modiloader | b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7

Analysis

max time kernel
151s
max time network
87s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe
Size

6.3MB
MD5

7f66b63ae030d04a43178df57bb78b1a
SHA1

8605715d8de48241315ec8fcfb91a8380f6776c1
SHA256

b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7
SHA512

4a0590a23c10dd257692e1f4497912935556d4e152fe09ecd1eb2531fba0ee80a079c589068315623ff660c8e5c99871d68a4d48fecfc7ed579081c5e77def46
SSDEEP

98304:A1RaZKOTNyQE17hjs+USipFnLSXF9v8CqLoiLwst/IxZsQU3wDkAaXnmkhD:4aZXTLcVs+upF4Lv8CqSstUKQU1lL5

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/624-73-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/1960-76-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Executes dropped EXE 7 IoCs

Processes:

79773.exe25841.exe84350.exeAdobeART.exe96909.exewinlog.exeIDM1.tmp

pid process

624 79773.exe
1172 25841.exe
1560 84350.exe
1960 AdobeART.exe
932 96909.exe
1768 winlog.exe
764 IDM1.tmp

pid	process
624	79773.exe
1172	25841.exe
1560	84350.exe
1960	AdobeART.exe
932	96909.exe
1768	winlog.exe
764	IDM1.tmp

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\79773.exe	upx
behavioral1/memory/624-60-0x0000000000400000-0x0000000000414000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\79773.exe	upx
C:\Users\Admin\AppData\Local\Temp\84350.exe	upx
\Users\Admin\AppData\Roaming\AdobeART.exe	upx
\Users\Admin\AppData\Roaming\AdobeART.exe	upx
C:\Users\Admin\AppData\Roaming\AdobeART.exe	upx
behavioral1/memory/624-73-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1560-77-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1960-76-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

79773.exe25841.exe96909.exe

pid process

624 79773.exe
624 79773.exe
1172 25841.exe
1172 25841.exe
1172 25841.exe
932 96909.exe

pid	process
624	79773.exe
624	79773.exe
1172	25841.exe
1172	25841.exe
1172	25841.exe
932	96909.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AdobeART.exewinlog.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe"	AdobeART.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	winlog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlog.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlog.exe"	winlog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe

description pid process

Token: SeDebugPrivilege 1352 b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe

description	pid	process
Token: SeDebugPrivilege	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe79773.exe25841.exe96909.exe

description	pid	process	target process
PID 1352 wrote to memory of 624	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	79773.exe
PID 1352 wrote to memory of 624	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	79773.exe
PID 1352 wrote to memory of 624	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	79773.exe
PID 1352 wrote to memory of 624	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	79773.exe
PID 1352 wrote to memory of 1172	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	25841.exe
PID 1352 wrote to memory of 1172	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	25841.exe
PID 1352 wrote to memory of 1172	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	25841.exe
PID 1352 wrote to memory of 1172	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	25841.exe
PID 1352 wrote to memory of 1560	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	84350.exe
PID 1352 wrote to memory of 1560	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	84350.exe
PID 1352 wrote to memory of 1560	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	84350.exe
PID 1352 wrote to memory of 1560	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	84350.exe
PID 624 wrote to memory of 1960	624	79773.exe	AdobeART.exe
PID 624 wrote to memory of 1960	624	79773.exe	AdobeART.exe
PID 624 wrote to memory of 1960	624	79773.exe	AdobeART.exe
PID 624 wrote to memory of 1960	624	79773.exe	AdobeART.exe
PID 1352 wrote to memory of 932	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	96909.exe
PID 1352 wrote to memory of 932	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	96909.exe
PID 1352 wrote to memory of 932	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	96909.exe
PID 1352 wrote to memory of 932	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	96909.exe
PID 1352 wrote to memory of 932	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	96909.exe
PID 1352 wrote to memory of 932	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	96909.exe
PID 1352 wrote to memory of 932	1352	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	96909.exe
PID 1172 wrote to memory of 1768	1172	25841.exe	winlog.exe
PID 1172 wrote to memory of 1768	1172	25841.exe	winlog.exe
PID 1172 wrote to memory of 1768	1172	25841.exe	winlog.exe
PID 1172 wrote to memory of 1768	1172	25841.exe	winlog.exe
PID 932 wrote to memory of 764	932	96909.exe	IDM1.tmp
PID 932 wrote to memory of 764	932	96909.exe	IDM1.tmp
PID 932 wrote to memory of 764	932	96909.exe	IDM1.tmp
PID 932 wrote to memory of 764	932	96909.exe	IDM1.tmp
PID 932 wrote to memory of 764	932	96909.exe	IDM1.tmp
PID 932 wrote to memory of 764	932	96909.exe	IDM1.tmp
PID 932 wrote to memory of 764	932	96909.exe	IDM1.tmp

C:\Users\Admin\AppData\Local\Temp\b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe
"C:\Users\Admin\AppData\Local\Temp\b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\79773.exe
"C:\Users\Admin\AppData\Local\Temp\79773.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Roaming\AdobeART.exe
"C:\Users\Admin\AppData\Roaming\AdobeART.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1960

C:\Users\Admin\AppData\Local\Temp\25841.exe
"C:\Users\Admin\AppData\Local\Temp\25841.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1768

C:\Users\Admin\AppData\Local\Temp\84350.exe
"C:\Users\Admin\AppData\Local\Temp\84350.exe"
2⤵
- Executes dropped EXE
PID:1560

C:\Users\Admin\AppData\Local\Temp\96909.exe
"C:\Users\Admin\AppData\Local\Temp\96909.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
"C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
3⤵
- Executes dropped EXE
PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25841.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\25841.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\79773.exe
Filesize
18KB

MD5
f30c2e06f7cf7477666464e5b2073edd

SHA1
250ad655475c0fe6c9da849e7ef8717ee204def9

SHA256
a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758

SHA512
232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df

Download Submit
C:\Users\Admin\AppData\Local\Temp\79773.exe
Filesize
18KB

MD5
f30c2e06f7cf7477666464e5b2073edd

SHA1
250ad655475c0fe6c9da849e7ef8717ee204def9

SHA256
a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758

SHA512
232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df

Download Submit
C:\Users\Admin\AppData\Local\Temp\84350.exe
Filesize
33KB

MD5
e131dc8199e0dbe6a6eeec0766843ed5

SHA1
0da7ff2a654a45a54fcaa6018faebe05e13c2648

SHA256
243d00f021be7a7f38949e42d0fa15b0878855673857a6489666769c7698f316

SHA512
c75337c0556a2cbcc3eca8923b657c1cb79a12cfd3defce7427a0537f81a901124891677758394a20a5ed9857e2e84a64853ee77e9302b587816bc0071dc7fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\96909.exe
Filesize
6.1MB

MD5
f24a3484dde51c6495dca7b21450d011

SHA1
641d93056aa4dcdca292dbb571693a27bbafb6ba

SHA256
8fe784aeff05522dce528702866178075daa7f4eb0ea1bb2949702118ae16cc3

SHA512
e168b53dc1d71a08e1ee745869867ecf2b4d66be6b07083180a5648047226491849e6e8a1418c936af0d4943927da7764148d38f5998b06b1d13315f78ebd39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\96909.exe
Filesize
6.1MB

MD5
f24a3484dde51c6495dca7b21450d011

SHA1
641d93056aa4dcdca292dbb571693a27bbafb6ba

SHA256
8fe784aeff05522dce528702866178075daa7f4eb0ea1bb2949702118ae16cc3

SHA512
e168b53dc1d71a08e1ee745869867ecf2b4d66be6b07083180a5648047226491849e6e8a1418c936af0d4943927da7764148d38f5998b06b1d13315f78ebd39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
Filesize
175KB

MD5
95dc303033dc07fe499f50e5fb4dc167

SHA1
99359db6ecf799eaa96aa68657636cee8e3f162c

SHA256
9f71d3d58daa0bd5ad1c47094c609405ac1c58099a2249f24ee2b9c062d60bd9

SHA512
d33186151e825bc6bfa36a700ac40315faa9c35e26b9ab07d25332ab0a06c6d6119de8920bff6bc9b350a1b67c9534e43948ad51249d208ded535143a5462707

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeART.exe
Filesize
18KB

MD5
f30c2e06f7cf7477666464e5b2073edd

SHA1
250ad655475c0fe6c9da849e7ef8717ee204def9

SHA256
a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758

SHA512
232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
\Users\Admin\AppData\Local\Temp\25841.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
Filesize
175KB

MD5
95dc303033dc07fe499f50e5fb4dc167

SHA1
99359db6ecf799eaa96aa68657636cee8e3f162c

SHA256
9f71d3d58daa0bd5ad1c47094c609405ac1c58099a2249f24ee2b9c062d60bd9

SHA512
d33186151e825bc6bfa36a700ac40315faa9c35e26b9ab07d25332ab0a06c6d6119de8920bff6bc9b350a1b67c9534e43948ad51249d208ded535143a5462707

Download Submit
\Users\Admin\AppData\Roaming\AdobeART.exe
Filesize
18KB

MD5
f30c2e06f7cf7477666464e5b2073edd

SHA1
250ad655475c0fe6c9da849e7ef8717ee204def9

SHA256
a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758

SHA512
232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df

Download Submit
\Users\Admin\AppData\Roaming\AdobeART.exe
Filesize
18KB

MD5
f30c2e06f7cf7477666464e5b2073edd

SHA1
250ad655475c0fe6c9da849e7ef8717ee204def9

SHA256
a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758

SHA512
232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
memory/624-58-0x0000000000000000-mapping.dmp

Download
memory/624-61-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/624-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/624-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/764-89-0x0000000000000000-mapping.dmp

Download
memory/764-96-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/932-91-0x0000000000300000-0x000000000032E000-memory.dmp

Filesize
184KB

Download
memory/932-78-0x0000000000000000-mapping.dmp

Download
memory/932-92-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1172-62-0x0000000000000000-mapping.dmp

Download
memory/1352-56-0x0000000001F56000-0x0000000001F75000-memory.dmp

Filesize
124KB

Download
memory/1352-54-0x000007FEF4150000-0x000007FEF4B73000-memory.dmp

Filesize
10.1MB

Download
memory/1352-81-0x0000000001F56000-0x0000000001F75000-memory.dmp

Filesize
124KB

Download
memory/1352-57-0x0000000001F56000-0x0000000001F75000-memory.dmp

Filesize
124KB

Download
memory/1352-55-0x000007FEF2E70000-0x000007FEF3F06000-memory.dmp

Filesize
16.6MB

Download
memory/1560-67-0x0000000000000000-mapping.dmp

Download
memory/1560-77-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1768-86-0x0000000000000000-mapping.dmp

Download
memory/1960-72-0x0000000000000000-mapping.dmp

Download
memory/1960-76-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download