modiloader | b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7

Analysis

max time kernel
189s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe
Size

6.3MB
MD5

7f66b63ae030d04a43178df57bb78b1a
SHA1

8605715d8de48241315ec8fcfb91a8380f6776c1
SHA256

b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7
SHA512

4a0590a23c10dd257692e1f4497912935556d4e152fe09ecd1eb2531fba0ee80a079c589068315623ff660c8e5c99871d68a4d48fecfc7ed579081c5e77def46
SSDEEP

98304:A1RaZKOTNyQE17hjs+USipFnLSXF9v8CqLoiLwst/IxZsQU3wDkAaXnmkhD:4aZXTLcVs+upF4Lv8CqSstUKQU1lL5

Score

10^/10

modiloader xtremerat persistence rat spyware trojan upx

Malware Config

Extracted

Family

xtremerat

remotedesktop11.no-ip.info

Signatures

Detect XtremeRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3860-143-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/3140-144-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3860-145-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3140-147-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3860-152-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3080-150-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/2348-156-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Executes dropped EXE 7 IoCs

Processes:

57275.exe31273.exe43832.exeAdobeART.exe85842.exewinlog.exeIDM1.tmp

pid process

3080 57275.exe
3028 31273.exe
3140 43832.exe
2348 AdobeART.exe
3012 85842.exe
2568 winlog.exe
4820 IDM1.tmp

pid	process
3080	57275.exe
3028	31273.exe
3140	43832.exe
2348	AdobeART.exe
3012	85842.exe
2568	winlog.exe
4820	IDM1.tmp

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\57275.exe	upx
C:\Users\Admin\AppData\Local\Temp\57275.exe	upx
behavioral2/memory/3080-136-0x0000000000400000-0x0000000000414000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\43832.exe	upx
C:\Users\Admin\AppData\Local\Temp\43832.exe	upx
behavioral2/memory/3140-144-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3860-145-0x0000000010000000-0x000000001004D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\AdobeART.exe	upx
C:\Users\Admin\AppData\Roaming\AdobeART.exe	upx
behavioral2/memory/3140-147-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3080-150-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/3860-152-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2348-156-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

31273.exeb2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe57275.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	31273.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	57275.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AdobeART.exewinlog.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe"	AdobeART.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	winlog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlog.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlog.exe"	winlog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4564 3860 WerFault.exe svchost.exe
444 3860 WerFault.exe svchost.exe
Modifies registry class 1 IoCs

Processes:

31273.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 31273.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe

description pid process

Token: SeDebugPrivilege 1476 b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe

pid	pid_target	process	target process
4564	3860	WerFault.exe	svchost.exe
444	3860	WerFault.exe	svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	31273.exe

description	pid	process
Token: SeDebugPrivilege	1476	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe43832.exe57275.exe31273.exe85842.exe

description	pid	process	target process
PID 1476 wrote to memory of 3080	1476	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	57275.exe
PID 1476 wrote to memory of 3080	1476	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	57275.exe
PID 1476 wrote to memory of 3080	1476	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	57275.exe
PID 1476 wrote to memory of 3028	1476	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	31273.exe
PID 1476 wrote to memory of 3028	1476	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	31273.exe
PID 1476 wrote to memory of 3028	1476	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	31273.exe
PID 1476 wrote to memory of 3140	1476	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	43832.exe
PID 1476 wrote to memory of 3140	1476	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	43832.exe
PID 1476 wrote to memory of 3140	1476	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	43832.exe
PID 3140 wrote to memory of 3860	3140	43832.exe	svchost.exe
PID 3140 wrote to memory of 3860	3140	43832.exe	svchost.exe
PID 3140 wrote to memory of 3860	3140	43832.exe	svchost.exe
PID 3140 wrote to memory of 3860	3140	43832.exe	svchost.exe
PID 3140 wrote to memory of 4896	3140	43832.exe	msedge.exe
PID 3140 wrote to memory of 4896	3140	43832.exe	msedge.exe
PID 3080 wrote to memory of 2348	3080	57275.exe	AdobeART.exe
PID 3080 wrote to memory of 2348	3080	57275.exe	AdobeART.exe
PID 3080 wrote to memory of 2348	3080	57275.exe	AdobeART.exe
PID 3140 wrote to memory of 4896	3140	43832.exe	msedge.exe
PID 1476 wrote to memory of 3012	1476	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	85842.exe
PID 1476 wrote to memory of 3012	1476	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	85842.exe
PID 1476 wrote to memory of 3012	1476	b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe	85842.exe
PID 3028 wrote to memory of 2568	3028	31273.exe	winlog.exe
PID 3028 wrote to memory of 2568	3028	31273.exe	winlog.exe
PID 3028 wrote to memory of 2568	3028	31273.exe	winlog.exe
PID 3012 wrote to memory of 4820	3012	85842.exe	IDM1.tmp
PID 3012 wrote to memory of 4820	3012	85842.exe	IDM1.tmp
PID 3012 wrote to memory of 4820	3012	85842.exe	IDM1.tmp

C:\Users\Admin\AppData\Local\Temp\b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe
"C:\Users\Admin\AppData\Local\Temp\b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\57275.exe
"C:\Users\Admin\AppData\Local\Temp\57275.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3080

C:\Users\Admin\AppData\Roaming\AdobeART.exe
"C:\Users\Admin\AppData\Roaming\AdobeART.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2348

C:\Users\Admin\AppData\Local\Temp\31273.exe
"C:\Users\Admin\AppData\Local\Temp\31273.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2568

C:\Users\Admin\AppData\Local\Temp\43832.exe
"C:\Users\Admin\AppData\Local\Temp\43832.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 480
4⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 468
4⤵
- Program crash
PID:444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\85842.exe
"C:\Users\Admin\AppData\Local\Temp\85842.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
"C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
3⤵
- Executes dropped EXE
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3860 -ip 3860
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3860 -ip 3860
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31273.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31273.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\43832.exe
Filesize
33KB

MD5
e131dc8199e0dbe6a6eeec0766843ed5

SHA1
0da7ff2a654a45a54fcaa6018faebe05e13c2648

SHA256
243d00f021be7a7f38949e42d0fa15b0878855673857a6489666769c7698f316

SHA512
c75337c0556a2cbcc3eca8923b657c1cb79a12cfd3defce7427a0537f81a901124891677758394a20a5ed9857e2e84a64853ee77e9302b587816bc0071dc7fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\43832.exe
Filesize
33KB

MD5
e131dc8199e0dbe6a6eeec0766843ed5

SHA1
0da7ff2a654a45a54fcaa6018faebe05e13c2648

SHA256
243d00f021be7a7f38949e42d0fa15b0878855673857a6489666769c7698f316

SHA512
c75337c0556a2cbcc3eca8923b657c1cb79a12cfd3defce7427a0537f81a901124891677758394a20a5ed9857e2e84a64853ee77e9302b587816bc0071dc7fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\57275.exe
Filesize
18KB

MD5
f30c2e06f7cf7477666464e5b2073edd

SHA1
250ad655475c0fe6c9da849e7ef8717ee204def9

SHA256
a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758

SHA512
232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df

Download Submit
C:\Users\Admin\AppData\Local\Temp\57275.exe
Filesize
18KB

MD5
f30c2e06f7cf7477666464e5b2073edd

SHA1
250ad655475c0fe6c9da849e7ef8717ee204def9

SHA256
a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758

SHA512
232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df

Download Submit
C:\Users\Admin\AppData\Local\Temp\85842.exe
Filesize
6.1MB

MD5
f24a3484dde51c6495dca7b21450d011

SHA1
641d93056aa4dcdca292dbb571693a27bbafb6ba

SHA256
8fe784aeff05522dce528702866178075daa7f4eb0ea1bb2949702118ae16cc3

SHA512
e168b53dc1d71a08e1ee745869867ecf2b4d66be6b07083180a5648047226491849e6e8a1418c936af0d4943927da7764148d38f5998b06b1d13315f78ebd39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\85842.exe
Filesize
6.1MB

MD5
f24a3484dde51c6495dca7b21450d011

SHA1
641d93056aa4dcdca292dbb571693a27bbafb6ba

SHA256
8fe784aeff05522dce528702866178075daa7f4eb0ea1bb2949702118ae16cc3

SHA512
e168b53dc1d71a08e1ee745869867ecf2b4d66be6b07083180a5648047226491849e6e8a1418c936af0d4943927da7764148d38f5998b06b1d13315f78ebd39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
Filesize
175KB

MD5
95dc303033dc07fe499f50e5fb4dc167

SHA1
99359db6ecf799eaa96aa68657636cee8e3f162c

SHA256
9f71d3d58daa0bd5ad1c47094c609405ac1c58099a2249f24ee2b9c062d60bd9

SHA512
d33186151e825bc6bfa36a700ac40315faa9c35e26b9ab07d25332ab0a06c6d6119de8920bff6bc9b350a1b67c9534e43948ad51249d208ded535143a5462707

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeART.exe
Filesize
18KB

MD5
f30c2e06f7cf7477666464e5b2073edd

SHA1
250ad655475c0fe6c9da849e7ef8717ee204def9

SHA256
a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758

SHA512
232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeART.exe
Filesize
18KB

MD5
f30c2e06f7cf7477666464e5b2073edd

SHA1
250ad655475c0fe6c9da849e7ef8717ee204def9

SHA256
a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758

SHA512
232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
memory/1476-132-0x000000001BAF0000-0x000000001C526000-memory.dmp

Filesize
10.2MB

Download
memory/2348-156-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2348-146-0x0000000000000000-mapping.dmp

Download
memory/2568-157-0x0000000000000000-mapping.dmp

Download
memory/3012-155-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3012-151-0x0000000000000000-mapping.dmp

Download
memory/3012-162-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3028-137-0x0000000000000000-mapping.dmp

Download
memory/3080-150-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3080-133-0x0000000000000000-mapping.dmp

Download
memory/3080-136-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3140-144-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3140-140-0x0000000000000000-mapping.dmp

Download
memory/3140-147-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3860-145-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3860-143-0x0000000000000000-mapping.dmp

Download
memory/3860-152-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4820-160-0x0000000000000000-mapping.dmp

Download
memory/4820-163-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4820-164-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download