modiloader | bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d

Analysis

max time kernel
184s
max time network
81s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe
Size

3.3MB
MD5

fff0cbc6f4ec205fabeba245be97d259
SHA1

499e4652cb5fbd91dabbdffa0b419c0f29d0daf6
SHA256

bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d
SHA512

79f247a035d8702bfa58a999315ac82834b0c2501386877e4edaf6a4d55c755a3037b648d4053af5adde62efa7eb3511aefe02668e2b1aedc8df6d2ff151973b
SSDEEP

49152:Xo0qDjr7L1GTxetCy+t+7qgXB0dIHpTlMk417qKVMsbiaZ7MU1zwibOUAbqWHldN:Xw7xi0tegOgXZHgNpfVZlwiyUAbXp

Score

10^/10

modiloader evasion trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

Internet Velox.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Internet Velox.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Internet Velox.exe

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/636-71-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/636-77-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

Internet Velox.exe

pid process

636 Internet Velox.exe

pid	process
636	Internet Velox.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Internet Velox.exe	upx
\Users\Admin\AppData\Local\Temp\Internet Velox.exe	upx
\Users\Admin\AppData\Local\Temp\Internet Velox.exe	upx
\Users\Admin\AppData\Local\Temp\Internet Velox.exe	upx
C:\Users\Admin\AppData\Local\Temp\Internet Velox.exe	upx
behavioral1/memory/636-71-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/636-77-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exeInternet Velox.exe

pid	process
1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe
1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe
1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe
1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe
636	Internet Velox.exe
636	Internet Velox.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Internet Velox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Internet Velox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Internet Velox.exe

Drops file in Windows directory 1 IoCs

Processes:

Internet Velox.exe

description ioc process

File created C:\Windows\VMPipe32.dll Internet Velox.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

780 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

520 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

520 vlc.exe

description	ioc	process
File created	C:\Windows\VMPipe32.dll	Internet Velox.exe

pid	process
780	NOTEPAD.EXE

pid	process
520	vlc.exe

pid	process
520	vlc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Internet Velox.exeAUDIODG.EXEvlc.exe

description	pid	process
Token: SeDebugPrivilege	636	Internet Velox.exe
Token: SeDebugPrivilege	636	Internet Velox.exe
Token: 33	928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	928	AUDIODG.EXE
Token: 33	928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	928	AUDIODG.EXE
Token: 33	520	vlc.exe
Token: SeIncBasePriorityPrivilege	520	vlc.exe
Token: 33	928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	928	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

vlc.exe

pid process

520 vlc.exe
520 vlc.exe
520 vlc.exe
520 vlc.exe
520 vlc.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

vlc.exe

pid process

520 vlc.exe
520 vlc.exe
520 vlc.exe
520 vlc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Internet Velox.exevlc.exe

pid process

636 Internet Velox.exe
636 Internet Velox.exe
520 vlc.exe

pid	process
520	vlc.exe
520	vlc.exe
520	vlc.exe
520	vlc.exe
520	vlc.exe

pid	process
520	vlc.exe
520	vlc.exe
520	vlc.exe
520	vlc.exe

pid	process
636	Internet Velox.exe
636	Internet Velox.exe
520	vlc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe

description	pid	process	target process
PID 1308 wrote to memory of 780	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	NOTEPAD.EXE
PID 1308 wrote to memory of 780	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	NOTEPAD.EXE
PID 1308 wrote to memory of 780	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	NOTEPAD.EXE
PID 1308 wrote to memory of 780	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	NOTEPAD.EXE
PID 1308 wrote to memory of 568	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	NOTEPAD.EXE
PID 1308 wrote to memory of 568	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	NOTEPAD.EXE
PID 1308 wrote to memory of 568	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	NOTEPAD.EXE
PID 1308 wrote to memory of 568	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	NOTEPAD.EXE
PID 1308 wrote to memory of 520	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	vlc.exe
PID 1308 wrote to memory of 520	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	vlc.exe
PID 1308 wrote to memory of 520	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	vlc.exe
PID 1308 wrote to memory of 520	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	vlc.exe
PID 1308 wrote to memory of 636	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	Internet Velox.exe
PID 1308 wrote to memory of 636	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	Internet Velox.exe
PID 1308 wrote to memory of 636	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	Internet Velox.exe
PID 1308 wrote to memory of 636	1308	bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe	Internet Velox.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

Internet Velox.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Internet Velox.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Internet Velox.exe

C:\Users\Admin\AppData\Local\Temp\bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe
"C:\Users\Admin\AppData\Local\Temp\bf9069558b9dfefd2aca618fba259e198233b944f11995eeb80dd953c079eb6d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\AdvancedOptions.ini
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:780
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Internet Velox.exe.log
  2⤵
  PID:568
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\13 - pra ser feliz.mp3"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:520
- C:\Users\Admin\AppData\Local\Temp\Internet Velox.exe
  "C:\Users\Admin\AppData\Local\Temp\Internet Velox.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x588
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13 - pra ser feliz.mp3

Filesize
2.9MB

MD5
5f8f42e1b05b4fbb2668f850cd023d4e

SHA1
d6f9da6e5c732af28d39a5c8f9ec7488a675b0a7

SHA256
6ad83446763ae9252fdaa4a1f9f5e56ded05c79e4b227a66899cf6cc0908ba71

SHA512
97bda4c464abc468cb35ace0831802614fcee2dd4cfb7e8084df662a53cb4cd8a2643d693b74f34f8ee4da42cf75137933ed2ca8ecc3c3e895a05ffbb9c39ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedOptions.ini

Filesize
65B

MD5
fc8ff7ea8d00b033b09a84e8a85d5441

SHA1
db7d2dee9a5bb33810a86b4a76bdb624d2ceea1c

SHA256
f1ee3b7fbbda0b5ca756d674575d6325e8c958270bf117e083acdc88fc429fa8

SHA512
0986915f0f09d273b91aac5091c05bf67e6eea7648659ef4becea14e8ce7382bfc79605fa4f0d9b7f33996eb8f4692f0d3004d5ffc93ce99dbe4d6566dff0120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Internet Velox.exe

Filesize
112KB

MD5
6a306ce9aeab69e8639da3317af58ca6

SHA1
7c9fd095881b820627e2fdb13e207ea547efeb43

SHA256
3922aaa8ad3bc0b6a0d03ecb156b475c55c40788c802de521099b7f5f319881f

SHA512
5b4115f84d8694e163fd298b944a9ddc1013707a19e2d45740f97ea7b0d0d2aa7c7472f8ffacc08703496643a538d898562e87cf03ae104734907d3462ff3fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Internet Velox.exe.log

Filesize
1KB

MD5
3ee8846d54804cb98306c4dda12526cc

SHA1
454ca4ed806901ffaa9e10dc1d5725f209264ad3

SHA256
fde2a9de3f5b6f02ca33e1d52d0214e139e487957399e593ebd8740bc89b1583

SHA512
231e26f06555000e13cb1f0abfdf77e1dccb6dfa1e807ac209770017c18f8691189a38e8a43356b38abd036ae1e1ddd23c720f82f4ac4e425ac38b6d8d546c2b

Download Submit
\Users\Admin\AppData\Local\Temp\Internet Velox.exe

Filesize
112KB

MD5
6a306ce9aeab69e8639da3317af58ca6

SHA1
7c9fd095881b820627e2fdb13e207ea547efeb43

SHA256
3922aaa8ad3bc0b6a0d03ecb156b475c55c40788c802de521099b7f5f319881f

SHA512
5b4115f84d8694e163fd298b944a9ddc1013707a19e2d45740f97ea7b0d0d2aa7c7472f8ffacc08703496643a538d898562e87cf03ae104734907d3462ff3fbd

Download Submit
\Users\Admin\AppData\Local\Temp\Internet Velox.exe

Filesize
112KB

MD5
6a306ce9aeab69e8639da3317af58ca6

SHA1
7c9fd095881b820627e2fdb13e207ea547efeb43

SHA256
3922aaa8ad3bc0b6a0d03ecb156b475c55c40788c802de521099b7f5f319881f

SHA512
5b4115f84d8694e163fd298b944a9ddc1013707a19e2d45740f97ea7b0d0d2aa7c7472f8ffacc08703496643a538d898562e87cf03ae104734907d3462ff3fbd

Download Submit
\Users\Admin\AppData\Local\Temp\Internet Velox.exe

Filesize
112KB

MD5
6a306ce9aeab69e8639da3317af58ca6

SHA1
7c9fd095881b820627e2fdb13e207ea547efeb43

SHA256
3922aaa8ad3bc0b6a0d03ecb156b475c55c40788c802de521099b7f5f319881f

SHA512
5b4115f84d8694e163fd298b944a9ddc1013707a19e2d45740f97ea7b0d0d2aa7c7472f8ffacc08703496643a538d898562e87cf03ae104734907d3462ff3fbd

Download Submit
\Users\Admin\AppData\Local\Temp\Internet Velox.exe

Filesize
112KB

MD5
6a306ce9aeab69e8639da3317af58ca6

SHA1
7c9fd095881b820627e2fdb13e207ea547efeb43

SHA256
3922aaa8ad3bc0b6a0d03ecb156b475c55c40788c802de521099b7f5f319881f

SHA512
5b4115f84d8694e163fd298b944a9ddc1013707a19e2d45740f97ea7b0d0d2aa7c7472f8ffacc08703496643a538d898562e87cf03ae104734907d3462ff3fbd

Download Submit
\Users\Admin\AppData\Local\Temp\cmsetac.dll

Filesize
33KB

MD5
0384279c006309e9fbd6954daeca38c9

SHA1
94c913c2a2342c329abf74f9277b5e8f2ba841e1

SHA256
0f6cd1819eece1e4dadae8756042a551613573c91093403721cac52b829d7ccf

SHA512
8ad8b849bd61f956f732be7c944db927d3dea28778dac14346890bd4ba8bf3f37598151544d75906e1494202be68b661b6521648485b0d02120fa1bd46a81b05

Download Submit
\Users\Admin\AppData\Local\Temp\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/520-75-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/520-60-0x0000000000000000-mapping.dmp

Download
memory/568-57-0x0000000000000000-mapping.dmp

Download
memory/636-67-0x0000000000000000-mapping.dmp

Download
memory/636-77-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/636-71-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/636-74-0x0000000002250000-0x000000000225E000-memory.dmp

Filesize
56KB

Download
memory/780-56-0x0000000000000000-mapping.dmp

Download
memory/1308-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/1308-55-0x0000000000400000-0x000000000074697F-memory.dmp

Filesize
3.3MB

Download
memory/1308-69-0x0000000000400000-0x000000000074697F-memory.dmp

Filesize
3.3MB

Download