modiloader | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5

General

Target

eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Size

836KB
MD5

40bb425dbec19f1ef5f7b61b35a82267
SHA1

5e14bdba8cf01d123f2a711d3e8a595837eb69db
SHA256

eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5
SHA512

9219892ca4298ad19ce285e73f3af6b756e429e98b315d0f51de093db821e041f46adc8adcbc65ecee326abddff7c7a2db8069780e0019f13a2c3bae7912ee34
SSDEEP

12288:i/WNzAAmk+aiptW5v9edN1gFAbdYeqO+sMraahnk:i/WhLB+qI+vLraUn

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2036-65-0x0000000000402000-0x0000000000403000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-78-0x0000000000400000-0x0000000000503000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

bio 1.5.exewmplayer.exe

pid process

1504 bio 1.5.exe
1008 wmplayer.exe

pid	process
1504	bio 1.5.exe
1008	wmplayer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe

Loads dropped DLL 4 IoCs

Processes:

eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe

pid	process
2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bio 1.5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	bio 1.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Updates = "c:\\windows\\system\\Update.exe"	bio 1.5.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	bio 1.5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updates = "c:\\windows\\system\\Update.exe"	bio 1.5.exe

Drops file in System32 directory 2 IoCs

Processes:

eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exebio 1.5.exe

description	ioc	process
File created	C:\Windows\SysWOW64\bio 1.5.exe	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
File opened for modification	C:\WINDOWS\SysWOW64\MSWINSCK.OCX	bio 1.5.exe

Drops file in Windows directory 2 IoCs

Processes:

bio 1.5.exe

description ioc process

File opened for modification \??\c:\windows\system\Update.exe bio 1.5.exe
File created \??\c:\windows\system\Update.exe bio 1.5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\windows\system\Update.exe	bio 1.5.exe
File created	\??\c:\windows\system\Update.exe	bio 1.5.exe

Modifies registry class 16 IoCs

Processes:

eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe"	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}"	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\Version	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\VersionIndependentProgID	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocServer32	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ProgID	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\Version\ = "1.0"	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\VersionIndependentProgID\ = "PLA.TraceDataProvider"	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocServer32\ThreadingModel = "both"	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ProgID\ = "PLA.TraceDataProvider.1"	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll"	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\AppID = "{03837503-098b-11d8-9414-505054503030}"	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\LocalServer32	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\TypeLib	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ = "TraceDataProvider"	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe

description	pid	process
Token: 33	2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Token: SeIncBasePriorityPrivilege	2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Token: 33	2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Token: SeIncBasePriorityPrivilege	2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bio 1.5.exe

pid process

1504 bio 1.5.exe

pid	process
1504	bio 1.5.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exeeeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exewmplayer.exe

description	pid	process	target process
PID 1292 wrote to memory of 2036	1292	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
PID 1292 wrote to memory of 2036	1292	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
PID 1292 wrote to memory of 2036	1292	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
PID 1292 wrote to memory of 2036	1292	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
PID 1292 wrote to memory of 2036	1292	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
PID 1292 wrote to memory of 2036	1292	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
PID 1292 wrote to memory of 2036	1292	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
PID 1292 wrote to memory of 2036	1292	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
PID 1292 wrote to memory of 2036	1292	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
PID 2036 wrote to memory of 1504	2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	bio 1.5.exe
PID 2036 wrote to memory of 1504	2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	bio 1.5.exe
PID 2036 wrote to memory of 1504	2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	bio 1.5.exe
PID 2036 wrote to memory of 1504	2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	bio 1.5.exe
PID 2036 wrote to memory of 1008	2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	wmplayer.exe
PID 2036 wrote to memory of 1008	2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	wmplayer.exe
PID 2036 wrote to memory of 1008	2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	wmplayer.exe
PID 2036 wrote to memory of 1008	2036	eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe	wmplayer.exe
PID 1008 wrote to memory of 364	1008	wmplayer.exe	setup_wm.exe
PID 1008 wrote to memory of 364	1008	wmplayer.exe	setup_wm.exe
PID 1008 wrote to memory of 364	1008	wmplayer.exe	setup_wm.exe
PID 1008 wrote to memory of 364	1008	wmplayer.exe	setup_wm.exe
PID 1008 wrote to memory of 364	1008	wmplayer.exe	setup_wm.exe
PID 1008 wrote to memory of 364	1008	wmplayer.exe	setup_wm.exe
PID 1008 wrote to memory of 364	1008	wmplayer.exe	setup_wm.exe

C:\Users\Admin\AppData\Local\Temp\eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
"C:\Users\Admin\AppData\Local\Temp\eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
"C:\Users\Admin\AppData\Local\Temp\eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe"
2⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\bio 1.5.exe
"C:\Windows\System32\bio 1.5.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Users\Admin\Desktop\wmplayer.exe
"C:\Users\Admin\Desktop\wmplayer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Users\Admin\Desktop\wmplayer.exe"
4⤵
PID:364

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\wmplayer.exe
Filesize
165KB

MD5
be70ddf93f5e8ca9da13cbc6f849808c

SHA1
1a814be53ecc686bdaeecf0e196c7ce8bece59b1

SHA256
194848d31a217a1115ba7211228c30750ea22a280d8c3ec285e91590b6f6e8ff

SHA512
6063e5ab4c38aeda0149e3525302cff1eccee852becaf1c1ef726a21a86cc3f93d4dfff69a4f66f78fb15419916d78109db6c567480810b59ff2dcd79ece5af7

Download Submit
C:\Windows\SysWOW64\bio 1.5.exe
Filesize
220KB

MD5
7527996f8b993998f82c44d886d1d2d9

SHA1
7edc3c99e1c3885fc7196b3da8a37921d3ee7087

SHA256
9bec4d99aa3fc7dbb6d7f430265a2665b96a29b735bed81cb4647baa74e55aab

SHA512
6269fd44ed1feacdabe060499a0d8000f695a9462724149865d59a8fa23fa0e8a70c2efa705f60088fa15cb640012186bd4540c58751cc81fb0cd4403798ef24

Download Submit
C:\Windows\SysWOW64\bio 1.5.exe
Filesize
220KB

MD5
7527996f8b993998f82c44d886d1d2d9

SHA1
7edc3c99e1c3885fc7196b3da8a37921d3ee7087

SHA256
9bec4d99aa3fc7dbb6d7f430265a2665b96a29b735bed81cb4647baa74e55aab

SHA512
6269fd44ed1feacdabe060499a0d8000f695a9462724149865d59a8fa23fa0e8a70c2efa705f60088fa15cb640012186bd4540c58751cc81fb0cd4403798ef24

Download Submit
\Users\Admin\Desktop\wmplayer.exe
Filesize
165KB

MD5
be70ddf93f5e8ca9da13cbc6f849808c

SHA1
1a814be53ecc686bdaeecf0e196c7ce8bece59b1

SHA256
194848d31a217a1115ba7211228c30750ea22a280d8c3ec285e91590b6f6e8ff

SHA512
6063e5ab4c38aeda0149e3525302cff1eccee852becaf1c1ef726a21a86cc3f93d4dfff69a4f66f78fb15419916d78109db6c567480810b59ff2dcd79ece5af7

Download Submit
\Users\Admin\Desktop\wmplayer.exe
Filesize
165KB

MD5
be70ddf93f5e8ca9da13cbc6f849808c

SHA1
1a814be53ecc686bdaeecf0e196c7ce8bece59b1

SHA256
194848d31a217a1115ba7211228c30750ea22a280d8c3ec285e91590b6f6e8ff

SHA512
6063e5ab4c38aeda0149e3525302cff1eccee852becaf1c1ef726a21a86cc3f93d4dfff69a4f66f78fb15419916d78109db6c567480810b59ff2dcd79ece5af7

Download Submit
\Windows\SysWOW64\bio 1.5.exe
Filesize
220KB

MD5
7527996f8b993998f82c44d886d1d2d9

SHA1
7edc3c99e1c3885fc7196b3da8a37921d3ee7087

SHA256
9bec4d99aa3fc7dbb6d7f430265a2665b96a29b735bed81cb4647baa74e55aab

SHA512
6269fd44ed1feacdabe060499a0d8000f695a9462724149865d59a8fa23fa0e8a70c2efa705f60088fa15cb640012186bd4540c58751cc81fb0cd4403798ef24

Download Submit
\Windows\SysWOW64\bio 1.5.exe
Filesize
220KB

MD5
7527996f8b993998f82c44d886d1d2d9

SHA1
7edc3c99e1c3885fc7196b3da8a37921d3ee7087

SHA256
9bec4d99aa3fc7dbb6d7f430265a2665b96a29b735bed81cb4647baa74e55aab

SHA512
6269fd44ed1feacdabe060499a0d8000f695a9462724149865d59a8fa23fa0e8a70c2efa705f60088fa15cb640012186bd4540c58751cc81fb0cd4403798ef24

Download Submit
memory/364-81-0x0000000000000000-mapping.dmp

Download
memory/1008-74-0x0000000000000000-mapping.dmp

Download
memory/1292-79-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1292-54-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1504-70-0x0000000000000000-mapping.dmp

Download
memory/2036-65-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/2036-66-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2036-64-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2036-63-0x0000000001EE1000-0x0000000001F4E000-memory.dmp

Filesize
436KB

Download
memory/2036-58-0x0000000001EE0000-0x0000000001F74000-memory.dmp

Filesize
592KB

Download
memory/2036-57-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/2036-67-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/2036-78-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2036-56-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2036-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads