modiloader | 7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076

General

Target

7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076.exe
Size

1.7MB
MD5

f37023c41ae712e20595650fcc5f06d2
SHA1

f1d0887b2d2c3788b73ba4aefcc0d060d6bfeedd
SHA256

7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076
SHA512

8b27218a41f69e743f11630eb31e5d8af472c688598f438f057a3f65aa2c2644eacd39286aecb090c2343e94ed481a1a291382402b297a7a7b52949ff6c2e643
SSDEEP

24576:nZXBJxLVwqSdNLRlJMXVWxaC5wa1tqqdXE+86TZStU4gf2EW5A2DJr/kS4vGIk6O:FrxBHofJMXGnrvi+RTZh43Dp/wPHXW

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\EXE_temp1.exe	modiloader_stage2

Executes dropped EXE 4 IoCs

Processes:

EXE_temp0.exeEXE_temp1.exeEXE_temp2.exerecyclers-s-5-1-21.exe

pid process

4836 EXE_temp0.exe
2424 EXE_temp1.exe
4484 EXE_temp2.exe
4716 recyclers-s-5-1-21.exe
Loads dropped DLL 2 IoCs

Processes:

recyclers-s-5-1-21.exe

pid process

4716 recyclers-s-5-1-21.exe
4716 recyclers-s-5-1-21.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5060 4836 WerFault.exe EXE_temp0.exe

pid	process
4836	EXE_temp0.exe
2424	EXE_temp1.exe
4484	EXE_temp2.exe
4716	recyclers-s-5-1-21.exe

pid	process
4716	recyclers-s-5-1-21.exe
4716	recyclers-s-5-1-21.exe

pid	pid_target	process	target process
5060	4836	WerFault.exe	EXE_temp0.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

recyclers-s-5-1-21.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	recyclers-s-5-1-21.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	recyclers-s-5-1-21.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	recyclers-s-5-1-21.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	recyclers-s-5-1-21.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	recyclers-s-5-1-21.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

EXE_temp2.exerecyclers-s-5-1-21.exe

description pid process

Token: SeDebugPrivilege 4484 EXE_temp2.exe
Token: SeDebugPrivilege 4716 recyclers-s-5-1-21.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

recyclers-s-5-1-21.exe

pid process

4716 recyclers-s-5-1-21.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

recyclers-s-5-1-21.exe

pid process

4716 recyclers-s-5-1-21.exe
4716 recyclers-s-5-1-21.exe

description	pid	process
Token: SeDebugPrivilege	4484	EXE_temp2.exe
Token: SeDebugPrivilege	4716	recyclers-s-5-1-21.exe

pid	process
4716	recyclers-s-5-1-21.exe

pid	process
4716	recyclers-s-5-1-21.exe
4716	recyclers-s-5-1-21.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076.exeEXE_temp1.exerecyclers-s-5-1-21.exe

description	pid	process	target process
PID 3408 wrote to memory of 4836	3408	7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076.exe	EXE_temp0.exe
PID 3408 wrote to memory of 4836	3408	7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076.exe	EXE_temp0.exe
PID 3408 wrote to memory of 4836	3408	7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076.exe	EXE_temp0.exe
PID 3408 wrote to memory of 2424	3408	7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076.exe	EXE_temp1.exe
PID 3408 wrote to memory of 2424	3408	7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076.exe	EXE_temp1.exe
PID 3408 wrote to memory of 2424	3408	7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076.exe	EXE_temp1.exe
PID 3408 wrote to memory of 4484	3408	7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076.exe	EXE_temp2.exe
PID 3408 wrote to memory of 4484	3408	7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076.exe	EXE_temp2.exe
PID 3408 wrote to memory of 4484	3408	7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076.exe	EXE_temp2.exe
PID 2424 wrote to memory of 2700	2424	EXE_temp1.exe	IEXPLORE.EXE
PID 2424 wrote to memory of 2700	2424	EXE_temp1.exe	IEXPLORE.EXE
PID 4716 wrote to memory of 4652	4716	recyclers-s-5-1-21.exe	IEXPLORE.EXE
PID 4716 wrote to memory of 4652	4716	recyclers-s-5-1-21.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076.exe
"C:\Users\Admin\AppData\Local\Temp\7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\EXE_temp0.exe
"C:\Users\Admin\AppData\Local\Temp\EXE_temp0.exe"
2⤵
- Executes dropped EXE
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 504
3⤵
- Program crash
PID:5060

C:\Users\Admin\AppData\Local\Temp\EXE_temp1.exe
"C:\Users\Admin\AppData\Local\Temp\EXE_temp1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
3⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\EXE_temp2.exe
"C:\Users\Admin\AppData\Local\Temp\EXE_temp2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4836 -ip 4836
1⤵
PID:2412

C:\RECYCLER\recyclers-s-5-1-21.exe
C:\RECYCLER\recyclers-s-5-1-21.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4716

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
2⤵
PID:4652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RECYCLER\BBSHCX.DAT
Filesize
51KB

MD5
aefafdd5c9b62db20fd28e0f935263e8

SHA1
3df1cb906cc6180776143b3cc8dd77d2d6956d59

SHA256
9550cb7dcb5aae17c30239da490f44b782c0be45f626073a83cfafd45c9e8d3e

SHA512
e3e953bcede18dbd183defe2e60c1ba654cec65eaa7a8d483f262b77d76cdbba1a13a9adfd8804f586ccf6ae69f3053f8963d9d4c1193df17a5209fa06c53d40

Download Submit
C:\RECYCLER\BBSHCX.DAT
Filesize
51KB

MD5
aefafdd5c9b62db20fd28e0f935263e8

SHA1
3df1cb906cc6180776143b3cc8dd77d2d6956d59

SHA256
9550cb7dcb5aae17c30239da490f44b782c0be45f626073a83cfafd45c9e8d3e

SHA512
e3e953bcede18dbd183defe2e60c1ba654cec65eaa7a8d483f262b77d76cdbba1a13a9adfd8804f586ccf6ae69f3053f8963d9d4c1193df17a5209fa06c53d40

Download Submit
C:\RECYCLER\BBSHCX.DAT
Filesize
51KB

MD5
aefafdd5c9b62db20fd28e0f935263e8

SHA1
3df1cb906cc6180776143b3cc8dd77d2d6956d59

SHA256
9550cb7dcb5aae17c30239da490f44b782c0be45f626073a83cfafd45c9e8d3e

SHA512
e3e953bcede18dbd183defe2e60c1ba654cec65eaa7a8d483f262b77d76cdbba1a13a9adfd8804f586ccf6ae69f3053f8963d9d4c1193df17a5209fa06c53d40

Download Submit
C:\RECYCLER\recyclers-s-5-1-21.exe
Filesize
795KB

MD5
6d4c27a39686689f98a83de90383ebc8

SHA1
13c37e67230033dc729c99c83da593f1af634908

SHA256
60b79787052c00e26c733a04facb040c4d7f81b10b9b3b4ae423930b640c0d43

SHA512
d29e2f043e1b6c71620658e5e3b510fde14407b28089bbbbdb12015ba7d0d21b290f6985e28b359fe9763066c4326f8734c066b427e0f0c05fb439a85a1f5748

Download Submit
C:\RECYCLER\recyclers-s-5-1-21.exe
Filesize
795KB

MD5
6d4c27a39686689f98a83de90383ebc8

SHA1
13c37e67230033dc729c99c83da593f1af634908

SHA256
60b79787052c00e26c733a04facb040c4d7f81b10b9b3b4ae423930b640c0d43

SHA512
d29e2f043e1b6c71620658e5e3b510fde14407b28089bbbbdb12015ba7d0d21b290f6985e28b359fe9763066c4326f8734c066b427e0f0c05fb439a85a1f5748

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE_temp0.exe
Filesize
250KB

MD5
eec13aa4885914e23037b5d69f982cd5

SHA1
feccd45713f84c5e3729b0660fdb054cb816df34

SHA256
bf4739756d5282358b208bb75f0dd1af879cbfb3e9ff92cb670b98ba7b7c6ea9

SHA512
42ddb099c48b17aab6a53004cdc62bb96695ead2bcbde055749ad30a9c56f04733b7e47d227120a1000eb97ece33b077a1076d37a2735102600b4fdc2829cd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE_temp1.exe
Filesize
681KB

MD5
b8d8384b8ff97032e7230dd020763ebd

SHA1
21b53995c976ac5e9d749ce090ee7494beeca44d

SHA256
43d33251a3ccfa19c940d875d1861a9f1606eaa3afdecc2c30118e2dd9a5a0d7

SHA512
7a04e45417b8571cf0722fbcbd40f693da9c6a9bbca72e1577ae3b6024dd3df88cb07b87efc300f584a16e2dd4d64834841939d2bef3365e39e0b362f5cda13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE_temp2.exe
Filesize
795KB

MD5
6d4c27a39686689f98a83de90383ebc8

SHA1
13c37e67230033dc729c99c83da593f1af634908

SHA256
60b79787052c00e26c733a04facb040c4d7f81b10b9b3b4ae423930b640c0d43

SHA512
d29e2f043e1b6c71620658e5e3b510fde14407b28089bbbbdb12015ba7d0d21b290f6985e28b359fe9763066c4326f8734c066b427e0f0c05fb439a85a1f5748

Download Submit
memory/2424-134-0x0000000000000000-mapping.dmp

Download
memory/4484-136-0x0000000000000000-mapping.dmp

Download
memory/4716-145-0x0000000001670000-0x0000000001681000-memory.dmp

Filesize
68KB

Download
memory/4836-138-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4836-141-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4836-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads