modiloader | 9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250

General

Target

9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe
Size

631KB
MD5

3784baf66addb63f047c26c39b40a34e
SHA1

7d7bff16796dad8052bd62c1fda5b4869d2dd279
SHA256

9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250
SHA512

b2865afc1a370fcc98fddab60f7af13d7e64263a53da19460417ec84d59fa6a77212c74e6c67ffe9a14f7643a6a06251b8e302be0ed0157cb28c37c01de64930
SSDEEP

12288:IzT2da7QDms9cKcTUy/xQZZZHCE+gffVUlj0OtlLwu6oGjc4ysHJUB3WnG1x03L:ILs9NO7/xWZHjzfVUljrbwu6oQcaHJUq

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/1896-141-0x0000000000400000-0x00000000005BD000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
1896	updata.exe
4760	dogread.exe
4960	hl-dump.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dogread.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\FieleWay.txt	updata.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1896	2480	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	80
PID 2480 wrote to memory of 1896	2480	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	80
PID 2480 wrote to memory of 1896	2480	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	80
PID 2480 wrote to memory of 4760	2480	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	81
PID 2480 wrote to memory of 4760	2480	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	81
PID 2480 wrote to memory of 4760	2480	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	81
PID 1896 wrote to memory of 3872	1896	updata.exe	82
PID 1896 wrote to memory of 3872	1896	updata.exe	82
PID 1896 wrote to memory of 3872	1896	updata.exe	82
PID 4760 wrote to memory of 4868	4760	dogread.exe	83
PID 4760 wrote to memory of 4868	4760	dogread.exe	83
PID 4760 wrote to memory of 4868	4760	dogread.exe	83
PID 4868 wrote to memory of 4960	4868	cmd.exe	85
PID 4868 wrote to memory of 4960	4868	cmd.exe	85
PID 4868 wrote to memory of 4960	4868	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe
"C:\Users\Admin\AppData\Local\Temp\9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\updata.exe
  "C:\Users\Admin\AppData\Local\Temp\updata.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe"
    3⤵
    PID:3872
- C:\Users\Admin\AppData\Local\Temp\dogread.exe
  "C:\Users\Admin\AppData\Local\Temp\dogread.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\pmrt.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - \??\c:\hl-dump.exe
      HL-DUMP.EXE /DUMP 0x1A5
      4⤵
      Executes dropped EXE
      PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dogread.exe

Filesize
122KB

MD5
1d3cbd544ec48f18423c96c76da4c0af

SHA1
d123df62d3ca19540b0d4c0d133710f429b27f7c

SHA256
4c3d73aa67d2e03d342acf3576452a709a2487daef875b63e94fc405fbb59dbb

SHA512
0091d8ab7b9d7a171b15021d88038f0e3abf5fe256b33652fc292f33f84d788a454e5d1280fc84e9c5a71b665f18c2146aa3b363582b93ec6782b09a7392e3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dogread.exe

Filesize
122KB

MD5
1d3cbd544ec48f18423c96c76da4c0af

SHA1
d123df62d3ca19540b0d4c0d133710f429b27f7c

SHA256
4c3d73aa67d2e03d342acf3576452a709a2487daef875b63e94fc405fbb59dbb

SHA512
0091d8ab7b9d7a171b15021d88038f0e3abf5fe256b33652fc292f33f84d788a454e5d1280fc84e9c5a71b665f18c2146aa3b363582b93ec6782b09a7392e3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\updata.exe

Filesize
475KB

MD5
d09d5b5f770cbfef800e596854f3bc72

SHA1
07b47383ba6a29d67ecb9b32948e2915c0e8e5b9

SHA256
3a5fcdbddd2ac63717ff52bc9e278c18e7f25b0db85c8f846f90987c6a970feb

SHA512
761b31876a43e414616cea26742346356c262ac64f0ec51fb85c612017db17be33ce84e44e01687ac191c2c08274deb5523c5b0465c18605ba6e291f80346dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\updata.exe

Filesize
475KB

MD5
d09d5b5f770cbfef800e596854f3bc72

SHA1
07b47383ba6a29d67ecb9b32948e2915c0e8e5b9

SHA256
3a5fcdbddd2ac63717ff52bc9e278c18e7f25b0db85c8f846f90987c6a970feb

SHA512
761b31876a43e414616cea26742346356c262ac64f0ec51fb85c612017db17be33ce84e44e01687ac191c2c08274deb5523c5b0465c18605ba6e291f80346dcc

Download Submit
C:\hl-dump.exe

Filesize
48KB

MD5
2dfd1a748cef1517e800f7ae47468e5e

SHA1
c405de71e09a9bdb8227350c6d08f15cd57699a7

SHA256
edaefb1d0ec1fbe7398c25ea85e74c6f44f544184bb448328a5886ce2c8cb294

SHA512
0cb49fbe11717030015e74092a31fff8d791219789d27bdd559fe4d48ff0149abcf64fc487bae97169f4398a7c1a3156ca53cfb76240d66b5c75521dcd98bb39

Download Submit
C:\pmrt.bat

Filesize
27B

MD5
31ae2e45e85e14364ded10ba72d7b890

SHA1
22185e0a4efb576acd354214a6d5f20148df728a

SHA256
4d286da7d903b751bf2c1b8cb5ea27e41d3f4fadc28a18b02a24449e7b70f008

SHA512
86a75c0b7eec3f94f0a569c6d7e25a9c5ed0292c40acca85f866d9192cd2699c53b671cc4c36456be7f26ff78e865be1150545515aef6d4d4645ddc9eee60dc9

Download Submit
\??\c:\hl-dump.exe

Filesize
48KB

MD5
2dfd1a748cef1517e800f7ae47468e5e

SHA1
c405de71e09a9bdb8227350c6d08f15cd57699a7

SHA256
edaefb1d0ec1fbe7398c25ea85e74c6f44f544184bb448328a5886ce2c8cb294

SHA512
0cb49fbe11717030015e74092a31fff8d791219789d27bdd559fe4d48ff0149abcf64fc487bae97169f4398a7c1a3156ca53cfb76240d66b5c75521dcd98bb39

Download Submit
memory/1896-141-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/2480-132-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2480-139-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing