modiloader | a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a

General

Target

a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe
Size

1.1MB
MD5

9d7f8cd2078bb3f8f73236f51e1e5674
SHA1

fd6fe5aafeb1d5b9994b3133579507f23948f555
SHA256

a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a
SHA512

0df765a5ead4c34d3e634a7a5b72203cf7d3c61e3720a343515e348850654684c743e04334feeee8bbb87089ae22edf32f37dfec888c9a3fda3a96e9c6af821c
SSDEEP

24576:yEzLCFOoz9//Q9djUE1bNJT4qodm8D9U5:Ds//Q9FFCDC

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/548-58-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/1076-68-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/1076-69-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

Adobeimg.exeAdobeimg.exe

pid process

376 Adobeimg.exe
1076 Adobeimg.exe

pid	process
376	Adobeimg.exe
1076	Adobeimg.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exeAdobeimg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Adobeimg.exe

Loads dropped DLL 2 IoCs

Processes:

a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe

pid	process
548	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe
548	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Adobeimg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobeimg = "C:\\Users\\Admin\\AppData\\Roaming\\Adobeimg.exe"	Adobeimg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exeAdobeimg.exe

description	pid	process	target process
PID 868 set thread context of 548	868	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe
PID 376 set thread context of 1076	376	Adobeimg.exe	Adobeimg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exeAdobeimg.exe

pid	process
868	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe
868	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe
376	Adobeimg.exe
376	Adobeimg.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exea8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exeAdobeimg.exe

description	pid	process	target process
PID 868 wrote to memory of 548	868	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe
PID 868 wrote to memory of 548	868	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe
PID 868 wrote to memory of 548	868	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe
PID 868 wrote to memory of 548	868	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe
PID 548 wrote to memory of 376	548	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe	Adobeimg.exe
PID 548 wrote to memory of 376	548	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe	Adobeimg.exe
PID 548 wrote to memory of 376	548	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe	Adobeimg.exe
PID 548 wrote to memory of 376	548	a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe	Adobeimg.exe
PID 376 wrote to memory of 1076	376	Adobeimg.exe	Adobeimg.exe
PID 376 wrote to memory of 1076	376	Adobeimg.exe	Adobeimg.exe
PID 376 wrote to memory of 1076	376	Adobeimg.exe	Adobeimg.exe
PID 376 wrote to memory of 1076	376	Adobeimg.exe	Adobeimg.exe

C:\Users\Admin\AppData\Local\Temp\a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe
"C:\Users\Admin\AppData\Local\Temp\a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe
"C:\Users\Admin\AppData\Local\Temp\a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Roaming\Adobeimg.exe
"C:\Users\Admin\AppData\Roaming\Adobeimg.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:376

C:\Users\Admin\AppData\Roaming\Adobeimg.exe
"C:\Users\Admin\AppData\Roaming\Adobeimg.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobeimg.exe
Filesize
1.1MB

MD5
9d7f8cd2078bb3f8f73236f51e1e5674

SHA1
fd6fe5aafeb1d5b9994b3133579507f23948f555

SHA256
a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a

SHA512
0df765a5ead4c34d3e634a7a5b72203cf7d3c61e3720a343515e348850654684c743e04334feeee8bbb87089ae22edf32f37dfec888c9a3fda3a96e9c6af821c

Download Submit
C:\Users\Admin\AppData\Roaming\Adobeimg.exe
Filesize
1.1MB

MD5
9d7f8cd2078bb3f8f73236f51e1e5674

SHA1
fd6fe5aafeb1d5b9994b3133579507f23948f555

SHA256
a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a

SHA512
0df765a5ead4c34d3e634a7a5b72203cf7d3c61e3720a343515e348850654684c743e04334feeee8bbb87089ae22edf32f37dfec888c9a3fda3a96e9c6af821c

Download Submit
C:\Users\Admin\AppData\Roaming\Adobeimg.exe
Filesize
1.1MB

MD5
9d7f8cd2078bb3f8f73236f51e1e5674

SHA1
fd6fe5aafeb1d5b9994b3133579507f23948f555

SHA256
a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a

SHA512
0df765a5ead4c34d3e634a7a5b72203cf7d3c61e3720a343515e348850654684c743e04334feeee8bbb87089ae22edf32f37dfec888c9a3fda3a96e9c6af821c

Download Submit
\Users\Admin\AppData\Roaming\Adobeimg.exe
Filesize
1.1MB

MD5
9d7f8cd2078bb3f8f73236f51e1e5674

SHA1
fd6fe5aafeb1d5b9994b3133579507f23948f555

SHA256
a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a

SHA512
0df765a5ead4c34d3e634a7a5b72203cf7d3c61e3720a343515e348850654684c743e04334feeee8bbb87089ae22edf32f37dfec888c9a3fda3a96e9c6af821c

Download Submit
\Users\Admin\AppData\Roaming\Adobeimg.exe
Filesize
1.1MB

MD5
9d7f8cd2078bb3f8f73236f51e1e5674

SHA1
fd6fe5aafeb1d5b9994b3133579507f23948f555

SHA256
a8b8fb4481a5864ff034c55e3a01c94049ed90a06a66221d5dec3b118180fa9a

SHA512
0df765a5ead4c34d3e634a7a5b72203cf7d3c61e3720a343515e348850654684c743e04334feeee8bbb87089ae22edf32f37dfec888c9a3fda3a96e9c6af821c

Download Submit
memory/376-61-0x0000000000000000-mapping.dmp

Download
memory/548-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/548-55-0x00000000004082E8-mapping.dmp

Download
memory/868-54-0x00000000753D1000-0x00000000753D3000-memory.dmp

Filesize
8KB

Download
memory/868-56-0x00000000006E0000-0x00000000006E7000-memory.dmp

Filesize
28KB

Download
memory/1076-65-0x00000000004082E8-mapping.dmp

Download
memory/1076-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1076-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads