modiloader | 174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1

General

Target

174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
Size

416KB
MD5

e09d110c163d7fa4cbb0e2eada55ad2e
SHA1

a06a7a4c576e771cb42f40040e59b695c574adc9
SHA256

174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1
SHA512

8ed4b2aca37c95eb91014289f4b18934b0d4080f5cc5265b55cfdb42e0cdbead3b2800f488fb0f78769ba2f78764dce8ad0d0910d93e0e2f62a890a2a73dc2f3
SSDEEP

6144:92pzkx73KLxCXNg7CCwWX5xqmigHLkR08CCdOGV8c65AcOlpotWlLjW/z6:op276Uz+fqmieeZtJ6mcOzoINyL6

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4248-132-0x0000000000400000-0x000000000046E000-memory.dmp	modiloader_stage2
behavioral2/memory/4440-135-0x0000000000540000-0x0000000000608000-memory.dmp	modiloader_stage2
behavioral2/memory/2720-138-0x0000000000660000-0x0000000000728000-memory.dmp	modiloader_stage2
behavioral2/memory/4248-139-0x0000000000400000-0x000000000046E000-memory.dmp	modiloader_stage2
behavioral2/memory/4248-140-0x0000000000400000-0x0000000000438000-memory.dmp	modiloader_stage2
behavioral2/memory/4440-142-0x0000000000540000-0x0000000000608000-memory.dmp	modiloader_stage2
behavioral2/memory/1564-144-0x0000000000E00000-0x0000000000EC8000-memory.dmp	modiloader_stage2
behavioral2/memory/1564-145-0x0000000000E00000-0x0000000000EC8000-memory.dmp	modiloader_stage2
behavioral2/memory/2720-146-0x0000000000660000-0x0000000000728000-memory.dmp	modiloader_stage2
behavioral2/memory/4512-149-0x0000000000670000-0x0000000000738000-memory.dmp	modiloader_stage2
behavioral2/memory/4512-151-0x0000000000670000-0x0000000000738000-memory.dmp	modiloader_stage2
behavioral2/memory/4512-153-0x0000000000670000-0x0000000000738000-memory.dmp	modiloader_stage2

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\{645cad43-783d-4cfb-a1ea-b4ffe0ace049} = "\"C:\\ProgramData\\Microsoft\\{645cad43-783d-4cfb-a1ea-b4ffe0ace049}\\{645cad43-783d-4cfb-a1ea-b4ffe0ace049}.exe\""	svchost.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{645cad43-783d-4cfb-a1ea-b4ffe0ace049} = "\"C:\\ProgramData\\Microsoft\\{645cad43-783d-4cfb-a1ea-b4ffe0ace049}\\{645cad43-783d-4cfb-a1ea-b4ffe0ace049}.exe\""	svchost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3360 4248 WerFault.exe 174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe

pid	pid_target	process	target process
3360	4248	WerFault.exe	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\svchost.exe = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\explorer.exe = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\svchost.exe = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exesvchost.exe

pid	process
4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exesvchost.exe

pid	process
4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe
4440	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exesvchost.exe

description	pid	process	target process
PID 4248 wrote to memory of 4440	4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe	svchost.exe
PID 4248 wrote to memory of 4440	4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe	svchost.exe
PID 4248 wrote to memory of 4440	4248	174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe	svchost.exe
PID 4440 wrote to memory of 2720	4440	svchost.exe	svchost.exe
PID 4440 wrote to memory of 2720	4440	svchost.exe	svchost.exe
PID 4440 wrote to memory of 2720	4440	svchost.exe	svchost.exe
PID 4440 wrote to memory of 1564	4440	svchost.exe	explorer.exe
PID 4440 wrote to memory of 1564	4440	svchost.exe	explorer.exe
PID 4440 wrote to memory of 1564	4440	svchost.exe	explorer.exe
PID 4440 wrote to memory of 4512	4440	svchost.exe	svchost.exe
PID 4440 wrote to memory of 4512	4440	svchost.exe	svchost.exe
PID 4440 wrote to memory of 4512	4440	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe
"C:\Users\Admin\AppData\Local\Temp\174a89845245b9d2d44fa683d7f21e78ac9dbee69212c17770b204ca2c1f51d1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\svchost.exe
"svchost.exe"
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:2720

C:\Windows\SysWOW64\explorer.exe
"explorer.exe"
3⤵
PID:1564

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 140
2⤵
- Program crash
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4248 -ip 4248
1⤵
PID:1260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1564-143-0x0000000000610000-0x0000000000A43000-memory.dmp

Filesize
4.2MB

Download
memory/1564-145-0x0000000000E00000-0x0000000000EC8000-memory.dmp

Filesize
800KB

Download
memory/1564-144-0x0000000000E00000-0x0000000000EC8000-memory.dmp

Filesize
800KB

Download
memory/1564-141-0x0000000000000000-mapping.dmp

Download
memory/2720-146-0x0000000000660000-0x0000000000728000-memory.dmp

Filesize
800KB

Download
memory/2720-136-0x0000000000000000-mapping.dmp

Download
memory/2720-137-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/2720-138-0x0000000000660000-0x0000000000728000-memory.dmp

Filesize
800KB

Download
memory/4248-139-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4248-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4248-132-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4440-142-0x0000000000540000-0x0000000000608000-memory.dmp

Filesize
800KB

Download
memory/4440-135-0x0000000000540000-0x0000000000608000-memory.dmp

Filesize
800KB

Download
memory/4440-134-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/4440-133-0x0000000000000000-mapping.dmp

Download
memory/4512-147-0x0000000000000000-mapping.dmp

Download
memory/4512-148-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/4512-149-0x0000000000670000-0x0000000000738000-memory.dmp

Filesize
800KB

Download
memory/4512-150-0x0000000002D80000-0x0000000002DA6000-memory.dmp

Filesize
152KB

Download
memory/4512-151-0x0000000000670000-0x0000000000738000-memory.dmp

Filesize
800KB

Download
memory/4512-152-0x0000000002D80000-0x0000000002DA6000-memory.dmp

Filesize
152KB

Download
memory/4512-153-0x0000000000670000-0x0000000000738000-memory.dmp

Filesize
800KB

Download
memory/4512-154-0x0000000002D80000-0x0000000002DA6000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads