modiloader | b6e042b0fa5559315c0500ad91d22e02ad9e1bbb86d277a4cdf934d6781f2b5e

General

Target

b6e042b0fa5559315c0500ad91d22e02ad9e1bbb86d277a4cdf934d6781f2b5e.exe
Size

155KB
MD5

d3bb560701d2b6ca0440c22c6679567e
SHA1

d15f10faff11d1fbdc3bc2c6e114608ad1a177fd
SHA256

b6e042b0fa5559315c0500ad91d22e02ad9e1bbb86d277a4cdf934d6781f2b5e
SHA512

b24da9cf07a263723f6ed7b3efab8129211de89b78e5b715add601f8dbffe57aebf45c54cd7c76a3b1127ee55334f082ba4652b4f86a0a40e7d13faf7f216bcd
SSDEEP

3072:FI3vzbT934wKn7Pbk+DFTz9rW8dUJXEtbiYHPy6Wq46kZg+uc3NCcoKB5jWoIEif:FsLbh34wK7o+DpJi8UObDtDHc3NCcnLE

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3732-136-0x0000000000400000-0x000000000045F208-memory.dmp	modiloader_stage2
behavioral2/memory/4232-137-0x0000000000400000-0x000000000045F208-memory.dmp	modiloader_stage2
behavioral2/memory/3732-142-0x0000000000400000-0x000000000045F208-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

netservice.exe

pid process

3732 netservice.exe

pid	process
3732	netservice.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3732-139-0x0000000010410000-0x0000000010465000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

netservice.exe

description pid process

Token: SeDebugPrivilege 3732 netservice.exe

description	pid	process
Token: SeDebugPrivilege	3732	netservice.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b6e042b0fa5559315c0500ad91d22e02ad9e1bbb86d277a4cdf934d6781f2b5e.exenetservice.exe

description	pid	process	target process
PID 4232 wrote to memory of 3940	4232	b6e042b0fa5559315c0500ad91d22e02ad9e1bbb86d277a4cdf934d6781f2b5e.exe	cmd.exe
PID 4232 wrote to memory of 3940	4232	b6e042b0fa5559315c0500ad91d22e02ad9e1bbb86d277a4cdf934d6781f2b5e.exe	cmd.exe
PID 4232 wrote to memory of 3940	4232	b6e042b0fa5559315c0500ad91d22e02ad9e1bbb86d277a4cdf934d6781f2b5e.exe	cmd.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe
PID 3732 wrote to memory of 1628	3732	netservice.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\b6e042b0fa5559315c0500ad91d22e02ad9e1bbb86d277a4cdf934d6781f2b5e.exe
"C:\Users\Admin\AppData\Local\Temp\b6e042b0fa5559315c0500ad91d22e02ad9e1bbb86d277a4cdf934d6781f2b5e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\b6e042b0fa5559315c0500ad91d22e02ad9e1bbb86d277a4cdf934d6781f2b5e.exe"
2⤵
PID:3940

C:\Users\Admin\Favorites\netservice.exe
C:\Users\Admin\Favorites\netservice.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" about:blank
2⤵
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Favorites\netservice.exe
Filesize
155KB

MD5
d3bb560701d2b6ca0440c22c6679567e

SHA1
d15f10faff11d1fbdc3bc2c6e114608ad1a177fd

SHA256
b6e042b0fa5559315c0500ad91d22e02ad9e1bbb86d277a4cdf934d6781f2b5e

SHA512
b24da9cf07a263723f6ed7b3efab8129211de89b78e5b715add601f8dbffe57aebf45c54cd7c76a3b1127ee55334f082ba4652b4f86a0a40e7d13faf7f216bcd

Download Submit
C:\Users\Admin\Favorites\netservice.exe
Filesize
155KB

MD5
d3bb560701d2b6ca0440c22c6679567e

SHA1
d15f10faff11d1fbdc3bc2c6e114608ad1a177fd

SHA256
b6e042b0fa5559315c0500ad91d22e02ad9e1bbb86d277a4cdf934d6781f2b5e

SHA512
b24da9cf07a263723f6ed7b3efab8129211de89b78e5b715add601f8dbffe57aebf45c54cd7c76a3b1127ee55334f082ba4652b4f86a0a40e7d13faf7f216bcd

Download Submit
memory/3732-136-0x0000000000400000-0x000000000045F208-memory.dmp

Filesize
380KB

Download
memory/3732-139-0x0000000010410000-0x0000000010465000-memory.dmp

Filesize
340KB

Download
memory/3732-142-0x0000000000400000-0x000000000045F208-memory.dmp

Filesize
380KB

Download
memory/3940-135-0x0000000000000000-mapping.dmp

Download
memory/4232-132-0x0000000000400000-0x000000000045F208-memory.dmp

Filesize
380KB

Download
memory/4232-137-0x0000000000400000-0x000000000045F208-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads