modiloader | ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b

General

Target

ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe
Size

1.0MB
MD5

a78b2948e43a73a409dc15c09eaebaeb
SHA1

2c5609fef93f10e3f30fc3453e6f7c680778699a
SHA256

ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b
SHA512

22a1be03dab0b6e866c48bc91866ce66ba269a50bf6e0d44f4925fc9152db763781f759968a8648d9e764f91d3e205dc58654684ab05b549c7d9a228b6782554
SSDEEP

24576:E8/BzEyAlqTf2yn6sJvC7RR1EmXXTQUlTRWc+:Ew6gw7RfTdlTRWc+

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1132-55-0x0000000000400000-0x000000000050A600-memory.dmp	modiloader_stage2
behavioral1/memory/1132-56-0x0000000000400000-0x000000000050A600-memory.dmp	modiloader_stage2
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice101.exe	modiloader_stage2
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice101.exe	modiloader_stage2
C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice101.exe	modiloader_stage2
C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	modiloader_stage2
behavioral1/memory/1132-63-0x0000000002EE0000-0x0000000002FEB000-memory.dmp	modiloader_stage2
behavioral1/memory/684-65-0x0000000000400000-0x000000000050A600-memory.dmp	modiloader_stage2
behavioral1/memory/1268-68-0x0000000000400000-0x000000000050B000-memory.dmp	modiloader_stage2
behavioral1/memory/684-70-0x0000000000400000-0x000000000050A600-memory.dmp	modiloader_stage2
behavioral1/memory/1132-72-0x0000000000400000-0x000000000050A600-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

rejoice101.exe

pid process

684 rejoice101.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

892 cmd.exe

pid	process
684	rejoice101.exe

pid	process
892	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe

pid	process
1132	ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe
1132	ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe

Drops file in System32 directory 2 IoCs

Processes:

rejoice101.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_rejoice101.exe	rejoice101.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice101.exe	rejoice101.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

rejoice101.exe

description	pid	process	target process
PID 684 set thread context of 1268	684	rejoice101.exe	calc.exe
PID 684 set thread context of 900	684	rejoice101.exe	IEXPLORE.EXE

Drops file in Program Files directory 3 IoCs

Processes:

ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat	ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6ECCB1D1-732B-11ED-882A-F263091D6DCE} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376851577"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

900 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

900 IEXPLORE.EXE
900 IEXPLORE.EXE
1008 IEXPLORE.EXE
1008 IEXPLORE.EXE
1008 IEXPLORE.EXE
1008 IEXPLORE.EXE

pid	process
900	IEXPLORE.EXE

pid	process
900	IEXPLORE.EXE
900	IEXPLORE.EXE
1008	IEXPLORE.EXE
1008	IEXPLORE.EXE
1008	IEXPLORE.EXE
1008	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exerejoice101.exeIEXPLORE.EXE

description	pid	process	target process
PID 1132 wrote to memory of 684	1132	ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe	rejoice101.exe
PID 1132 wrote to memory of 684	1132	ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe	rejoice101.exe
PID 1132 wrote to memory of 684	1132	ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe	rejoice101.exe
PID 1132 wrote to memory of 684	1132	ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe	rejoice101.exe
PID 684 wrote to memory of 1268	684	rejoice101.exe	calc.exe
PID 684 wrote to memory of 1268	684	rejoice101.exe	calc.exe
PID 684 wrote to memory of 1268	684	rejoice101.exe	calc.exe
PID 684 wrote to memory of 1268	684	rejoice101.exe	calc.exe
PID 684 wrote to memory of 1268	684	rejoice101.exe	calc.exe
PID 684 wrote to memory of 1268	684	rejoice101.exe	calc.exe
PID 684 wrote to memory of 900	684	rejoice101.exe	IEXPLORE.EXE
PID 684 wrote to memory of 900	684	rejoice101.exe	IEXPLORE.EXE
PID 684 wrote to memory of 900	684	rejoice101.exe	IEXPLORE.EXE
PID 684 wrote to memory of 900	684	rejoice101.exe	IEXPLORE.EXE
PID 684 wrote to memory of 900	684	rejoice101.exe	IEXPLORE.EXE
PID 1132 wrote to memory of 892	1132	ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe	cmd.exe
PID 1132 wrote to memory of 892	1132	ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe	cmd.exe
PID 1132 wrote to memory of 892	1132	ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe	cmd.exe
PID 1132 wrote to memory of 892	1132	ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe	cmd.exe
PID 900 wrote to memory of 1008	900	IEXPLORE.EXE	IEXPLORE.EXE
PID 900 wrote to memory of 1008	900	IEXPLORE.EXE	IEXPLORE.EXE
PID 900 wrote to memory of 1008	900	IEXPLORE.EXE	IEXPLORE.EXE
PID 900 wrote to memory of 1008	900	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe
"C:\Users\Admin\AppData\Local\Temp\ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1132

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:1268

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:900 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
2⤵
- Deletes itself
PID:892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat
Filesize
248B

MD5
d423762fe0dff253e426333316352809

SHA1
df615922746f423f0e753cc9e3fa6b9403ee5f28

SHA256
230f14a6c3a80a3354ccc8394b592eec3cfe11b7ad7536121596997b003eedae

SHA512
0c5988a326f79ea712f73a334ae0c71b12ca838d4b6a69ed40e52cbe02d6cd4263296422bff7d772c7ea43edcaed5e662ae3dea72a03389ef2fdd0f0f1c38022

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
Filesize
1.0MB

MD5
a78b2948e43a73a409dc15c09eaebaeb

SHA1
2c5609fef93f10e3f30fc3453e6f7c680778699a

SHA256
ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b

SHA512
22a1be03dab0b6e866c48bc91866ce66ba269a50bf6e0d44f4925fc9152db763781f759968a8648d9e764f91d3e205dc58654684ab05b549c7d9a228b6782554

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice101.exe
Filesize
1.0MB

MD5
a78b2948e43a73a409dc15c09eaebaeb

SHA1
2c5609fef93f10e3f30fc3453e6f7c680778699a

SHA256
ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b

SHA512
22a1be03dab0b6e866c48bc91866ce66ba269a50bf6e0d44f4925fc9152db763781f759968a8648d9e764f91d3e205dc58654684ab05b549c7d9a228b6782554

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YTHL684W.txt
Filesize
539B

MD5
4f50f6143ac1404e566be731598aec5f

SHA1
86afe76578f73cc57405bc560d622b89b2877378

SHA256
b64f8e5f1b963cbffb7e50d5e90ca0080c6316c614e63020ee8af59d94851ba9

SHA512
cf5dd479f2639dd2ea7f4595d3f7230a2b904069b3f6234087a82640bae70f3a745bbebdc8e5e2d7417d4eaf52babddd7b606a1ae836b193b33597d2c83912d9

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice101.exe
Filesize
1.0MB

MD5
a78b2948e43a73a409dc15c09eaebaeb

SHA1
2c5609fef93f10e3f30fc3453e6f7c680778699a

SHA256
ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b

SHA512
22a1be03dab0b6e866c48bc91866ce66ba269a50bf6e0d44f4925fc9152db763781f759968a8648d9e764f91d3e205dc58654684ab05b549c7d9a228b6782554

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice101.exe
Filesize
1.0MB

MD5
a78b2948e43a73a409dc15c09eaebaeb

SHA1
2c5609fef93f10e3f30fc3453e6f7c680778699a

SHA256
ecb76617a8aa609ae9eb42e50b516145fa061645fbc9700ab294c75cf303357b

SHA512
22a1be03dab0b6e866c48bc91866ce66ba269a50bf6e0d44f4925fc9152db763781f759968a8648d9e764f91d3e205dc58654684ab05b549c7d9a228b6782554

Download Submit
memory/684-65-0x0000000000400000-0x000000000050A600-memory.dmp

Filesize
1.0MB

Download
memory/684-59-0x0000000000000000-mapping.dmp

Download
memory/684-70-0x0000000000400000-0x000000000050A600-memory.dmp

Filesize
1.0MB

Download
memory/892-71-0x0000000000000000-mapping.dmp

Download
memory/1132-63-0x0000000002EE0000-0x0000000002FEB000-memory.dmp

Filesize
1.0MB

Download
memory/1132-64-0x0000000002EE0000-0x0000000002FEB000-memory.dmp

Filesize
1.0MB

Download
memory/1132-54-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1132-72-0x0000000000400000-0x000000000050A600-memory.dmp

Filesize
1.0MB

Download
memory/1132-56-0x0000000000400000-0x000000000050A600-memory.dmp

Filesize
1.0MB

Download
memory/1132-55-0x0000000000400000-0x000000000050A600-memory.dmp

Filesize
1.0MB

Download
memory/1268-68-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1268-69-0x000000000049E54C-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads