modiloader | ad31048d42c4b63281d73f41d6befd5d782dec5f22ba0bbe649a1e1986694244

General

Target

ad31048d42c4b63281d73f41d6befd5d782dec5f22ba0bbe649a1e1986694244.exe
Size

2.6MB
MD5

3b7642e3ef34792b3b3fc9ad645cb859
SHA1

bf7071e79b4f88dc64c3c009463138cfd9e08efa
SHA256

ad31048d42c4b63281d73f41d6befd5d782dec5f22ba0bbe649a1e1986694244
SHA512

c070a482f5e52dfb0c3023cbde80ed13a818fc73b886abddeace65027c287843b649961388615c79fdb3078c36e69d882e66f5cdc04a155136106584508ffdee
SSDEEP

49152:fH67ac//////RTZsIFKISs0kI6hvBBirm0zPo2yx9si8D+hRaJC50u3NFwp:fH67ac//////3Ys0ohBl0jIsTDWRx5tg

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Sx_server.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\Sx_server.exe	modiloader_stage2
\Users\Admin\AppData\Local\Temp\Sx_server.exe	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

Sx_server.exe±ùÌì¼ÓËÙ1.43.exe

pid process

2024 Sx_server.exe
1984 ±ùÌì¼ÓËÙ1.43.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.execmd.exe

pid process

2016 cmd.exe
1144 cmd.exe
1144 cmd.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

±ùÌì¼ÓËÙ1.43.exe

description ioc process

File opened (read-only) \??\e: ±ùÌì¼ÓËÙ1.43.exe
Drops file in Program Files directory 1 IoCs

Processes:

Sx_server.exe

description ioc process

File created C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\2010.txt Sx_server.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

±ùÌì¼ÓËÙ1.43.exe

pid process

1984 ±ùÌì¼ÓËÙ1.43.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

±ùÌì¼ÓËÙ1.43.exe

pid process

1984 ±ùÌì¼ÓËÙ1.43.exe
1984 ±ùÌì¼ÓËÙ1.43.exe
1984 ±ùÌì¼ÓËÙ1.43.exe
1984 ±ùÌì¼ÓËÙ1.43.exe

pid	process
2024	Sx_server.exe
1984	±ùÌì¼ÓËÙ1.43.exe

pid	process
2016	cmd.exe
1144	cmd.exe
1144	cmd.exe

description	ioc	process
File opened (read-only)	\??\e:	±ùÌì¼ÓËÙ1.43.exe

description	ioc	process
File created	C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\2010.txt	Sx_server.exe

pid	process
1984	±ùÌì¼ÓËÙ1.43.exe

pid	process
1984	±ùÌì¼ÓËÙ1.43.exe
1984	±ùÌì¼ÓËÙ1.43.exe
1984	±ùÌì¼ÓËÙ1.43.exe
1984	±ùÌì¼ÓËÙ1.43.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

ad31048d42c4b63281d73f41d6befd5d782dec5f22ba0bbe649a1e1986694244.execmd.execmd.exeSx_server.exe

description	pid	process	target process
PID 996 wrote to memory of 1144	996	ad31048d42c4b63281d73f41d6befd5d782dec5f22ba0bbe649a1e1986694244.exe	cmd.exe
PID 996 wrote to memory of 1144	996	ad31048d42c4b63281d73f41d6befd5d782dec5f22ba0bbe649a1e1986694244.exe	cmd.exe
PID 996 wrote to memory of 1144	996	ad31048d42c4b63281d73f41d6befd5d782dec5f22ba0bbe649a1e1986694244.exe	cmd.exe
PID 996 wrote to memory of 1144	996	ad31048d42c4b63281d73f41d6befd5d782dec5f22ba0bbe649a1e1986694244.exe	cmd.exe
PID 996 wrote to memory of 2016	996	ad31048d42c4b63281d73f41d6befd5d782dec5f22ba0bbe649a1e1986694244.exe	cmd.exe
PID 996 wrote to memory of 2016	996	ad31048d42c4b63281d73f41d6befd5d782dec5f22ba0bbe649a1e1986694244.exe	cmd.exe
PID 996 wrote to memory of 2016	996	ad31048d42c4b63281d73f41d6befd5d782dec5f22ba0bbe649a1e1986694244.exe	cmd.exe
PID 996 wrote to memory of 2016	996	ad31048d42c4b63281d73f41d6befd5d782dec5f22ba0bbe649a1e1986694244.exe	cmd.exe
PID 2016 wrote to memory of 2024	2016	cmd.exe	Sx_server.exe
PID 2016 wrote to memory of 2024	2016	cmd.exe	Sx_server.exe
PID 2016 wrote to memory of 2024	2016	cmd.exe	Sx_server.exe
PID 2016 wrote to memory of 2024	2016	cmd.exe	Sx_server.exe
PID 1144 wrote to memory of 1984	1144	cmd.exe	±ùÌì¼ÓËÙ1.43.exe
PID 1144 wrote to memory of 1984	1144	cmd.exe	±ùÌì¼ÓËÙ1.43.exe
PID 1144 wrote to memory of 1984	1144	cmd.exe	±ùÌì¼ÓËÙ1.43.exe
PID 1144 wrote to memory of 1984	1144	cmd.exe	±ùÌì¼ÓËÙ1.43.exe
PID 2024 wrote to memory of 580	2024	Sx_server.exe	IEXPLORE.EXE
PID 2024 wrote to memory of 580	2024	Sx_server.exe	IEXPLORE.EXE
PID 2024 wrote to memory of 580	2024	Sx_server.exe	IEXPLORE.EXE
PID 2024 wrote to memory of 580	2024	Sx_server.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\ad31048d42c4b63281d73f41d6befd5d782dec5f22ba0bbe649a1e1986694244.exe
"C:\Users\Admin\AppData\Local\Temp\ad31048d42c4b63281d73f41d6befd5d782dec5f22ba0bbe649a1e1986694244.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\±ùÌì¼ÓËÙ1.43.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\±ùÌì¼ÓËÙ1.43.exe
C:\Users\Admin\AppData\Local\Temp\±ùÌì¼ÓËÙ1.43.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Sx_server.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\Sx_server.exe
C:\Users\Admin\AppData\Local\Temp\Sx_server.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2024

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
4⤵
PID:580

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sx_server.exe
Filesize
678KB

MD5
abe51f872846286ab19d98048523c74b

SHA1
f32e206a28b07454a898caabba04ad5a90df3674

SHA256
3571b5479c6d7eeb4b2ae6e5a41a4bf7f9237029ef1e7a13bcd68f514fa93376

SHA512
97e55ed6dd7e859b6eef6a9b48dd4494adabcb9fe64c094cd57de5161ba96c90068d1a5c440ae3ed04cee88de4a94b9900de78d94f21a2fadb62deb078ee8f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sx_server.exe
Filesize
678KB

MD5
abe51f872846286ab19d98048523c74b

SHA1
f32e206a28b07454a898caabba04ad5a90df3674

SHA256
3571b5479c6d7eeb4b2ae6e5a41a4bf7f9237029ef1e7a13bcd68f514fa93376

SHA512
97e55ed6dd7e859b6eef6a9b48dd4494adabcb9fe64c094cd57de5161ba96c90068d1a5c440ae3ed04cee88de4a94b9900de78d94f21a2fadb62deb078ee8f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\±ùÌì¼ÓËÙ1.43.exe
Filesize
1.5MB

MD5
a0f0a2390211ce1102eeb46f8e50133f

SHA1
5c861caa1b5c7122b0dd01fb952303cdd4c77483

SHA256
9ab1ae9797c0e3697fc0effb7ea72d44b5ff45a6833e900dc6c6b30a8aa3a3f4

SHA512
0c0b8997db623d59c33cb7f38a9cacaa87b11de3cf92132d843c37382848966095485d6a3d997640ab9c1527d8f22190d3166dd8edfdac770e6a8547cf47a232

Download Submit
C:\Users\Admin\AppData\Local\Temp\±ùÌì¼ÓËÙ1.43.exe
Filesize
1.5MB

MD5
a0f0a2390211ce1102eeb46f8e50133f

SHA1
5c861caa1b5c7122b0dd01fb952303cdd4c77483

SHA256
9ab1ae9797c0e3697fc0effb7ea72d44b5ff45a6833e900dc6c6b30a8aa3a3f4

SHA512
0c0b8997db623d59c33cb7f38a9cacaa87b11de3cf92132d843c37382848966095485d6a3d997640ab9c1527d8f22190d3166dd8edfdac770e6a8547cf47a232

Download Submit
\Users\Admin\AppData\Local\Temp\Sx_server.exe
Filesize
678KB

MD5
abe51f872846286ab19d98048523c74b

SHA1
f32e206a28b07454a898caabba04ad5a90df3674

SHA256
3571b5479c6d7eeb4b2ae6e5a41a4bf7f9237029ef1e7a13bcd68f514fa93376

SHA512
97e55ed6dd7e859b6eef6a9b48dd4494adabcb9fe64c094cd57de5161ba96c90068d1a5c440ae3ed04cee88de4a94b9900de78d94f21a2fadb62deb078ee8f14

Download Submit
\Users\Admin\AppData\Local\Temp\±ùÌì¼ÓËÙ1.43.exe
Filesize
1.5MB

MD5
a0f0a2390211ce1102eeb46f8e50133f

SHA1
5c861caa1b5c7122b0dd01fb952303cdd4c77483

SHA256
9ab1ae9797c0e3697fc0effb7ea72d44b5ff45a6833e900dc6c6b30a8aa3a3f4

SHA512
0c0b8997db623d59c33cb7f38a9cacaa87b11de3cf92132d843c37382848966095485d6a3d997640ab9c1527d8f22190d3166dd8edfdac770e6a8547cf47a232

Download Submit
\Users\Admin\AppData\Local\Temp\±ùÌì¼ÓËÙ1.43.exe
Filesize
1.5MB

MD5
a0f0a2390211ce1102eeb46f8e50133f

SHA1
5c861caa1b5c7122b0dd01fb952303cdd4c77483

SHA256
9ab1ae9797c0e3697fc0effb7ea72d44b5ff45a6833e900dc6c6b30a8aa3a3f4

SHA512
0c0b8997db623d59c33cb7f38a9cacaa87b11de3cf92132d843c37382848966095485d6a3d997640ab9c1527d8f22190d3166dd8edfdac770e6a8547cf47a232

Download Submit
memory/1144-67-0x0000000002030000-0x00000000024E4000-memory.dmp

Filesize
4.7MB

Download
memory/1144-54-0x0000000000000000-mapping.dmp

Download
memory/1144-68-0x0000000002030000-0x00000000024E4000-memory.dmp

Filesize
4.7MB

Download
memory/1984-64-0x0000000000000000-mapping.dmp

Download
memory/1984-69-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/1984-70-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/1984-71-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/1984-72-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/1984-73-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/2016-55-0x0000000000000000-mapping.dmp

Download
memory/2024-62-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/2024-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing