modiloader | a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9

General

Target

a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe
Size

2.2MB
MD5

999ca9f1b7db4bb516d72b01d1ea5efc
SHA1

bbefa0fda0c1e02088bbb06ab6a06dd98f17b66e
SHA256

a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9
SHA512

67576060a7dc59ea5393132dec42dc9f8cf74d760c16a873ad999fdb48638d66cfd979304554c427cca3773f6f92ba5a0ea75b0c7033c320f3c6a0c221e52bfb
SSDEEP

49152:HxfEY2wEW3m8j8k8ddADgLhFMY4bXNMWHZNV9EkFZ3fwZzL:HV2BW28jneFMY4bXpNAu30X

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\server.exe	modiloader_stage2
\Users\Admin\AppData\Local\Temp\server.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\server.exe	modiloader_stage2
\Users\Admin\AppData\Local\Temp\server.exe	modiloader_stage2
\Users\Admin\AppData\Local\Temp\server.exe	modiloader_stage2
\Users\Admin\AppData\Local\Temp\server.exe	modiloader_stage2
\Users\Admin\AppData\Local\Temp\server.exe	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1928 server.exe

pid	process
1928	server.exe

Loads dropped DLL 6 IoCs

Processes:

a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exeWerFault.exe

pid	process
1756	a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe
1756	a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1700 1928 WerFault.exe server.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe

pid process

1756 a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

688 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe

pid process

1756 a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe

pid	pid_target	process	target process
1700	1928	WerFault.exe	server.exe

pid	process
688	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exeserver.exe

description	pid	process	target process
PID 1756 wrote to memory of 1928	1756	a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe	server.exe
PID 1756 wrote to memory of 1928	1756	a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe	server.exe
PID 1756 wrote to memory of 1928	1756	a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe	server.exe
PID 1756 wrote to memory of 1928	1756	a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe	server.exe
PID 1928 wrote to memory of 1700	1928	server.exe	WerFault.exe
PID 1928 wrote to memory of 1700	1928	server.exe	WerFault.exe
PID 1928 wrote to memory of 1700	1928	server.exe	WerFault.exe
PID 1928 wrote to memory of 1700	1928	server.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe
"C:\Users\Admin\AppData\Local\Temp\a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 88
3⤵
- Loads dropped DLL
- Program crash
PID:1700

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:688

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RS.JPG
Filesize
415KB

MD5
e197a74788bec3a0adf3d314d6c0a1a1

SHA1
36a340f134ae242a5adde536e88d75f4b4baa793

SHA256
81a13bbd3dbb44b416ae7b6dd1231a8f3e24df64a55ccccd2734e83e35e20ae6

SHA512
06761133b9593668d834511d80d3e3cd65c1af3c015024a57ce79e95e37ebb2c17d780ddf7c39fec255ee3a2b99e389cb2e80c8f081a53a360f6f9782888c6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
29KB

MD5
a7ba2da473489d55b415d180cc171118

SHA1
9d62317f11f54f7d04fc0e1e1ea9a6584800c8a8

SHA256
addc66a1f6c3f3c172fdebb1d5457f02daf91f2c3ca0acb8a2b503375ef37bfd

SHA512
b4e8c1831096e92b32b82d60cfd4c65b34317c6bb20bef602cb967c24b372c972a5df251d2972146eb27d97331bceb29752ac2a7ff59da0c8ef88a9f24e6e241

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
29KB

MD5
a7ba2da473489d55b415d180cc171118

SHA1
9d62317f11f54f7d04fc0e1e1ea9a6584800c8a8

SHA256
addc66a1f6c3f3c172fdebb1d5457f02daf91f2c3ca0acb8a2b503375ef37bfd

SHA512
b4e8c1831096e92b32b82d60cfd4c65b34317c6bb20bef602cb967c24b372c972a5df251d2972146eb27d97331bceb29752ac2a7ff59da0c8ef88a9f24e6e241

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
29KB

MD5
a7ba2da473489d55b415d180cc171118

SHA1
9d62317f11f54f7d04fc0e1e1ea9a6584800c8a8

SHA256
addc66a1f6c3f3c172fdebb1d5457f02daf91f2c3ca0acb8a2b503375ef37bfd

SHA512
b4e8c1831096e92b32b82d60cfd4c65b34317c6bb20bef602cb967c24b372c972a5df251d2972146eb27d97331bceb29752ac2a7ff59da0c8ef88a9f24e6e241

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
29KB

MD5
a7ba2da473489d55b415d180cc171118

SHA1
9d62317f11f54f7d04fc0e1e1ea9a6584800c8a8

SHA256
addc66a1f6c3f3c172fdebb1d5457f02daf91f2c3ca0acb8a2b503375ef37bfd

SHA512
b4e8c1831096e92b32b82d60cfd4c65b34317c6bb20bef602cb967c24b372c972a5df251d2972146eb27d97331bceb29752ac2a7ff59da0c8ef88a9f24e6e241

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
29KB

MD5
a7ba2da473489d55b415d180cc171118

SHA1
9d62317f11f54f7d04fc0e1e1ea9a6584800c8a8

SHA256
addc66a1f6c3f3c172fdebb1d5457f02daf91f2c3ca0acb8a2b503375ef37bfd

SHA512
b4e8c1831096e92b32b82d60cfd4c65b34317c6bb20bef602cb967c24b372c972a5df251d2972146eb27d97331bceb29752ac2a7ff59da0c8ef88a9f24e6e241

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
29KB

MD5
a7ba2da473489d55b415d180cc171118

SHA1
9d62317f11f54f7d04fc0e1e1ea9a6584800c8a8

SHA256
addc66a1f6c3f3c172fdebb1d5457f02daf91f2c3ca0acb8a2b503375ef37bfd

SHA512
b4e8c1831096e92b32b82d60cfd4c65b34317c6bb20bef602cb967c24b372c972a5df251d2972146eb27d97331bceb29752ac2a7ff59da0c8ef88a9f24e6e241

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
29KB

MD5
a7ba2da473489d55b415d180cc171118

SHA1
9d62317f11f54f7d04fc0e1e1ea9a6584800c8a8

SHA256
addc66a1f6c3f3c172fdebb1d5457f02daf91f2c3ca0acb8a2b503375ef37bfd

SHA512
b4e8c1831096e92b32b82d60cfd4c65b34317c6bb20bef602cb967c24b372c972a5df251d2972146eb27d97331bceb29752ac2a7ff59da0c8ef88a9f24e6e241

Download Submit
memory/1700-62-0x0000000000000000-mapping.dmp

Download
memory/1756-56-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/1756-57-0x0000000004730000-0x0000000004733000-memory.dmp

Filesize
12KB

Download
memory/1928-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads