modiloader | 69babee20fca03eccf70e8344ff9480d7b1924dd9af275cbb259bcd77646cc09

General

Target

lianxuextbsq_33lc.com/lx_speed 1.5 beta1.exe
Size

2.2MB
MD5

d5fdd0a32bc734cc4abb7c39921c0051
SHA1

cca76e39f9c9e7a9dbb4544b275669e297edc522
SHA256

b3e4ec4f0233a46af22a024643deae26f6b1455b45dba5f5a3d6d59019a4b172
SHA512

e354883e69d7d538a7c37042d1b1ebf7499b987dba4d0464da492f9f9963c646689b394c069abfeaabc2ced9818511dd51e5685e29adace962c969b43f03a7cf
SSDEEP

49152:HeZ6epYyulT8r+d/PJOwKkfbPqm9QpDHfjuWULBtmQqvzUHe:HeseyvPJh9f2m9Q9HftULTmvvzUHe

Score

10^/10

modiloader trojan upx vmprotect

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
behavioral4/memory/4220-140-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2
behavioral4/memory/4220-142-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2
behavioral4/memory/4220-144-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2
behavioral4/memory/4220-145-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2
behavioral4/memory/4220-146-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

LianXue_WPE.exeLianXue_WPE.exe

pid process

888 LianXue_WPE.exe
4220 LianXue_WPE.exe

pid	process
888	LianXue_WPE.exe
4220	LianXue_WPE.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
behavioral4/memory/888-143-0x0000000000400000-0x0000000000565000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral4/memory/2920-132-0x0000000000400000-0x00000000008EB000-memory.dmp	vmprotect
behavioral4/memory/2920-133-0x0000000000400000-0x00000000008EB000-memory.dmp	vmprotect
behavioral4/memory/2920-135-0x0000000000400000-0x00000000008EB000-memory.dmp	vmprotect
behavioral4/memory/2920-147-0x0000000000400000-0x00000000008EB000-memory.dmp	vmprotect

Drops file in System32 directory 1 IoCs

Processes:

LianXue_WPE.exe

description ioc process

File created C:\Windows\SysWOW64\2010.txt LianXue_WPE.exe

description	ioc	process
File created	C:\Windows\SysWOW64\2010.txt	LianXue_WPE.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

LianXue_WPE.exeLianXue_WPE.exe

description	pid	process	target process
PID 888 set thread context of 4220	888	LianXue_WPE.exe	LianXue_WPE.exe
PID 4220 set thread context of 544	4220	LianXue_WPE.exe	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DE276380-6D83-11ED-B696-7ED4F7B3352B} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3085218051"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998928"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376229848"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3085218051"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998928"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

lx_speed 1.5 beta1.exe

pid process

2920 lx_speed 1.5 beta1.exe
2920 lx_speed 1.5 beta1.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

544 IEXPLORE.EXE

pid	process
544	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

lx_speed 1.5 beta1.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2920	lx_speed 1.5 beta1.exe
2920	lx_speed 1.5 beta1.exe
544	IEXPLORE.EXE
544	IEXPLORE.EXE
3940	IEXPLORE.EXE
3940	IEXPLORE.EXE
3940	IEXPLORE.EXE
3940	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

lx_speed 1.5 beta1.exeLianXue_WPE.exeLianXue_WPE.exeIEXPLORE.EXE

description	pid	process	target process
PID 2920 wrote to memory of 888	2920	lx_speed 1.5 beta1.exe	LianXue_WPE.exe
PID 2920 wrote to memory of 888	2920	lx_speed 1.5 beta1.exe	LianXue_WPE.exe
PID 2920 wrote to memory of 888	2920	lx_speed 1.5 beta1.exe	LianXue_WPE.exe
PID 888 wrote to memory of 4220	888	LianXue_WPE.exe	LianXue_WPE.exe
PID 888 wrote to memory of 4220	888	LianXue_WPE.exe	LianXue_WPE.exe
PID 888 wrote to memory of 4220	888	LianXue_WPE.exe	LianXue_WPE.exe
PID 888 wrote to memory of 4220	888	LianXue_WPE.exe	LianXue_WPE.exe
PID 888 wrote to memory of 4220	888	LianXue_WPE.exe	LianXue_WPE.exe
PID 4220 wrote to memory of 544	4220	LianXue_WPE.exe	IEXPLORE.EXE
PID 4220 wrote to memory of 544	4220	LianXue_WPE.exe	IEXPLORE.EXE
PID 4220 wrote to memory of 544	4220	LianXue_WPE.exe	IEXPLORE.EXE
PID 544 wrote to memory of 3940	544	IEXPLORE.EXE	IEXPLORE.EXE
PID 544 wrote to memory of 3940	544	IEXPLORE.EXE	IEXPLORE.EXE
PID 544 wrote to memory of 3940	544	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\lianxuextbsq_33lc.com\lx_speed 1.5 beta1.exe
"C:\Users\Admin\AppData\Local\Temp\lianxuextbsq_33lc.com\lx_speed 1.5 beta1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4220

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:544 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
memory/888-143-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/888-136-0x0000000000000000-mapping.dmp

Download
memory/2920-135-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/2920-133-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/2920-132-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/2920-147-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/4220-139-0x0000000000000000-mapping.dmp

Download
memory/4220-140-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4220-142-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4220-144-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4220-145-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4220-146-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads