modiloader | ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc

General

Target

ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe
Size

352KB
MD5

7a60ce64e7fd84d41e2852c0b26f8694
SHA1

b7099c4e097d060f296748bc14ef93d9b4243fa0
SHA256

ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc
SHA512

df9561e92aedcf1812118cb3a50ab3b039315189ca39a059a1d3593b18dbba2626b9da3b10ac99ad6d6f547d9062fa66218799fb770a3d9c8dab8a88478e913d
SSDEEP

3072:CPkV3CEwdOR51PCjVmDIjnUCL/PR76xUUA51RRpaZntcVjy/DU6W4ij0UiJd9QTw:CN1oZn+VGrU68xe9QTl+t1gZn9vMikbf

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4304 4916 mshta.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	4916	mshta.exe

ModiLoader Second Stage 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1204-134-0x0000000000000000-mapping.dmp	modiloader_stage2
behavioral2/memory/1204-135-0x0000000000400000-0x000000000043A000-memory.dmp	modiloader_stage2
behavioral2/memory/1204-137-0x0000000000400000-0x000000000043A000-memory.dmp	modiloader_stage2
behavioral2/memory/1204-138-0x0000000000400000-0x000000000043A000-memory.dmp	modiloader_stage2
behavioral2/memory/1204-139-0x00000000009C0000-0x0000000000A96000-memory.dmp	modiloader_stage2
behavioral2/memory/1204-142-0x00000000009C0000-0x0000000000A96000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe

description	pid	process	target process
PID 2992 set thread context of 1204	2992	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

212 powershell.exe
212 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 212 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe

pid process

2992 ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe

pid	process
212	powershell.exe
212	powershell.exe

description	pid	process
Token: SeDebugPrivilege	212	powershell.exe

pid	process
2992	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exemshta.exe

description	pid	process	target process
PID 2992 wrote to memory of 1204	2992	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe
PID 2992 wrote to memory of 1204	2992	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe
PID 2992 wrote to memory of 1204	2992	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe
PID 2992 wrote to memory of 1204	2992	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe
PID 2992 wrote to memory of 1204	2992	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe
PID 2992 wrote to memory of 1204	2992	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe
PID 2992 wrote to memory of 1204	2992	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe
PID 2992 wrote to memory of 1204	2992	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe
PID 2992 wrote to memory of 1204	2992	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe
PID 2992 wrote to memory of 1204	2992	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe	ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe
PID 4304 wrote to memory of 212	4304	mshta.exe	powershell.exe
PID 4304 wrote to memory of 212	4304	mshta.exe	powershell.exe
PID 4304 wrote to memory of 212	4304	mshta.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe
"C:\Users\Admin\AppData\Local\Temp\ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe
  "C:\Users\Admin\AppData\Local\Temp\ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc.exe"
  2⤵
  PID:1204

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:M1mdexh="x";v1m=new%20ActiveXObject("WScript.Shell");kjoA2X="I2qrEy";ud8yn8=v1m.RegRead("HKLM\\software\\Wow6432Node\\nxsDvx\\mWDqhgl");xv1iIFH="7yK1d";eval(ud8yn8);s8bbeT1="4Ku";
1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:kydpfvc
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-145-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/212-150-0x0000000006930000-0x000000000694A000-memory.dmp

Filesize
104KB

Download
memory/212-149-0x0000000007B70000-0x00000000081EA000-memory.dmp

Filesize
6.5MB

Download
memory/212-148-0x00000000063E0000-0x00000000063FE000-memory.dmp

Filesize
120KB

Download
memory/212-147-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/212-141-0x0000000000000000-mapping.dmp

Download
memory/212-146-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/212-143-0x00000000050B0000-0x00000000050E6000-memory.dmp

Filesize
216KB

Download
memory/212-144-0x0000000005720000-0x0000000005D48000-memory.dmp

Filesize
6.2MB

Download
memory/1204-138-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1204-142-0x00000000009C0000-0x0000000000A96000-memory.dmp

Filesize
856KB

Download
memory/1204-139-0x00000000009C0000-0x0000000000A96000-memory.dmp

Filesize
856KB

Download
memory/1204-134-0x0000000000000000-mapping.dmp

Download
memory/1204-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1204-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads