modiloader | 90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437

Analysis

max time kernel
62s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe
Size

5.1MB
MD5

0a87095e2b0129902b094d3e144e6deb
SHA1

5f400b46f2876c92dcd7ce05ff2699946ce114bc
SHA256

90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437
SHA512

2316f53ecb3556c374c594525a75720a7adaa59889715631667e93105264ab30e5dd5b615eb3daaa33831c11476d4161145918d51067c115f221d5248ce756bd
SSDEEP

98304:ouzeozbcNTNmwFRcXZhITW5ucNF61j7+W4cacDXu5ZYNuPjqc897tgtzlwwirkx:otozbozFq0S5Xw1/BscpCj94Gzlwxg

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1252-56-0x0000000000400000-0x0000000000951000-memory.dmp	modiloader_stage2
behavioral1/memory/1252-71-0x0000000000400000-0x0000000000951000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

Processes:

java_3.exejava.exejava.exejavatrig.exe

pid process

1000 java_3.exe
524 java.exe
1992 java.exe
1548 javatrig.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

280 netsh.exe

pid	process
1000	java_3.exe
524	java.exe
1992	java.exe
1548	javatrig.exe

pid	process
280	netsh.exe

Drops startup file 2 IoCs

Processes:

java.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b782f73214429c3d9bc5c4dba38019f.exe	java.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b782f73214429c3d9bc5c4dba38019f.exe	java.exe

Loads dropped DLL 8 IoCs

Processes:

90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exejava_3.exejava.exe

pid	process
1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe
1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe
1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe
1000	java_3.exe
1000	java_3.exe
1000	java_3.exe
524	java.exe
1000	java_3.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

java_3.exejava.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	java_3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	java_3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\6b782f73214429c3d9bc5c4dba38019f = "\"C:\\Users\\Admin\\AppData\\Roaming\\java.exe\" .."	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6b782f73214429c3d9bc5c4dba38019f = "\"C:\\Users\\Admin\\AppData\\Roaming\\java.exe\" .."	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

java.exe

pid process

1992 java.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

java.exe

description pid process

Token: SeDebugPrivilege 1992 java.exe

pid	process
1992	java.exe

description	pid	process
Token: SeDebugPrivilege	1992	java.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exejava.exejava_3.exejavatrig.exejava.exe

description	pid	process	target process
PID 1252 wrote to memory of 1000	1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe	java_3.exe
PID 1252 wrote to memory of 1000	1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe	java_3.exe
PID 1252 wrote to memory of 1000	1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe	java_3.exe
PID 1252 wrote to memory of 1000	1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe	java_3.exe
PID 1252 wrote to memory of 1000	1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe	java_3.exe
PID 1252 wrote to memory of 1000	1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe	java_3.exe
PID 1252 wrote to memory of 1000	1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe	java_3.exe
PID 1252 wrote to memory of 524	1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe	java.exe
PID 1252 wrote to memory of 524	1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe	java.exe
PID 1252 wrote to memory of 524	1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe	java.exe
PID 1252 wrote to memory of 524	1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe	java.exe
PID 1252 wrote to memory of 524	1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe	java.exe
PID 1252 wrote to memory of 524	1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe	java.exe
PID 1252 wrote to memory of 524	1252	90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe	java.exe
PID 524 wrote to memory of 1992	524	java.exe	java.exe
PID 524 wrote to memory of 1992	524	java.exe	java.exe
PID 524 wrote to memory of 1992	524	java.exe	java.exe
PID 524 wrote to memory of 1992	524	java.exe	java.exe
PID 524 wrote to memory of 1992	524	java.exe	java.exe
PID 524 wrote to memory of 1992	524	java.exe	java.exe
PID 524 wrote to memory of 1992	524	java.exe	java.exe
PID 1000 wrote to memory of 1548	1000	java_3.exe	javatrig.exe
PID 1000 wrote to memory of 1548	1000	java_3.exe	javatrig.exe
PID 1000 wrote to memory of 1548	1000	java_3.exe	javatrig.exe
PID 1000 wrote to memory of 1548	1000	java_3.exe	javatrig.exe
PID 1000 wrote to memory of 1548	1000	java_3.exe	javatrig.exe
PID 1000 wrote to memory of 1548	1000	java_3.exe	javatrig.exe
PID 1000 wrote to memory of 1548	1000	java_3.exe	javatrig.exe
PID 1548 wrote to memory of 900	1548	javatrig.exe	pcaui.exe
PID 1548 wrote to memory of 900	1548	javatrig.exe	pcaui.exe
PID 1548 wrote to memory of 900	1548	javatrig.exe	pcaui.exe
PID 1548 wrote to memory of 900	1548	javatrig.exe	pcaui.exe
PID 1992 wrote to memory of 280	1992	java.exe	netsh.exe
PID 1992 wrote to memory of 280	1992	java.exe	netsh.exe
PID 1992 wrote to memory of 280	1992	java.exe	netsh.exe
PID 1992 wrote to memory of 280	1992	java.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe
"C:\Users\Admin\AppData\Local\Temp\90f7f6ef0952e478b5281735f87a7e0116c2f620d0b45c6bd6230231d8ea1437.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\java_3.exe
  "C:\Users\Admin\AppData\Local\Temp\java_3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\javatrig.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\javatrig.exe /l /exe_install /vercheck /wxret
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\System32\pcaui.exe
      "C:\Windows\System32\pcaui.exe" /g {11111111-1111-1111-1111-111111111111} /x {65fc8e85-fff3-4ca6-a346-5ab7dece50bf} /a "Microsoft JVM" /v "Microsoft" /s "Microsoft JVM is not supported on this version of Windows. For more information, contact Microsoft." /b 1 /e "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\javatrig.exe"
      4⤵
      PID:900
- C:\Users\Admin\AppData\Local\Temp\java.exe
  "C:\Users\Admin\AppData\Local\Temp\java.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Users\Admin\AppData\Roaming\java.exe
    "C:\Users\Admin\AppData\Roaming\java.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\java.exe" "java.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\javatrig.exe

Filesize
1021KB

MD5
1b19973594544ae5692962d9bd07dbdf

SHA1
a6028f646455fb5ab8194eb14b443cef95ffb198

SHA256
857c08bd93f7ce5b10d66d5b51484e6cba7f826c4f94947f060ae67137145e4b

SHA512
078f6643c18f6eff89d4a403b17019f085850b9020645a2e0ee1e39dae13a4e71fe8960bd52344f77d97b62724d2ee25efae5ad55ff07ef36c4f275d2361a1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\java.exe

Filesize
44KB

MD5
d88a20e63476ebb9b7cb89d9ff51d693

SHA1
019e06220be407228a0d4f56b133ead821c05fd1

SHA256
9d1447c3b5d327598f5fac4dcd1d1fd9eb41aecbd3e9675a41eee52d226c00bf

SHA512
bb33d17d6b20b6f8be75f30a8ffe128dacea04df7821005cc0e6dd69ad1f94a664fccccf681a52696f0ddccfb2e21f6d7faa5d2d951b39d32621d199a8508208

Download Submit
C:\Users\Admin\AppData\Local\Temp\java.exe

Filesize
44KB

MD5
d88a20e63476ebb9b7cb89d9ff51d693

SHA1
019e06220be407228a0d4f56b133ead821c05fd1

SHA256
9d1447c3b5d327598f5fac4dcd1d1fd9eb41aecbd3e9675a41eee52d226c00bf

SHA512
bb33d17d6b20b6f8be75f30a8ffe128dacea04df7821005cc0e6dd69ad1f94a664fccccf681a52696f0ddccfb2e21f6d7faa5d2d951b39d32621d199a8508208

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_3.exe

Filesize
5.2MB

MD5
72d0cc290999dd3dd97133ad9015afd6

SHA1
22351d2abe52d85898873ad6ab2f331f031b9d5e

SHA256
03e38318fa34ad2aeff00517ae6d72e05588509e1c549d9147029483d08cf2b5

SHA512
9496f901c541edaceb804d45af1e588160ca7a426f5cd35b040bdab8439ba18cb080ec86c6c547e1dc2744caf6bc24bc2cea07b0020b33aee3e36a36d48306a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_3.exe

Filesize
5.2MB

MD5
72d0cc290999dd3dd97133ad9015afd6

SHA1
22351d2abe52d85898873ad6ab2f331f031b9d5e

SHA256
03e38318fa34ad2aeff00517ae6d72e05588509e1c549d9147029483d08cf2b5

SHA512
9496f901c541edaceb804d45af1e588160ca7a426f5cd35b040bdab8439ba18cb080ec86c6c547e1dc2744caf6bc24bc2cea07b0020b33aee3e36a36d48306a1

Download Submit
C:\Users\Admin\AppData\Roaming\java.exe

Filesize
44KB

MD5
d88a20e63476ebb9b7cb89d9ff51d693

SHA1
019e06220be407228a0d4f56b133ead821c05fd1

SHA256
9d1447c3b5d327598f5fac4dcd1d1fd9eb41aecbd3e9675a41eee52d226c00bf

SHA512
bb33d17d6b20b6f8be75f30a8ffe128dacea04df7821005cc0e6dd69ad1f94a664fccccf681a52696f0ddccfb2e21f6d7faa5d2d951b39d32621d199a8508208

Download Submit
C:\Users\Admin\AppData\Roaming\java.exe

Filesize
44KB

MD5
d88a20e63476ebb9b7cb89d9ff51d693

SHA1
019e06220be407228a0d4f56b133ead821c05fd1

SHA256
9d1447c3b5d327598f5fac4dcd1d1fd9eb41aecbd3e9675a41eee52d226c00bf

SHA512
bb33d17d6b20b6f8be75f30a8ffe128dacea04df7821005cc0e6dd69ad1f94a664fccccf681a52696f0ddccfb2e21f6d7faa5d2d951b39d32621d199a8508208

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\javatrig.exe

Filesize
1021KB

MD5
1b19973594544ae5692962d9bd07dbdf

SHA1
a6028f646455fb5ab8194eb14b443cef95ffb198

SHA256
857c08bd93f7ce5b10d66d5b51484e6cba7f826c4f94947f060ae67137145e4b

SHA512
078f6643c18f6eff89d4a403b17019f085850b9020645a2e0ee1e39dae13a4e71fe8960bd52344f77d97b62724d2ee25efae5ad55ff07ef36c4f275d2361a1b3

Download Submit
\Users\Admin\AppData\Local\Temp\java.exe

Filesize
44KB

MD5
d88a20e63476ebb9b7cb89d9ff51d693

SHA1
019e06220be407228a0d4f56b133ead821c05fd1

SHA256
9d1447c3b5d327598f5fac4dcd1d1fd9eb41aecbd3e9675a41eee52d226c00bf

SHA512
bb33d17d6b20b6f8be75f30a8ffe128dacea04df7821005cc0e6dd69ad1f94a664fccccf681a52696f0ddccfb2e21f6d7faa5d2d951b39d32621d199a8508208

Download Submit
\Users\Admin\AppData\Local\Temp\java_3.exe

Filesize
5.2MB

MD5
72d0cc290999dd3dd97133ad9015afd6

SHA1
22351d2abe52d85898873ad6ab2f331f031b9d5e

SHA256
03e38318fa34ad2aeff00517ae6d72e05588509e1c549d9147029483d08cf2b5

SHA512
9496f901c541edaceb804d45af1e588160ca7a426f5cd35b040bdab8439ba18cb080ec86c6c547e1dc2744caf6bc24bc2cea07b0020b33aee3e36a36d48306a1

Download Submit
\Users\Admin\AppData\Local\Temp\java_3.exe

Filesize
5.2MB

MD5
72d0cc290999dd3dd97133ad9015afd6

SHA1
22351d2abe52d85898873ad6ab2f331f031b9d5e

SHA256
03e38318fa34ad2aeff00517ae6d72e05588509e1c549d9147029483d08cf2b5

SHA512
9496f901c541edaceb804d45af1e588160ca7a426f5cd35b040bdab8439ba18cb080ec86c6c547e1dc2744caf6bc24bc2cea07b0020b33aee3e36a36d48306a1

Download Submit
\Users\Admin\AppData\Local\Temp\java_3.exe

Filesize
5.2MB

MD5
72d0cc290999dd3dd97133ad9015afd6

SHA1
22351d2abe52d85898873ad6ab2f331f031b9d5e

SHA256
03e38318fa34ad2aeff00517ae6d72e05588509e1c549d9147029483d08cf2b5

SHA512
9496f901c541edaceb804d45af1e588160ca7a426f5cd35b040bdab8439ba18cb080ec86c6c547e1dc2744caf6bc24bc2cea07b0020b33aee3e36a36d48306a1

Download Submit
\Users\Admin\AppData\Local\Temp\java_3.exe

Filesize
5.2MB

MD5
72d0cc290999dd3dd97133ad9015afd6

SHA1
22351d2abe52d85898873ad6ab2f331f031b9d5e

SHA256
03e38318fa34ad2aeff00517ae6d72e05588509e1c549d9147029483d08cf2b5

SHA512
9496f901c541edaceb804d45af1e588160ca7a426f5cd35b040bdab8439ba18cb080ec86c6c547e1dc2744caf6bc24bc2cea07b0020b33aee3e36a36d48306a1

Download Submit
\Users\Admin\AppData\Local\Temp\java_3.exe

Filesize
5.2MB

MD5
72d0cc290999dd3dd97133ad9015afd6

SHA1
22351d2abe52d85898873ad6ab2f331f031b9d5e

SHA256
03e38318fa34ad2aeff00517ae6d72e05588509e1c549d9147029483d08cf2b5

SHA512
9496f901c541edaceb804d45af1e588160ca7a426f5cd35b040bdab8439ba18cb080ec86c6c547e1dc2744caf6bc24bc2cea07b0020b33aee3e36a36d48306a1

Download Submit
\Users\Admin\AppData\Roaming\java.exe

Filesize
44KB

MD5
d88a20e63476ebb9b7cb89d9ff51d693

SHA1
019e06220be407228a0d4f56b133ead821c05fd1

SHA256
9d1447c3b5d327598f5fac4dcd1d1fd9eb41aecbd3e9675a41eee52d226c00bf

SHA512
bb33d17d6b20b6f8be75f30a8ffe128dacea04df7821005cc0e6dd69ad1f94a664fccccf681a52696f0ddccfb2e21f6d7faa5d2d951b39d32621d199a8508208

Download Submit
memory/280-89-0x0000000000000000-mapping.dmp

Download
memory/524-86-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/524-67-0x0000000000000000-mapping.dmp

Download
memory/524-78-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/524-77-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/900-88-0x0000000000000000-mapping.dmp

Download
memory/1000-63-0x0000000000000000-mapping.dmp

Download
memory/1252-71-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/1252-56-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/1252-54-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/1252-57-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1252-55-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1252-72-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/1252-60-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/1252-58-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/1252-59-0x00000000022B1000-0x00000000022B5000-memory.dmp

Filesize
16KB

Download
memory/1548-85-0x0000000000000000-mapping.dmp

Download
memory/1992-80-0x0000000000000000-mapping.dmp

Download
memory/1992-90-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-92-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download