modiloader | d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3

General

Target

d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe
Size

650KB
MD5

8da7970c2d7fefa91dde87347f240486
SHA1

f279f1a8347f90aeaa2bc1c744b8a27fb28cdb25
SHA256

d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3
SHA512

5e91fca941877b257a0f32646505d877176036d3209f6c4d5f674afe8d98ef440b6161c0312382316665e2b62b46965c9cda4a7151d37db040d36ef143419683
SSDEEP

12288:V7Dbxv8LbH1nRQJ5WJVjDbykWZYJDDVcdnNwPl2kAQQLgpMjuNZMNyYZ:VLxEPVRQJgf/bONRNZQQcpZDMNBZ

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
\Program Files\Common Files\Microsoft Shared\MSInfo\Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe	modiloader_stage2
\Program Files\Common Files\Microsoft Shared\MSInfo\Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe	modiloader_stage2
C:\Program Files\Common Files\Microsoft Shared\MSInfo\Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe	modiloader_stage2
C:\program files\common files\microsoft shared\msinfo\Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe

pid process

1336 Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe

pid	process
1336	Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe

Loads dropped DLL 2 IoCs

Processes:

d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe

pid	process
1448	d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe
1448	d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe

Drops file in Program Files directory 4 IoCs

Processes:

Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exeDllHost.exed7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Fiele Ps.txt	Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe
File opened for modification	C:\program files\common files\microsoft shared\msinfo\ÊÓÆµÇ¿ÖÆQQ.jpg	DllHost.exe
File created	C:\program files\common files\microsoft shared\msinfo\ÊÓÆµÇ¿ÖÆQQ.jpg	d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe
File created	C:\program files\common files\microsoft shared\msinfo\Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.jpg	d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1552 DllHost.exe

pid	process
1552	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exeË¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe

description	pid	process	target process
PID 1448 wrote to memory of 1336	1448	d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe	Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe
PID 1448 wrote to memory of 1336	1448	d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe	Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe
PID 1448 wrote to memory of 1336	1448	d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe	Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe
PID 1448 wrote to memory of 1336	1448	d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe	Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe
PID 1336 wrote to memory of 1768	1336	Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe	IEXPLORE.EXE
PID 1336 wrote to memory of 1768	1336	Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe	IEXPLORE.EXE
PID 1336 wrote to memory of 1768	1336	Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe	IEXPLORE.EXE
PID 1336 wrote to memory of 1768	1336	Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe
"C:\Users\Admin\AppData\Local\Temp\d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1448

C:\program files\common files\microsoft shared\msinfo\Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe
"C:\program files\common files\microsoft shared\msinfo\Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1336

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
3⤵
PID:1768

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1552

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe
Filesize
672KB

MD5
c70eb040086b3260956cc5fad3ed9a8d

SHA1
fca6484dd65e74e858bf5b3c2d49443264d0bd69

SHA256
1d90509e2594ae20cb098a35829d54e1ef69c3953d6096439dba22aad60828cf

SHA512
b05899a474ba936057408bab845d3ca4ebecce656c09c581241ffcd607b99a1307aae1412817a96e43514b23d82482720e3788c7b72478a653e4e57cc0a17bbc

Download Submit
C:\program files\common files\microsoft shared\msinfo\ÊÓÆµÇ¿ÖÆQQ.jpg
Filesize
27KB

MD5
dbd2800832f7ddbb71468a3755d05bbe

SHA1
775bbc51ecf70876bfea482e0d1545f1cd7c9576

SHA256
a7dfd95da908363ca7e2b52515149b8b8caa6d941d3374930aa9ba221c061366

SHA512
cf8494e4e1187012847d0889528e07a3305bd745d9f65a217397b7e39ad8329f275c2b2eea72b1e0f2624cd9d5de686fcfdd8fc9e2558243593f161775c43762

Download Submit
C:\program files\common files\microsoft shared\msinfo\Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe
Filesize
672KB

MD5
c70eb040086b3260956cc5fad3ed9a8d

SHA1
fca6484dd65e74e858bf5b3c2d49443264d0bd69

SHA256
1d90509e2594ae20cb098a35829d54e1ef69c3953d6096439dba22aad60828cf

SHA512
b05899a474ba936057408bab845d3ca4ebecce656c09c581241ffcd607b99a1307aae1412817a96e43514b23d82482720e3788c7b72478a653e4e57cc0a17bbc

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe
Filesize
672KB

MD5
c70eb040086b3260956cc5fad3ed9a8d

SHA1
fca6484dd65e74e858bf5b3c2d49443264d0bd69

SHA256
1d90509e2594ae20cb098a35829d54e1ef69c3953d6096439dba22aad60828cf

SHA512
b05899a474ba936057408bab845d3ca4ebecce656c09c581241ffcd607b99a1307aae1412817a96e43514b23d82482720e3788c7b72478a653e4e57cc0a17bbc

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Ë¢»áÔ±¼ÓÁù×ê¹¤¾ß.exe
Filesize
672KB

MD5
c70eb040086b3260956cc5fad3ed9a8d

SHA1
fca6484dd65e74e858bf5b3c2d49443264d0bd69

SHA256
1d90509e2594ae20cb098a35829d54e1ef69c3953d6096439dba22aad60828cf

SHA512
b05899a474ba936057408bab845d3ca4ebecce656c09c581241ffcd607b99a1307aae1412817a96e43514b23d82482720e3788c7b72478a653e4e57cc0a17bbc

Download Submit
memory/1336-60-0x0000000000000000-mapping.dmp

Download
memory/1448-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1448-55-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/1448-56-0x0000000000330000-0x000000000038B000-memory.dmp

Filesize
364KB

Download
memory/1448-63-0x0000000000330000-0x000000000038B000-memory.dmp

Filesize
364KB

Download
memory/1448-62-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads