modiloader | 11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3

General

Target

11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
Size

262KB
MD5

c0dc5f2788fd095f1a6b3a059ef14e6b
SHA1

eaa429ee7b7d5caca8f824882e5d8e1c952dfd5a
SHA256

11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3
SHA512

3e03358418cc8a423c4e9d81fbd9d6ba377e5b18067b76d0e713ae9769b525cd60e10d7f4003415c7c1ee0f3e22dc433392b02bb7d62d9cf0cbc44f1ab09ac69
SSDEEP

6144:FnG58+jlN3XfqPUHdpLQ5ohF+HhzVTk2Fvbm7zOtO4gpLn3:FA8+jXnwUH/Qomhp0qU4g1

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

svchost.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	svchost.exe

ModiLoader Second Stage 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4828-132-0x0000000000400000-0x0000000000446000-memory.dmp	modiloader_stage2
behavioral2/memory/4828-135-0x0000000000400000-0x0000000000446000-memory.dmp	modiloader_stage2
behavioral2/memory/3836-139-0x0000000000800000-0x00000000008CE000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-141-0x00000000008F0000-0x00000000009BE000-memory.dmp	modiloader_stage2
behavioral2/memory/4128-144-0x00000000014A0000-0x000000000156E000-memory.dmp	modiloader_stage2
behavioral2/memory/3836-145-0x0000000000800000-0x00000000008CE000-memory.dmp	modiloader_stage2
behavioral2/memory/4436-146-0x00000000008F0000-0x00000000009BE000-memory.dmp	modiloader_stage2
behavioral2/memory/4128-147-0x00000000014A0000-0x000000000156E000-memory.dmp	modiloader_stage2
behavioral2/memory/116-150-0x0000000001000000-0x00000000010CE000-memory.dmp	modiloader_stage2
behavioral2/memory/116-152-0x0000000001000000-0x00000000010CE000-memory.dmp	modiloader_stage2
behavioral2/memory/116-154-0x0000000001000000-0x00000000010CE000-memory.dmp	modiloader_stage2

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\{1df931d8-7338-1252-17ec-6d45540df9d0} = "\"C:\\ProgramData\\Microsoft\\{1df931d8-7338-1252-17ec-6d45540df9d0}\\{1df931d8-7338-1252-17ec-6d45540df9d0}.exe\""	svchost.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

svchost.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	svchost.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{1df931d8-7338-1252-17ec-6d45540df9d0} = "\"C:\\ProgramData\\Microsoft\\{1df931d8-7338-1252-17ec-6d45540df9d0}\\{1df931d8-7338-1252-17ec-6d45540df9d0}.exe\""	svchost.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\svchost.exe = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\svchost.exe = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\explorer.exe = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exesvchost.exe

pid	process
4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exesvchost.exe

pid	process
4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe
3836	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exesvchost.exe

description	pid	process	target process
PID 4828 wrote to memory of 3836	4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe	svchost.exe
PID 4828 wrote to memory of 3836	4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe	svchost.exe
PID 4828 wrote to memory of 3836	4828	11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe	svchost.exe
PID 3836 wrote to memory of 4436	3836	svchost.exe	svchost.exe
PID 3836 wrote to memory of 4436	3836	svchost.exe	svchost.exe
PID 3836 wrote to memory of 4436	3836	svchost.exe	svchost.exe
PID 3836 wrote to memory of 4128	3836	svchost.exe	explorer.exe
PID 3836 wrote to memory of 4128	3836	svchost.exe	explorer.exe
PID 3836 wrote to memory of 4128	3836	svchost.exe	explorer.exe
PID 3836 wrote to memory of 116	3836	svchost.exe	svchost.exe
PID 3836 wrote to memory of 116	3836	svchost.exe	svchost.exe
PID 3836 wrote to memory of 116	3836	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe
"C:\Users\Admin\AppData\Local\Temp\11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\svchost.exe
"svchost.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:4436

C:\Windows\SysWOW64\explorer.exe
"explorer.exe"
3⤵
PID:4128

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/116-155-0x0000000003700000-0x0000000003726000-memory.dmp

Filesize
152KB

Download
memory/116-154-0x0000000001000000-0x00000000010CE000-memory.dmp

Filesize
824KB

Download
memory/116-153-0x0000000003700000-0x0000000003726000-memory.dmp

Filesize
152KB

Download
memory/116-152-0x0000000001000000-0x00000000010CE000-memory.dmp

Filesize
824KB

Download
memory/116-151-0x0000000003700000-0x0000000003726000-memory.dmp

Filesize
152KB

Download
memory/116-150-0x0000000001000000-0x00000000010CE000-memory.dmp

Filesize
824KB

Download
memory/116-149-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/116-148-0x0000000000000000-mapping.dmp

Download
memory/3836-145-0x0000000000800000-0x00000000008CE000-memory.dmp

Filesize
824KB

Download
memory/3836-134-0x0000000000000000-mapping.dmp

Download
memory/3836-137-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/3836-139-0x0000000000800000-0x00000000008CE000-memory.dmp

Filesize
824KB

Download
memory/4128-144-0x00000000014A0000-0x000000000156E000-memory.dmp

Filesize
824KB

Download
memory/4128-147-0x00000000014A0000-0x000000000156E000-memory.dmp

Filesize
824KB

Download
memory/4128-143-0x0000000000D60000-0x0000000001193000-memory.dmp

Filesize
4.2MB

Download
memory/4128-142-0x0000000000000000-mapping.dmp

Download
memory/4436-146-0x00000000008F0000-0x00000000009BE000-memory.dmp

Filesize
824KB

Download
memory/4436-141-0x00000000008F0000-0x00000000009BE000-memory.dmp

Filesize
824KB

Download
memory/4436-140-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/4436-138-0x0000000000000000-mapping.dmp

Download
memory/4828-132-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4828-136-0x00000000007E0000-0x000000000081F000-memory.dmp

Filesize
252KB

Download
memory/4828-135-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4828-133-0x00000000007E0000-0x000000000081F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads