modiloader | 1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1

General

Target

1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe
Size

796KB
MD5

cc1f35abf0ac45512c14e9e5e9d89d88
SHA1

37f75a3c110580bc12f49b79866bf59215b71682
SHA256

1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1
SHA512

35b498bc14a0d6fdeccf6efae8cbb6c2ca097ada6108d68b166e1be1148ab33c94db50ccacbc7f52f093f1eba2900cea461385da10d820856703ecb6cbf31e34
SSDEEP

12288:khkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4a90+9paqledIne/Ny:8RmJkcoQricOIQxiZY1ia90Nef

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1868-136-0x0000000000400000-0x0000000000420000-memory.dmp	modiloader_stage2
behavioral2/memory/1868-137-0x0000000000400000-0x0000000000420000-memory.dmp	modiloader_stage2
behavioral2/memory/1868-141-0x0000000000400000-0x0000000000420000-memory.dmp	modiloader_stage2
behavioral2/memory/4904-147-0x0000000000400000-0x0000000000420000-memory.dmp	modiloader_stage2
behavioral2/memory/4904-148-0x0000000000400000-0x0000000000420000-memory.dmp	modiloader_stage2
behavioral2/memory/4904-149-0x0000000000400000-0x0000000000420000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

4444 svchost.exe
4904 svchost.exe

pid	process
4444	svchost.exe
4904	svchost.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1868-133-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1868-135-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1868-136-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1868-137-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1868-141-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4904-146-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4904-147-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4904-148-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4904-149-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows live = "C:\\Users\\Admin\\Documents\\Windows\\svchost.exe"	svchost.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\Documents\Windows\svchost.exe	autoit_exe
C:\Users\Admin\Documents\Windows\svchost.exe	autoit_exe
C:\Users\Admin\Documents\Windows\svchost.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exesvchost.exe

description	pid	process	target process
PID 4512 set thread context of 1868	4512	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe
PID 4444 set thread context of 4904	4444	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exesvchost.exe

description	pid	process	target process
PID 4512 wrote to memory of 1868	4512	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe
PID 4512 wrote to memory of 1868	4512	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe
PID 4512 wrote to memory of 1868	4512	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe
PID 4512 wrote to memory of 1868	4512	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe
PID 4512 wrote to memory of 1868	4512	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe
PID 1868 wrote to memory of 4444	1868	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe	svchost.exe
PID 1868 wrote to memory of 4444	1868	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe	svchost.exe
PID 1868 wrote to memory of 4444	1868	1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe	svchost.exe
PID 4444 wrote to memory of 4904	4444	svchost.exe	svchost.exe
PID 4444 wrote to memory of 4904	4444	svchost.exe	svchost.exe
PID 4444 wrote to memory of 4904	4444	svchost.exe	svchost.exe
PID 4444 wrote to memory of 4904	4444	svchost.exe	svchost.exe
PID 4444 wrote to memory of 4904	4444	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe
"C:\Users\Admin\AppData\Local\Temp\1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Local\Temp\1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe
  "C:\Users\Admin\AppData\Local\Temp\1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Users\Admin\Documents\Windows\svchost.exe
    "C:\Users\Admin\Documents\Windows\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Users\Admin\Documents\Windows\svchost.exe
      "C:\Users\Admin\Documents\Windows\svchost.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Windows\svchost.exe

Filesize
796KB

MD5
cc1f35abf0ac45512c14e9e5e9d89d88

SHA1
37f75a3c110580bc12f49b79866bf59215b71682

SHA256
1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1

SHA512
35b498bc14a0d6fdeccf6efae8cbb6c2ca097ada6108d68b166e1be1148ab33c94db50ccacbc7f52f093f1eba2900cea461385da10d820856703ecb6cbf31e34

Download Submit
C:\Users\Admin\Documents\Windows\svchost.exe

Filesize
796KB

MD5
cc1f35abf0ac45512c14e9e5e9d89d88

SHA1
37f75a3c110580bc12f49b79866bf59215b71682

SHA256
1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1

SHA512
35b498bc14a0d6fdeccf6efae8cbb6c2ca097ada6108d68b166e1be1148ab33c94db50ccacbc7f52f093f1eba2900cea461385da10d820856703ecb6cbf31e34

Download Submit
C:\Users\Admin\Documents\Windows\svchost.exe

Filesize
796KB

MD5
cc1f35abf0ac45512c14e9e5e9d89d88

SHA1
37f75a3c110580bc12f49b79866bf59215b71682

SHA256
1c569d8d5c81aa78f132a3f26430c35a166a16c11d8d3347f5d67a7dccdf90b1

SHA512
35b498bc14a0d6fdeccf6efae8cbb6c2ca097ada6108d68b166e1be1148ab33c94db50ccacbc7f52f093f1eba2900cea461385da10d820856703ecb6cbf31e34

Download Submit
memory/1868-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1868-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1868-132-0x0000000000000000-mapping.dmp

Download
memory/1868-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1868-141-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1868-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4444-138-0x0000000000000000-mapping.dmp

Download
memory/4904-142-0x0000000000000000-mapping.dmp

Download
memory/4904-146-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4904-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4904-148-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4904-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads