modiloader | d08128d1668185936a409284aacbdfed84d2127e15adbe4b3d1a39de37ac054a

General

Target

d08128d1668185936a409284aacbdfed84d2127e15adbe4b3d1a39de37ac054a.exe
Size

429KB
MD5

0de9d536408cc6b64279fe61647a9a3b
SHA1

63fa4bedbe88536a6d5dcc059e2930733b8806bb
SHA256

d08128d1668185936a409284aacbdfed84d2127e15adbe4b3d1a39de37ac054a
SHA512

0c671cdf13df64692c64d43f30f864870657c5d43906c6497a06bc6035012c8dea7bf43541cb3744c484fe77979cb6bba57f0502a400bbc66bcf3d2a53b359dd
SSDEEP

6144:sWrauokkwa+lHZcQHAB4+6qdrK4gt5MNsXhmwQXwRItnjqXoVYzlEp3e8o:uuox34a24gXM2hmwcwRItjqxzg3e

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

mstwain32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\serve turco.exe	modiloader_stage2
\Users\Admin\AppData\Local\Temp\serve turco.exe	modiloader_stage2
\Users\Admin\AppData\Local\Temp\serve turco.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\serve turco.exe	modiloader_stage2
\Users\Admin\AppData\Local\Temp\serve turco.exe	modiloader_stage2
C:\Windows\mstwain32.exe	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

serve turco.exemstwain32.exe

pid process

1608 serve turco.exe
668 mstwain32.exe

pid	process
1608	serve turco.exe
668	mstwain32.exe

Loads dropped DLL 3 IoCs

Processes:

d08128d1668185936a409284aacbdfed84d2127e15adbe4b3d1a39de37ac054a.exeserve turco.exe

pid	process
2044	d08128d1668185936a409284aacbdfed84d2127e15adbe4b3d1a39de37ac054a.exe
2044	d08128d1668185936a409284aacbdfed84d2127e15adbe4b3d1a39de37ac054a.exe
1608	serve turco.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mstwain32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	mstwain32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

serve turco.exemstwain32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	serve turco.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Drops file in Windows directory 4 IoCs

Processes:

serve turco.exemstwain32.exe

description	ioc	process
File created	C:\Windows\mstwain32.exe	serve turco.exe
File opened for modification	C:\Windows\mstwain32.exe	serve turco.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

serve turco.exevssvc.exemstwain32.exe

description	pid	process
Token: SeDebugPrivilege	1608	serve turco.exe
Token: SeBackupPrivilege	632	vssvc.exe
Token: SeRestorePrivilege	632	vssvc.exe
Token: SeAuditPrivilege	632	vssvc.exe
Token: SeDebugPrivilege	668	mstwain32.exe
Token: SeDebugPrivilege	668	mstwain32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

112 DllHost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mstwain32.exe

pid process

668 mstwain32.exe
668 mstwain32.exe

pid	process
112	DllHost.exe

pid	process
668	mstwain32.exe
668	mstwain32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d08128d1668185936a409284aacbdfed84d2127e15adbe4b3d1a39de37ac054a.exeserve turco.exe

description	pid	process	target process
PID 2044 wrote to memory of 1608	2044	d08128d1668185936a409284aacbdfed84d2127e15adbe4b3d1a39de37ac054a.exe	serve turco.exe
PID 2044 wrote to memory of 1608	2044	d08128d1668185936a409284aacbdfed84d2127e15adbe4b3d1a39de37ac054a.exe	serve turco.exe
PID 2044 wrote to memory of 1608	2044	d08128d1668185936a409284aacbdfed84d2127e15adbe4b3d1a39de37ac054a.exe	serve turco.exe
PID 2044 wrote to memory of 1608	2044	d08128d1668185936a409284aacbdfed84d2127e15adbe4b3d1a39de37ac054a.exe	serve turco.exe
PID 1608 wrote to memory of 668	1608	serve turco.exe	mstwain32.exe
PID 1608 wrote to memory of 668	1608	serve turco.exe	mstwain32.exe
PID 1608 wrote to memory of 668	1608	serve turco.exe	mstwain32.exe
PID 1608 wrote to memory of 668	1608	serve turco.exe	mstwain32.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

mstwain32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\d08128d1668185936a409284aacbdfed84d2127e15adbe4b3d1a39de37ac054a.exe
"C:\Users\Admin\AppData\Local\Temp\d08128d1668185936a409284aacbdfed84d2127e15adbe4b3d1a39de37ac054a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\serve turco.exe
  "C:\Users\Admin\AppData\Local\Temp\serve turco.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\serve turco.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:668

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\as-mais-gostosas-mulheres.jpg

Filesize
31KB

MD5
243aecd2164baac920a005520a712172

SHA1
a6e7ceed6089f218acf600b238a445d3f623e05d

SHA256
8cc18a371e6ed29f91ef55ca924f29c21f91025d97926c0dea238f9c86834483

SHA512
a4cad2ce3ec029aa967dac7d05163493d398bf478b804a5dedb6a7f27f735bbf519df014ceda2aa98255604c98d6cd5a7f76c7116c6d013c2903395532ca8080

Download Submit
C:\Users\Admin\AppData\Local\Temp\serve turco.exe

Filesize
270KB

MD5
ea018561e6a70e6fce6329699637f18d

SHA1
0fbf42e058a799ac7cab1f9d3a67303476aad86b

SHA256
fe03c4b0ce216a0f14550418bbceea2e02efbc130e0da7e64482d7cf13d2359f

SHA512
cb2f7949356fd5c3b55943652d10d945ef47503557f27befff93a89351ff7d7bfc0fce54ce1d077bcfbac7e58690ae4ff948c2d8b338ddba5053fb90208fdefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\serve turco.exe

Filesize
270KB

MD5
ea018561e6a70e6fce6329699637f18d

SHA1
0fbf42e058a799ac7cab1f9d3a67303476aad86b

SHA256
fe03c4b0ce216a0f14550418bbceea2e02efbc130e0da7e64482d7cf13d2359f

SHA512
cb2f7949356fd5c3b55943652d10d945ef47503557f27befff93a89351ff7d7bfc0fce54ce1d077bcfbac7e58690ae4ff948c2d8b338ddba5053fb90208fdefa

Download Submit
C:\Windows\mstwain32.exe

Filesize
270KB

MD5
ea018561e6a70e6fce6329699637f18d

SHA1
0fbf42e058a799ac7cab1f9d3a67303476aad86b

SHA256
fe03c4b0ce216a0f14550418bbceea2e02efbc130e0da7e64482d7cf13d2359f

SHA512
cb2f7949356fd5c3b55943652d10d945ef47503557f27befff93a89351ff7d7bfc0fce54ce1d077bcfbac7e58690ae4ff948c2d8b338ddba5053fb90208fdefa

Download Submit
\Users\Admin\AppData\Local\Temp\serve turco.exe

Filesize
270KB

MD5
ea018561e6a70e6fce6329699637f18d

SHA1
0fbf42e058a799ac7cab1f9d3a67303476aad86b

SHA256
fe03c4b0ce216a0f14550418bbceea2e02efbc130e0da7e64482d7cf13d2359f

SHA512
cb2f7949356fd5c3b55943652d10d945ef47503557f27befff93a89351ff7d7bfc0fce54ce1d077bcfbac7e58690ae4ff948c2d8b338ddba5053fb90208fdefa

Download Submit
\Users\Admin\AppData\Local\Temp\serve turco.exe

Filesize
270KB

MD5
ea018561e6a70e6fce6329699637f18d

SHA1
0fbf42e058a799ac7cab1f9d3a67303476aad86b

SHA256
fe03c4b0ce216a0f14550418bbceea2e02efbc130e0da7e64482d7cf13d2359f

SHA512
cb2f7949356fd5c3b55943652d10d945ef47503557f27befff93a89351ff7d7bfc0fce54ce1d077bcfbac7e58690ae4ff948c2d8b338ddba5053fb90208fdefa

Download Submit
\Users\Admin\AppData\Local\Temp\serve turco.exe

Filesize
270KB

MD5
ea018561e6a70e6fce6329699637f18d

SHA1
0fbf42e058a799ac7cab1f9d3a67303476aad86b

SHA256
fe03c4b0ce216a0f14550418bbceea2e02efbc130e0da7e64482d7cf13d2359f

SHA512
cb2f7949356fd5c3b55943652d10d945ef47503557f27befff93a89351ff7d7bfc0fce54ce1d077bcfbac7e58690ae4ff948c2d8b338ddba5053fb90208fdefa

Download Submit
memory/668-69-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/668-66-0x0000000000000000-mapping.dmp

Download
memory/1608-59-0x0000000000000000-mapping.dmp

Download
memory/2044-61-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download
memory/2044-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/2044-55-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads