modiloader | d7d8371a9da125ecb4b8d8e0f136ce7a610354cd0a968048ea280cafe76c87ea

General

Target

lxxtbsq/Lx_Speed 1.5 Beta1.exe
Size

2.2MB
MD5

d5fdd0a32bc734cc4abb7c39921c0051
SHA1

cca76e39f9c9e7a9dbb4544b275669e297edc522
SHA256

b3e4ec4f0233a46af22a024643deae26f6b1455b45dba5f5a3d6d59019a4b172
SHA512

e354883e69d7d538a7c37042d1b1ebf7499b987dba4d0464da492f9f9963c646689b394c069abfeaabc2ced9818511dd51e5685e29adace962c969b43f03a7cf
SSDEEP

49152:HeZ6epYyulT8r+d/PJOwKkfbPqm9QpDHfjuWULBtmQqvzUHe:HeseyvPJh9f2m9Q9HftULTmvvzUHe

Score

10^/10

modiloader trojan upx vmprotect

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/980-65-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2
behavioral1/memory/980-66-0x0000000000499F34-mapping.dmp	modiloader_stage2
behavioral1/memory/980-68-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2
behavioral1/memory/980-71-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2
behavioral1/memory/980-74-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2
behavioral1/memory/980-75-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

LianXue_WPE.exeLianXue_WPE.exe

pid process

1924 LianXue_WPE.exe
980 LianXue_WPE.exe

pid	process
1924	LianXue_WPE.exe
980	LianXue_WPE.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe	upx
behavioral1/memory/1924-69-0x0000000000400000-0x0000000000565000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2016-55-0x0000000000400000-0x00000000008EB000-memory.dmp	vmprotect
behavioral1/memory/2016-57-0x0000000000400000-0x00000000008EB000-memory.dmp	vmprotect
behavioral1/memory/2016-58-0x0000000000400000-0x00000000008EB000-memory.dmp	vmprotect
behavioral1/memory/2016-76-0x0000000000400000-0x00000000008EB000-memory.dmp	vmprotect

Loads dropped DLL 3 IoCs

Processes:

Lx_Speed 1.5 Beta1.exeLianXue_WPE.exe

pid process

2016 Lx_Speed 1.5 Beta1.exe
2016 Lx_Speed 1.5 Beta1.exe
1924 LianXue_WPE.exe
Drops file in System32 directory 1 IoCs

Processes:

LianXue_WPE.exe

description ioc process

File created C:\Windows\SysWOW64\2010.txt LianXue_WPE.exe

description	ioc	process
File created	C:\Windows\SysWOW64\2010.txt	LianXue_WPE.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

LianXue_WPE.exeLianXue_WPE.exe

description	pid	process	target process
PID 1924 set thread context of 980	1924	LianXue_WPE.exe	LianXue_WPE.exe
PID 980 set thread context of 560	980	LianXue_WPE.exe	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376310877"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{87DFF871-6E40-11ED-AD72-5E7A81A7298C} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Lx_Speed 1.5 Beta1.exe

pid process

2016 Lx_Speed 1.5 Beta1.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

560 IEXPLORE.EXE

pid	process
560	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Lx_Speed 1.5 Beta1.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2016	Lx_Speed 1.5 Beta1.exe
2016	Lx_Speed 1.5 Beta1.exe
560	IEXPLORE.EXE
560	IEXPLORE.EXE
568	IEXPLORE.EXE
568	IEXPLORE.EXE
568	IEXPLORE.EXE
568	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Lx_Speed 1.5 Beta1.exeLianXue_WPE.exeLianXue_WPE.exeIEXPLORE.EXE

description	pid	process	target process
PID 2016 wrote to memory of 1924	2016	Lx_Speed 1.5 Beta1.exe	LianXue_WPE.exe
PID 2016 wrote to memory of 1924	2016	Lx_Speed 1.5 Beta1.exe	LianXue_WPE.exe
PID 2016 wrote to memory of 1924	2016	Lx_Speed 1.5 Beta1.exe	LianXue_WPE.exe
PID 2016 wrote to memory of 1924	2016	Lx_Speed 1.5 Beta1.exe	LianXue_WPE.exe
PID 1924 wrote to memory of 980	1924	LianXue_WPE.exe	LianXue_WPE.exe
PID 1924 wrote to memory of 980	1924	LianXue_WPE.exe	LianXue_WPE.exe
PID 1924 wrote to memory of 980	1924	LianXue_WPE.exe	LianXue_WPE.exe
PID 1924 wrote to memory of 980	1924	LianXue_WPE.exe	LianXue_WPE.exe
PID 1924 wrote to memory of 980	1924	LianXue_WPE.exe	LianXue_WPE.exe
PID 1924 wrote to memory of 980	1924	LianXue_WPE.exe	LianXue_WPE.exe
PID 980 wrote to memory of 560	980	LianXue_WPE.exe	IEXPLORE.EXE
PID 980 wrote to memory of 560	980	LianXue_WPE.exe	IEXPLORE.EXE
PID 980 wrote to memory of 560	980	LianXue_WPE.exe	IEXPLORE.EXE
PID 980 wrote to memory of 560	980	LianXue_WPE.exe	IEXPLORE.EXE
PID 980 wrote to memory of 560	980	LianXue_WPE.exe	IEXPLORE.EXE
PID 560 wrote to memory of 568	560	IEXPLORE.EXE	IEXPLORE.EXE
PID 560 wrote to memory of 568	560	IEXPLORE.EXE	IEXPLORE.EXE
PID 560 wrote to memory of 568	560	IEXPLORE.EXE	IEXPLORE.EXE
PID 560 wrote to memory of 568	560	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\lxxtbsq\Lx_Speed 1.5 Beta1.exe
"C:\Users\Admin\AppData\Local\Temp\lxxtbsq\Lx_Speed 1.5 Beta1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
  C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
    C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\program files\internet explorer\IEXPLORE.EXE
      "C:\program files\internet explorer\IEXPLORE.EXE"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:560 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F3XBTXS0.txt

Filesize
603B

MD5
23590845fa9ffceef1de96a93b8cbe2f

SHA1
35d07f958efc686ddcea5a7483d06eed538cabed

SHA256
aedb4b4c4c4a5dafaa07edffeffb24fa8c513e452eeb7feec90ff3e330a8e724

SHA512
7cde54da05a6f8ee0a7a67920a394045cbe26f0fa8cdb9a7f06ac9539cdda615cf81143a138b8b196e35b4676bbd3ee1360ef269629347d8b0e25386706ac9bc

Download Submit
\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe

Filesize
702KB

MD5
c7734ebabc26a1989a0f151abe699a18

SHA1
4bfc5c8f96d220b0b768b266f0ad9a6020644938

SHA256
2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b

SHA512
e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf

Download Submit
memory/980-71-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/980-68-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/980-75-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/980-74-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/980-65-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/980-66-0x0000000000499F34-mapping.dmp

Download
memory/1924-61-0x0000000000000000-mapping.dmp

Download
memory/1924-69-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/2016-73-0x00000000033F0000-0x0000000003555000-memory.dmp

Filesize
1.4MB

Download
memory/2016-55-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/2016-58-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/2016-72-0x00000000033F0000-0x0000000003555000-memory.dmp

Filesize
1.4MB

Download
memory/2016-57-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/2016-76-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/2016-77-0x00000000033F0000-0x0000000003555000-memory.dmp

Filesize
1.4MB

Download
memory/2016-78-0x00000000033F0000-0x0000000003555000-memory.dmp

Filesize
1.4MB

Download
memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads