modiloader | 8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27

General

Target

8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe
Size

128KB
MD5

71551782d47b92b80486f82e858b1ed2
SHA1

e4a0e060964ea2a20d0d2840b88b352d84157953
SHA256

8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27
SHA512

d91501c79018cd042dce05bf3d93fc4efe67e4f10877825242c705dce3b719fd0f1af5a4a29eb29f76672322771cad560a7d702789daa086c1291450979da756
SSDEEP

1536:iT5P8baNnG32h4lUnGUK7PeB5/qKbFUt3x/BNgfZKKha3luHBVZx84WQmyyyb2I9:Qqd2h4XLPq9bFcgfIKhaVCiEQ0dj6c

Score

10^/10

modiloader evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

mstwain32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/844-71-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/1076-73-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/1076-74-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

MSN.exemstwain32.exe

pid process

844 MSN.exe
1076 mstwain32.exe

pid	process
844	MSN.exe
1076	mstwain32.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MSN.exe	upx
\Users\Admin\AppData\Local\Temp\MSN.exe	upx
C:\Users\Admin\AppData\Local\Temp\MSN.exe	upx
behavioral1/memory/844-65-0x0000000000400000-0x0000000000450000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MSN.exe	upx
\Users\Admin\AppData\Local\Temp\MSN.exe	upx
C:\Windows\mstwain32.exe	upx
behavioral1/memory/844-71-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1076-73-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1076-74-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exeMSN.exe

pid	process
1500	8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe
1500	8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe
844	MSN.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mstwain32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	mstwain32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mstwain32.exeMSN.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSN.exe

Drops file in Windows directory 4 IoCs

Processes:

mstwain32.exeMSN.exe

description	ioc	process
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe
File created	C:\Windows\mstwain32.exe	MSN.exe
File opened for modification	C:\Windows\mstwain32.exe	MSN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

556 1500 WerFault.exe 8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe

pid	pid_target	process	target process
556	1500	WerFault.exe	8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

MSN.exevssvc.exemstwain32.exe

description	pid	process
Token: SeDebugPrivilege	844	MSN.exe
Token: SeBackupPrivilege	1956	vssvc.exe
Token: SeRestorePrivilege	1956	vssvc.exe
Token: SeAuditPrivilege	1956	vssvc.exe
Token: SeDebugPrivilege	1076	mstwain32.exe
Token: SeDebugPrivilege	1076	mstwain32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exemstwain32.exe

pid process

1500 8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe
1076 mstwain32.exe
1076 mstwain32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exeMSN.exe

description	pid	process	target process
PID 1500 wrote to memory of 844	1500	8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe	MSN.exe
PID 1500 wrote to memory of 844	1500	8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe	MSN.exe
PID 1500 wrote to memory of 844	1500	8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe	MSN.exe
PID 1500 wrote to memory of 844	1500	8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe	MSN.exe
PID 1500 wrote to memory of 556	1500	8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe	WerFault.exe
PID 1500 wrote to memory of 556	1500	8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe	WerFault.exe
PID 1500 wrote to memory of 556	1500	8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe	WerFault.exe
PID 1500 wrote to memory of 556	1500	8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe	WerFault.exe
PID 844 wrote to memory of 1076	844	MSN.exe	mstwain32.exe
PID 844 wrote to memory of 1076	844	MSN.exe	mstwain32.exe
PID 844 wrote to memory of 1076	844	MSN.exe	mstwain32.exe
PID 844 wrote to memory of 1076	844	MSN.exe	mstwain32.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

mstwain32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe
"C:\Users\Admin\AppData\Local\Temp\8f8653112816d42653f9b33330762c3116fff6b9b844c82bbdf719516bc08b27.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\MSN.exe
  "C:\Users\Admin\AppData\Local\Temp\MSN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\MSN.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 472
  2⤵
  - Program crash
  PID:556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSN.exe

Filesize
108KB

MD5
0a24d944a7fdf31f7a1986a6aa5e022a

SHA1
adab0c3b351fa9cdf2c258575873ba7aeec980f8

SHA256
3a869a5b68cf58ca853c6fc10363cb249017c8c88abb3ee332c54407aac00c0a

SHA512
5e7115e7591facbf3a4235d61411efe1633f2d99145f99ebe6ac7d48a01a44ca624c5efc2873876dcb8991558c4f3f28c9ba52bb6947d8669a940f47115cfffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSN.exe

Filesize
108KB

MD5
0a24d944a7fdf31f7a1986a6aa5e022a

SHA1
adab0c3b351fa9cdf2c258575873ba7aeec980f8

SHA256
3a869a5b68cf58ca853c6fc10363cb249017c8c88abb3ee332c54407aac00c0a

SHA512
5e7115e7591facbf3a4235d61411efe1633f2d99145f99ebe6ac7d48a01a44ca624c5efc2873876dcb8991558c4f3f28c9ba52bb6947d8669a940f47115cfffc

Download Submit
C:\Windows\mstwain32.exe

Filesize
108KB

MD5
0a24d944a7fdf31f7a1986a6aa5e022a

SHA1
adab0c3b351fa9cdf2c258575873ba7aeec980f8

SHA256
3a869a5b68cf58ca853c6fc10363cb249017c8c88abb3ee332c54407aac00c0a

SHA512
5e7115e7591facbf3a4235d61411efe1633f2d99145f99ebe6ac7d48a01a44ca624c5efc2873876dcb8991558c4f3f28c9ba52bb6947d8669a940f47115cfffc

Download Submit
\Users\Admin\AppData\Local\Temp\MSN.exe

Filesize
108KB

MD5
0a24d944a7fdf31f7a1986a6aa5e022a

SHA1
adab0c3b351fa9cdf2c258575873ba7aeec980f8

SHA256
3a869a5b68cf58ca853c6fc10363cb249017c8c88abb3ee332c54407aac00c0a

SHA512
5e7115e7591facbf3a4235d61411efe1633f2d99145f99ebe6ac7d48a01a44ca624c5efc2873876dcb8991558c4f3f28c9ba52bb6947d8669a940f47115cfffc

Download Submit
\Users\Admin\AppData\Local\Temp\MSN.exe

Filesize
108KB

MD5
0a24d944a7fdf31f7a1986a6aa5e022a

SHA1
adab0c3b351fa9cdf2c258575873ba7aeec980f8

SHA256
3a869a5b68cf58ca853c6fc10363cb249017c8c88abb3ee332c54407aac00c0a

SHA512
5e7115e7591facbf3a4235d61411efe1633f2d99145f99ebe6ac7d48a01a44ca624c5efc2873876dcb8991558c4f3f28c9ba52bb6947d8669a940f47115cfffc

Download Submit
\Users\Admin\AppData\Local\Temp\MSN.exe

Filesize
108KB

MD5
0a24d944a7fdf31f7a1986a6aa5e022a

SHA1
adab0c3b351fa9cdf2c258575873ba7aeec980f8

SHA256
3a869a5b68cf58ca853c6fc10363cb249017c8c88abb3ee332c54407aac00c0a

SHA512
5e7115e7591facbf3a4235d61411efe1633f2d99145f99ebe6ac7d48a01a44ca624c5efc2873876dcb8991558c4f3f28c9ba52bb6947d8669a940f47115cfffc

Download Submit
memory/556-61-0x0000000000000000-mapping.dmp

Download
memory/844-59-0x0000000000000000-mapping.dmp

Download
memory/844-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/844-71-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1076-72-0x0000000001D90000-0x0000000001D9E000-memory.dmp

Filesize
56KB

Download
memory/1076-74-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1076-68-0x0000000000000000-mapping.dmp

Download
memory/1076-73-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1500-63-0x0000000002C60000-0x0000000002CB0000-memory.dmp

Filesize
320KB

Download
memory/1500-56-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1500-62-0x0000000002C60000-0x0000000002CB0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads