modiloader | 8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec

General

Target

8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe
Size

600KB
MD5

8db7b858c7e2581239fd55d3b17ea6b6
SHA1

2fed1b2cd7cd7520690ccc18af3dea90e98c0c52
SHA256

8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec
SHA512

c53e65afc44a26b3d96bafad41bb0b2417633dae969ca10f343a3a1ee7796245f8734e120d8d0d91c5910e90ff1d76640ba253b060be74289de1f8c0839da274
SSDEEP

12288:ze7gTNWbEXggkOJIFLhkp8RRyxtaTdfBgNDSpjHNEP:ze7gtqO+hkp8RRA8QdgH

Score

10^/10

modiloader evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Odin.exe

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/2216-146-0x0000000000400000-0x000000000045B000-memory.dmp	modiloader_stage2
behavioral2/memory/1292-153-0x0000000000400000-0x000000000045B000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2216	Odin.exe
1292	Odin.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0001000000022dff-139.dat	upx
behavioral2/files/0x0001000000022dff-140.dat	upx
behavioral2/files/0x0001000000022e03-143.dat	upx
behavioral2/files/0x0001000000022e03-144.dat	upx
behavioral2/memory/1292-145-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2216-146-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1292-153-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Odin.exe

Loads dropped DLL 4 IoCs

pid	Process
1292	Odin.exe
1292	Odin.exe
1292	Odin.exe
1292	Odin.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Odin = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System\\Services\\Odin.exe"	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Odin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Odin.exe = "C:\\Windows\\Odin.exe"	Odin.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Odin = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System\\Services\\Odin.exe"	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Odin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Odin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Odin.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 2372	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe	81

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Odin.exe	Odin.exe
File opened for modification	C:\Windows\Odin.exe	Odin.exe
File created	C:\Windows\ntdtcstp.dll	Odin.exe
File created	C:\Windows\cmsetac.dll	Odin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe
1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe
1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe
1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe
1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe
1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe
1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe
Token: SeDebugPrivilege	2216	Odin.exe
Token: SeDebugPrivilege	1292	Odin.exe
Token: SeDebugPrivilege	1292	Odin.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2372	vbc.exe
2372	vbc.exe
1292	Odin.exe
1292	Odin.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2372	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe	81
PID 1688 wrote to memory of 2372	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe	81
PID 1688 wrote to memory of 2372	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe	81
PID 1688 wrote to memory of 2372	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe	81
PID 1688 wrote to memory of 2372	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe	81
PID 1688 wrote to memory of 2372	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe	81
PID 1688 wrote to memory of 2372	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe	81
PID 1688 wrote to memory of 2372	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe	81
PID 1688 wrote to memory of 2372	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe	81
PID 1688 wrote to memory of 2372	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe	81
PID 1688 wrote to memory of 2216	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe	82
PID 1688 wrote to memory of 2216	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe	82
PID 1688 wrote to memory of 2216	1688	8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe	82
PID 2216 wrote to memory of 1292	2216	Odin.exe	83
PID 2216 wrote to memory of 1292	2216	Odin.exe	83
PID 2216 wrote to memory of 1292	2216	Odin.exe	83

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Odin.exe

C:\Users\Admin\AppData\Local\Temp\8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe
"C:\Users\Admin\AppData\Local\Temp\8a12036cbaf518ed43242bbab14352564b092d122a13526ac66646a818b815ec.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\Odin.exe
  "C:\Users\Admin\AppData\Local\Temp\Odin.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\Odin.exe
    "C:\Windows\Odin.exe" \melt "C:\Users\Admin\AppData\Local\Temp\Odin.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Odin.exe

Filesize
132KB

MD5
870bc9180b9a9d7e7f096eff5529a265

SHA1
9b7e7881133cb9fd807983b882f0f199835eeda6

SHA256
15e71c16877ffabb280c7f9bbe27be97d54f90f43b6e8140ad697db5784133fa

SHA512
557e683d911c9408659b597a03386e282054c1fae3ce66114c448209b1c6a34d1a6cde00df52a51d20c6cee1f1505b0450777c66ad05aa0897fd1a0d92c1c67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Odin.exe

Filesize
132KB

MD5
870bc9180b9a9d7e7f096eff5529a265

SHA1
9b7e7881133cb9fd807983b882f0f199835eeda6

SHA256
15e71c16877ffabb280c7f9bbe27be97d54f90f43b6e8140ad697db5784133fa

SHA512
557e683d911c9408659b597a03386e282054c1fae3ce66114c448209b1c6a34d1a6cde00df52a51d20c6cee1f1505b0450777c66ad05aa0897fd1a0d92c1c67d

Download Submit
C:\Windows\Odin.exe

Filesize
132KB

MD5
870bc9180b9a9d7e7f096eff5529a265

SHA1
9b7e7881133cb9fd807983b882f0f199835eeda6

SHA256
15e71c16877ffabb280c7f9bbe27be97d54f90f43b6e8140ad697db5784133fa

SHA512
557e683d911c9408659b597a03386e282054c1fae3ce66114c448209b1c6a34d1a6cde00df52a51d20c6cee1f1505b0450777c66ad05aa0897fd1a0d92c1c67d

Download Submit
C:\Windows\Odin.exe

Filesize
132KB

MD5
870bc9180b9a9d7e7f096eff5529a265

SHA1
9b7e7881133cb9fd807983b882f0f199835eeda6

SHA256
15e71c16877ffabb280c7f9bbe27be97d54f90f43b6e8140ad697db5784133fa

SHA512
557e683d911c9408659b597a03386e282054c1fae3ce66114c448209b1c6a34d1a6cde00df52a51d20c6cee1f1505b0450777c66ad05aa0897fd1a0d92c1c67d

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
2cf350c3426c3087992b0f1a0d9071e5

SHA1
71e3c20a3eea04398449c3c839852beb222ef7d8

SHA256
4f446ecdea16298c35583e2f71ccd68ccb7f862f545c8d7410c70fe56a4f8fb7

SHA512
71381277280df86796873b6cb0b3b69c7e7aff4a124249979a4619443102937925f237c603ec527726027921f4439479cc328ed0a44e041d1ae7bd48b0ab92b0

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
2cf350c3426c3087992b0f1a0d9071e5

SHA1
71e3c20a3eea04398449c3c839852beb222ef7d8

SHA256
4f446ecdea16298c35583e2f71ccd68ccb7f862f545c8d7410c70fe56a4f8fb7

SHA512
71381277280df86796873b6cb0b3b69c7e7aff4a124249979a4619443102937925f237c603ec527726027921f4439479cc328ed0a44e041d1ae7bd48b0ab92b0

Download Submit
C:\Windows\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
C:\Windows\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/1292-151-0x0000000002350000-0x000000000235E000-memory.dmp

Filesize
56KB

Download
memory/1292-153-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1292-145-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1688-141-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/1688-132-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/2216-146-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2372-136-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2372-134-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2372-135-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2372-152-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2372-137-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads