modiloader | 8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab

General

Target

8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
Size

152KB
MD5

6a84ec274e8595f449d95f02e0fdb273
SHA1

1a1c5a0ddda2e647f001abe03c6e39c68a722f06
SHA256

8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab
SHA512

a9ed4eb75a4e9996b538dc9527f75b0964318c513f43b6763bb1904263c26efb59a18712731d8138b9fa09c9380f84715db8c54acbc3748b8f71e1e2cc8a77f2
SSDEEP

3072:Q8tzAqPq2m2GHL84cjsgXD8cwgOcBFEiawf9EiBNrmB+0b0vCp42FwQYnqZPSAaZ:Q5Gom3O1XYqNMQ

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

MicrosoftRarArc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "userinit.exe,C:\\Windows\\MicrosoftRarArc.exe"	MicrosoftRarArc.exe

ModiLoader Second Stage 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/588-65-0x0000000030000000-0x0000000030035000-memory.dmp	modiloader_stage2
behavioral1/memory/588-66-0x0000000030000000-0x0000000030035000-memory.dmp	modiloader_stage2
behavioral1/memory/588-68-0x0000000030000000-0x0000000030035000-memory.dmp	modiloader_stage2
behavioral1/memory/292-80-0x0000000030000000-0x0000000030035000-memory.dmp	modiloader_stage2
behavioral1/memory/292-81-0x0000000030000000-0x0000000030035000-memory.dmp	modiloader_stage2
behavioral1/memory/292-82-0x0000000030000000-0x0000000030035000-memory.dmp	modiloader_stage2

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/588-57-0x0000000030000000-0x0000000030035000-memory.dmp	upx
behavioral1/memory/588-59-0x0000000030000000-0x0000000030035000-memory.dmp	upx
behavioral1/memory/588-60-0x0000000030000000-0x0000000030035000-memory.dmp	upx
behavioral1/memory/588-62-0x0000000030000000-0x0000000030035000-memory.dmp	upx
behavioral1/memory/588-64-0x0000000030000000-0x0000000030035000-memory.dmp	upx
behavioral1/memory/588-65-0x0000000030000000-0x0000000030035000-memory.dmp	upx
behavioral1/memory/588-66-0x0000000030000000-0x0000000030035000-memory.dmp	upx
behavioral1/memory/588-68-0x0000000030000000-0x0000000030035000-memory.dmp	upx
behavioral1/memory/292-79-0x0000000030000000-0x0000000030035000-memory.dmp	upx
behavioral1/memory/292-80-0x0000000030000000-0x0000000030035000-memory.dmp	upx
behavioral1/memory/292-81-0x0000000030000000-0x0000000030035000-memory.dmp	upx
behavioral1/memory/292-82-0x0000000030000000-0x0000000030035000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MicrosoftRarArc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	MicrosoftRarArc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicrosoftRarArc = "C:\\Windows\\MicrosoftRarArc.exe"	MicrosoftRarArc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exeMicrosoftRarArc.exe

description	pid	process	target process
PID 520 set thread context of 588	520	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
PID 572 set thread context of 292	572	MicrosoftRarArc.exe	MicrosoftRarArc.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe

pid process

588 8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

MicrosoftRarArc.exe

pid process

292 MicrosoftRarArc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exeMicrosoftRarArc.exeMicrosoftRarArc.exe

pid process

520 8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
572 MicrosoftRarArc.exe
292 MicrosoftRarArc.exe

pid	process
588	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe

pid	process
292	MicrosoftRarArc.exe

pid	process
520	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
572	MicrosoftRarArc.exe
292	MicrosoftRarArc.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exeMicrosoftRarArc.exeMicrosoftRarArc.exe

description	pid	process	target process
PID 520 wrote to memory of 588	520	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
PID 520 wrote to memory of 588	520	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
PID 520 wrote to memory of 588	520	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
PID 520 wrote to memory of 588	520	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
PID 520 wrote to memory of 588	520	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
PID 520 wrote to memory of 588	520	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
PID 520 wrote to memory of 588	520	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
PID 520 wrote to memory of 588	520	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
PID 588 wrote to memory of 572	588	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe	MicrosoftRarArc.exe
PID 588 wrote to memory of 572	588	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe	MicrosoftRarArc.exe
PID 588 wrote to memory of 572	588	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe	MicrosoftRarArc.exe
PID 588 wrote to memory of 572	588	8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe	MicrosoftRarArc.exe
PID 572 wrote to memory of 292	572	MicrosoftRarArc.exe	MicrosoftRarArc.exe
PID 572 wrote to memory of 292	572	MicrosoftRarArc.exe	MicrosoftRarArc.exe
PID 572 wrote to memory of 292	572	MicrosoftRarArc.exe	MicrosoftRarArc.exe
PID 572 wrote to memory of 292	572	MicrosoftRarArc.exe	MicrosoftRarArc.exe
PID 572 wrote to memory of 292	572	MicrosoftRarArc.exe	MicrosoftRarArc.exe
PID 572 wrote to memory of 292	572	MicrosoftRarArc.exe	MicrosoftRarArc.exe
PID 572 wrote to memory of 292	572	MicrosoftRarArc.exe	MicrosoftRarArc.exe
PID 572 wrote to memory of 292	572	MicrosoftRarArc.exe	MicrosoftRarArc.exe
PID 292 wrote to memory of 1372	292	MicrosoftRarArc.exe	Explorer.EXE
PID 292 wrote to memory of 1372	292	MicrosoftRarArc.exe	Explorer.EXE
PID 292 wrote to memory of 1372	292	MicrosoftRarArc.exe	Explorer.EXE
PID 292 wrote to memory of 1372	292	MicrosoftRarArc.exe	Explorer.EXE
PID 292 wrote to memory of 1372	292	MicrosoftRarArc.exe	Explorer.EXE
PID 292 wrote to memory of 1372	292	MicrosoftRarArc.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
"C:\Users\Admin\AppData\Local\Temp\8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Local\Temp\8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
C:\Users\Admin\AppData\Local\Temp\8b98cf043c6e4bca4d3bb3d29bf69e4ecf6ae65ea8fdb96743015a7169a9e3ab.exe
3⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\MicrosoftRarArc.exe
-bs
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\MicrosoftRarArc.exe
C:\Windows\MicrosoftRarArc.exe
5⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/292-82-0x0000000030000000-0x0000000030035000-memory.dmp

Filesize
212KB

Download
memory/292-81-0x0000000030000000-0x0000000030035000-memory.dmp

Filesize
212KB

Download
memory/292-80-0x0000000030000000-0x0000000030035000-memory.dmp

Filesize
212KB

Download
memory/292-79-0x0000000030000000-0x0000000030035000-memory.dmp

Filesize
212KB

Download
memory/292-76-0x00000000300332F0-mapping.dmp

Download
memory/572-67-0x0000000000000000-mapping.dmp

Download
memory/588-61-0x00000000300332F0-mapping.dmp

Download
memory/588-64-0x0000000030000000-0x0000000030035000-memory.dmp

Filesize
212KB

Download
memory/588-65-0x0000000030000000-0x0000000030035000-memory.dmp

Filesize
212KB

Download
memory/588-66-0x0000000030000000-0x0000000030035000-memory.dmp

Filesize
212KB

Download
memory/588-63-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download
memory/588-68-0x0000000030000000-0x0000000030035000-memory.dmp

Filesize
212KB

Download
memory/588-62-0x0000000030000000-0x0000000030035000-memory.dmp

Filesize
212KB

Download
memory/588-56-0x0000000030000000-0x0000000030035000-memory.dmp

Filesize
212KB

Download
memory/588-60-0x0000000030000000-0x0000000030035000-memory.dmp

Filesize
212KB

Download
memory/588-59-0x0000000030000000-0x0000000030035000-memory.dmp

Filesize
212KB

Download
memory/588-57-0x0000000030000000-0x0000000030035000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads