect
behavioral3/memory/1188-76-0x0000000000400000-0x00000000008EB000-memory.dmp	vmprotect

Loads dropped DLL 3 IoCs

Processes:

lx_speed 1.5 beta1.exeLianXue_WPE.exe

pid process

1188 lx_speed 1.5 beta1.exe
1188 lx_speed 1.5 beta1.exe
1112 LianXue_WPE.exe
Drops file in System32 directory 1 IoCs

Processes:

LianXue_WPE.exe

description ioc process

File created C:\Windows\SysWOW64\2010.txt LianXue_WPE.exe

description	ioc	process
File created	C:\Windows\SysWOW64\2010.txt	LianXue_WPE.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

LianXue_WPE.exeLianXue_WPE.exe

description	pid	process	target process
PID 1112 set thread context of 1488	1112	LianXue_WPE.exe	LianXue_WPE.exe
PID 1488 set thread context of 1196	1488	LianXue_WPE.exe	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376229881"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F1038321-6D83-11ED-9FA0-5263E908E3CD} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

lx_speed 1.5 beta1.exe

pid process

1188 lx_speed 1.5 beta1.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1196 IEXPLORE.EXE

pid	process
1196	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

lx_speed 1.5 beta1.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1188	lx_speed 1.5 beta1.exe
1188	lx_speed 1.5 beta1.exe
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

lx_speed 1.5 beta1.exeLianXue_WPE.exeLianXue_WPE.exeIEXPLORE.EXE

description	pid	process	target process
PID 1188 wrote to memory of 1112	1188	lx_speed 1.5 beta1.exe	LianXue_WPE.exe
PID 1188 wrote to memory of 1112	1188	lx_speed 1.5 beta1.exe	LianXue_WPE.exe
PID 1188 wrote to memory of 1112	1188	lx_speed 1.5 beta1.exe	LianXue_WPE.exe
PID 1188 wrote to memory of 1112	1188	lx_speed 1.5 beta1.exe	LianXue_WPE.exe
PID 1112 wrote to memory of 1488	1112	LianXue_WPE.exe	LianXue_WPE.exe
PID 1112 wrote to memory of 1488	1112	LianXue_WPE.exe	LianXue_WPE.exe
PID 1112 wrote to memory of 1488	1112	LianXue_WPE.exe	LianXue_WPE.exe
PID 1112 wrote to memory of 1488	1112	LianXue_WPE.exe	LianXue_WPE.exe
PID 1112 wrote to memory of 1488	1112	LianXue_WPE.exe	LianXue_WPE.exe
PID 1112 wrote to memory of 1488	1112	LianXue_WPE.exe	LianXue_WPE.exe
PID 1488 wrote to memory of 1196	1488	LianXue_WPE.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 1196	1488	LianXue_WPE.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 1196	1488	LianXue_WPE.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 1196	1488	LianXue_WPE.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 1196	1488	LianXue_WPE.exe	IEXPLORE.EXE
PID 1196 wrote to memory of 1680	1196	IEXPLORE.EXE	IEXPLORE.EXE
PID 1196 wrote to memory of 1680	1196	IEXPLORE.EXE	IEXPLORE.EXE
PID 1196 wrote to memory of 1680	1196	IEXPLORE.EXE	IEXPLORE.EXE
PID 1196 wrote to memory of 1680	1196	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\lianxuextbsq_33lc.com\lx_speed 1.5 beta1.exe
"C:\Users\Admin\AppData\Local\Temp\lianxuextbsq_33lc.com\lx_speed 1.5 beta1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1488

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1196 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V5SYOYQV.txt

Filesize
601B

MD5
8d4351c6a001619eea2243aef8161184

SHA1
fb4d1d3de841a86b10769001e80f7a2c1f5b9564

SHA256
6fba60533d6ab11732792eab7c4576489ec706b954fbdd0de14306d0d30d82a4

SHA512
62f22216036e2f7fde2e5f4aec52a83d26c4d2e429af7f8a4e43ebe0331027819db1045e8e10baa98ef75d93d158d4b12240303dd1ad4fac9dd0e1544b662aad

Download Submit
\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
memory/1112-69-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/1112-61-0x0000000000000000-mapping.dmp

Download
memory/1188-74-0x0000000003490000-0x00000000035F5000-memory.dmp

Filesize
1.4MB

Download
memory/1188-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1188-58-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/1188-55-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/1188-78-0x0000000003490000-0x00000000035F5000-memory.dmp

Filesize
1.4MB

Download
memory/1188-57-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/1188-77-0x0000000003490000-0x00000000035F5000-memory.dmp

Filesize
1.4MB

Download
memory/1188-76-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/1188-75-0x0000000003490000-0x00000000035F5000-memory.dmp

Filesize
1.4MB

Download
memory/1488-65-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1488-73-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1488-72-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1488-71-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1488-68-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1488-66-0x0000000000499F34-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads