modiloader | e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8

Analysis

max time kernel
125s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe
Size

1.2MB
MD5

4e41bc7a510c3bef5c1e445e072be5b7
SHA1

4839d91cdf8a02fff3a1530ed9309ed08f1546ec
SHA256

e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8
SHA512

1a78a4bb26cabc88361965df0b2fb683db4ebea5759fd4cd2a04e37885a8f0817055ed153add395d0a60bf12585599ccd37674fc4378883202b14b0500c1e216
SSDEEP

24576:WIXMo12mrF8GGNiLoRyiBNQl9vqiFZFp/Eu7GRERnCCifqCZAOl2QHa1+:TXtJZ8GQiLoRyiBKgoZFdniR/qCZFl2M

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1752-55-0x0000000000010000-0x00000000002BD000-memory.dmp	modiloader_stage2
behavioral1/memory/1752-82-0x0000000000010000-0x00000000002BD000-memory.dmp	modiloader_stage2
behavioral1/memory/1684-89-0x0000000000010000-0x00000000002BD000-memory.dmp	modiloader_stage2
behavioral1/memory/1684-88-0x0000000000010000-0x00000000002BD000-memory.dmp	modiloader_stage2
behavioral1/memory/1684-90-0x0000000000010000-0x00000000002BD000-memory.dmp	modiloader_stage2
behavioral1/memory/1684-91-0x0000000000010000-0x00000000002BD000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

Processes:

server.exeD3DWindower.exeapocalyps32.exe

pid process

1224 server.exe
1488 D3DWindower.exe
1684 apocalyps32.exe

pid	process
1224	server.exe
1488	D3DWindower.exe
1684	apocalyps32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.Net CLR\Parameters\ServiceDll = "C:\\Windows\\system32\\6c3286.dll"	server.exe

Loads dropped DLL 10 IoCs

Processes:

e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exeserver.exesvchost.exerundll32.exe

pid	process
1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe
1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe
1224	server.exe
1704	svchost.exe
1100	rundll32.exe
1100	rundll32.exe
1100	rundll32.exe
1100	rundll32.exe
1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe
1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe

Drops file in System32 directory 1 IoCs

Processes:

server.exe

description ioc process

File created C:\Windows\SysWOW64\6c3286.dll server.exe

description	ioc	process
File created	C:\Windows\SysWOW64\6c3286.dll	server.exe

Drops file in Windows directory 3 IoCs

Processes:

e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exeapocalyps32.exe

description	ioc	process
File created	C:\Windows\apocalyps32.exe	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe
File opened for modification	C:\Windows\apocalyps32.exe	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe
File created	C:\Windows\apocalyps32.exe	apocalyps32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

server.exeD3DWindower.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1224	server.exe
Token: SeIncreaseQuotaPrivilege	1488	D3DWindower.exe
Token: SeSecurityPrivilege	1488	D3DWindower.exe
Token: SeTakeOwnershipPrivilege	1488	D3DWindower.exe
Token: SeLoadDriverPrivilege	1488	D3DWindower.exe
Token: SeSystemProfilePrivilege	1488	D3DWindower.exe
Token: SeSystemtimePrivilege	1488	D3DWindower.exe
Token: SeProfSingleProcessPrivilege	1488	D3DWindower.exe
Token: SeIncBasePriorityPrivilege	1488	D3DWindower.exe
Token: SeCreatePagefilePrivilege	1488	D3DWindower.exe
Token: SeBackupPrivilege	1488	D3DWindower.exe
Token: SeRestorePrivilege	1488	D3DWindower.exe
Token: SeShutdownPrivilege	1488	D3DWindower.exe
Token: SeDebugPrivilege	1488	D3DWindower.exe
Token: SeSystemEnvironmentPrivilege	1488	D3DWindower.exe
Token: SeRemoteShutdownPrivilege	1488	D3DWindower.exe
Token: SeUndockPrivilege	1488	D3DWindower.exe
Token: SeManageVolumePrivilege	1488	D3DWindower.exe
Token: 33	1488	D3DWindower.exe
Token: 34	1488	D3DWindower.exe
Token: 35	1488	D3DWindower.exe
Token: SeIncreaseQuotaPrivilege	1488	D3DWindower.exe
Token: SeSecurityPrivilege	1488	D3DWindower.exe
Token: SeTakeOwnershipPrivilege	1488	D3DWindower.exe
Token: SeLoadDriverPrivilege	1488	D3DWindower.exe
Token: SeSystemProfilePrivilege	1488	D3DWindower.exe
Token: SeSystemtimePrivilege	1488	D3DWindower.exe
Token: SeProfSingleProcessPrivilege	1488	D3DWindower.exe
Token: SeIncBasePriorityPrivilege	1488	D3DWindower.exe
Token: SeCreatePagefilePrivilege	1488	D3DWindower.exe
Token: SeBackupPrivilege	1488	D3DWindower.exe
Token: SeRestorePrivilege	1488	D3DWindower.exe
Token: SeShutdownPrivilege	1488	D3DWindower.exe
Token: SeDebugPrivilege	1488	D3DWindower.exe
Token: SeSystemEnvironmentPrivilege	1488	D3DWindower.exe
Token: SeRemoteShutdownPrivilege	1488	D3DWindower.exe
Token: SeUndockPrivilege	1488	D3DWindower.exe
Token: SeManageVolumePrivilege	1488	D3DWindower.exe
Token: 33	1488	D3DWindower.exe
Token: 34	1488	D3DWindower.exe
Token: 35	1488	D3DWindower.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

D3DWindower.exe

pid process

1488 D3DWindower.exe

pid	process
1488	D3DWindower.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exesvchost.exeserver.exeapocalyps32.exe

description	pid	process	target process
PID 1752 wrote to memory of 1224	1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe	server.exe
PID 1752 wrote to memory of 1224	1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe	server.exe
PID 1752 wrote to memory of 1224	1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe	server.exe
PID 1752 wrote to memory of 1224	1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe	server.exe
PID 1704 wrote to memory of 1100	1704	svchost.exe	rundll32.exe
PID 1704 wrote to memory of 1100	1704	svchost.exe	rundll32.exe
PID 1704 wrote to memory of 1100	1704	svchost.exe	rundll32.exe
PID 1704 wrote to memory of 1100	1704	svchost.exe	rundll32.exe
PID 1704 wrote to memory of 1100	1704	svchost.exe	rundll32.exe
PID 1704 wrote to memory of 1100	1704	svchost.exe	rundll32.exe
PID 1704 wrote to memory of 1100	1704	svchost.exe	rundll32.exe
PID 1224 wrote to memory of 1736	1224	server.exe	cmd.exe
PID 1224 wrote to memory of 1736	1224	server.exe	cmd.exe
PID 1224 wrote to memory of 1736	1224	server.exe	cmd.exe
PID 1224 wrote to memory of 1736	1224	server.exe	cmd.exe
PID 1752 wrote to memory of 1488	1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe	D3DWindower.exe
PID 1752 wrote to memory of 1488	1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe	D3DWindower.exe
PID 1752 wrote to memory of 1488	1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe	D3DWindower.exe
PID 1752 wrote to memory of 1488	1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe	D3DWindower.exe
PID 1752 wrote to memory of 1684	1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe	apocalyps32.exe
PID 1752 wrote to memory of 1684	1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe	apocalyps32.exe
PID 1752 wrote to memory of 1684	1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe	apocalyps32.exe
PID 1752 wrote to memory of 1684	1752	e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe	apocalyps32.exe
PID 1684 wrote to memory of 548	1684	apocalyps32.exe	iexplore.exe
PID 1684 wrote to memory of 548	1684	apocalyps32.exe	iexplore.exe
PID 1684 wrote to memory of 548	1684	apocalyps32.exe	iexplore.exe
PID 1684 wrote to memory of 548	1684	apocalyps32.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe
"C:\Users\Admin\AppData\Local\Temp\e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\server.exe" > nul
3⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\D3DWindower.exe
"C:\Users\Admin\AppData\Local\Temp\D3DWindower.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1488

C:\Windows\apocalyps32.exe
-bs
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1684

C:\Program Files\Internet Explorer\iexplore.exe
-bs
3⤵
PID:548

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k ".Net CLR"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe c:\windows\system32\6c3286.dll, Launch
2⤵
- Loads dropped DLL
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D3DWindower.exe
Filesize
738KB

MD5
5ba07aae61ac0b88a761232680916468

SHA1
34347c599e061084833399cbbdfeb3f367b4dc36

SHA256
f3d167c70b74e46e1946b5f9e6199fb5d2333ddd34ec4dd87b6c7894ef4b61ed

SHA512
3b71086534234e53aef2e8f38a080d868f5e2252c73d20353ff38728c48868116e48ee14e6896fa17514fbf1d1c1f9abb444c1210f42458415969b75f277d330

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
658KB

MD5
8ead19cc64b8556df8d68d7d2d75bacb

SHA1
fe41b9f8008db5d71ba02412a44fe1437069f826

SHA256
3943594c4da45d1e998f1c955e313f49047d0e573f58415acfb31cf7b1af83a0

SHA512
9497914a24ac9440432bcc23091928295d5f7685bc7aba0732612f68f124d19e288a40ff3a0f68368f2687b1e95d816393f200fa22956dc56c8bc145b759039c

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
658KB

MD5
8ead19cc64b8556df8d68d7d2d75bacb

SHA1
fe41b9f8008db5d71ba02412a44fe1437069f826

SHA256
3943594c4da45d1e998f1c955e313f49047d0e573f58415acfb31cf7b1af83a0

SHA512
9497914a24ac9440432bcc23091928295d5f7685bc7aba0732612f68f124d19e288a40ff3a0f68368f2687b1e95d816393f200fa22956dc56c8bc145b759039c

Download Submit
C:\Windows\apocalyps32.exe
Filesize
1.2MB

MD5
4e41bc7a510c3bef5c1e445e072be5b7

SHA1
4839d91cdf8a02fff3a1530ed9309ed08f1546ec

SHA256
e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8

SHA512
1a78a4bb26cabc88361965df0b2fb683db4ebea5759fd4cd2a04e37885a8f0817055ed153add395d0a60bf12585599ccd37674fc4378883202b14b0500c1e216

Download Submit
C:\Windows\apocalyps32.exe
Filesize
1.2MB

MD5
4e41bc7a510c3bef5c1e445e072be5b7

SHA1
4839d91cdf8a02fff3a1530ed9309ed08f1546ec

SHA256
e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8

SHA512
1a78a4bb26cabc88361965df0b2fb683db4ebea5759fd4cd2a04e37885a8f0817055ed153add395d0a60bf12585599ccd37674fc4378883202b14b0500c1e216

Download Submit
\??\c:\windows\SysWOW64\6c3286.dll
Filesize
610KB

MD5
fa0c08737db9bb8e0a94f5059b8b5a52

SHA1
fb14b173454e24e208992757325fd81ed21ed680

SHA256
f1ecbb0d4a51dc1a4f11b9031b460bc1b1635706a3a7075003a970d39bf89987

SHA512
e3669a3feb975a9d85bad28970fcc3a24bd8b9caad9ba74bcc2517f99a40ec31fd135a2272ecf5c68cee818829c1b42e56bc8dd883374708dcea0b747633aae6

Download Submit
\Users\Admin\AppData\Local\Temp\D3DWindower.exe
Filesize
738KB

MD5
5ba07aae61ac0b88a761232680916468

SHA1
34347c599e061084833399cbbdfeb3f367b4dc36

SHA256
f3d167c70b74e46e1946b5f9e6199fb5d2333ddd34ec4dd87b6c7894ef4b61ed

SHA512
3b71086534234e53aef2e8f38a080d868f5e2252c73d20353ff38728c48868116e48ee14e6896fa17514fbf1d1c1f9abb444c1210f42458415969b75f277d330

Download Submit
\Users\Admin\AppData\Local\Temp\D3DWindower.exe
Filesize
738KB

MD5
5ba07aae61ac0b88a761232680916468

SHA1
34347c599e061084833399cbbdfeb3f367b4dc36

SHA256
f3d167c70b74e46e1946b5f9e6199fb5d2333ddd34ec4dd87b6c7894ef4b61ed

SHA512
3b71086534234e53aef2e8f38a080d868f5e2252c73d20353ff38728c48868116e48ee14e6896fa17514fbf1d1c1f9abb444c1210f42458415969b75f277d330

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
658KB

MD5
8ead19cc64b8556df8d68d7d2d75bacb

SHA1
fe41b9f8008db5d71ba02412a44fe1437069f826

SHA256
3943594c4da45d1e998f1c955e313f49047d0e573f58415acfb31cf7b1af83a0

SHA512
9497914a24ac9440432bcc23091928295d5f7685bc7aba0732612f68f124d19e288a40ff3a0f68368f2687b1e95d816393f200fa22956dc56c8bc145b759039c

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
658KB

MD5
8ead19cc64b8556df8d68d7d2d75bacb

SHA1
fe41b9f8008db5d71ba02412a44fe1437069f826

SHA256
3943594c4da45d1e998f1c955e313f49047d0e573f58415acfb31cf7b1af83a0

SHA512
9497914a24ac9440432bcc23091928295d5f7685bc7aba0732612f68f124d19e288a40ff3a0f68368f2687b1e95d816393f200fa22956dc56c8bc145b759039c

Download Submit
\Windows\SysWOW64\6c3286.dll
Filesize
610KB

MD5
fa0c08737db9bb8e0a94f5059b8b5a52

SHA1
fb14b173454e24e208992757325fd81ed21ed680

SHA256
f1ecbb0d4a51dc1a4f11b9031b460bc1b1635706a3a7075003a970d39bf89987

SHA512
e3669a3feb975a9d85bad28970fcc3a24bd8b9caad9ba74bcc2517f99a40ec31fd135a2272ecf5c68cee818829c1b42e56bc8dd883374708dcea0b747633aae6

Download Submit
\Windows\SysWOW64\6c3286.dll
Filesize
610KB

MD5
fa0c08737db9bb8e0a94f5059b8b5a52

SHA1
fb14b173454e24e208992757325fd81ed21ed680

SHA256
f1ecbb0d4a51dc1a4f11b9031b460bc1b1635706a3a7075003a970d39bf89987

SHA512
e3669a3feb975a9d85bad28970fcc3a24bd8b9caad9ba74bcc2517f99a40ec31fd135a2272ecf5c68cee818829c1b42e56bc8dd883374708dcea0b747633aae6

Download Submit
\Windows\SysWOW64\6c3286.dll
Filesize
610KB

MD5
fa0c08737db9bb8e0a94f5059b8b5a52

SHA1
fb14b173454e24e208992757325fd81ed21ed680

SHA256
f1ecbb0d4a51dc1a4f11b9031b460bc1b1635706a3a7075003a970d39bf89987

SHA512
e3669a3feb975a9d85bad28970fcc3a24bd8b9caad9ba74bcc2517f99a40ec31fd135a2272ecf5c68cee818829c1b42e56bc8dd883374708dcea0b747633aae6

Download Submit
\Windows\SysWOW64\6c3286.dll
Filesize
610KB

MD5
fa0c08737db9bb8e0a94f5059b8b5a52

SHA1
fb14b173454e24e208992757325fd81ed21ed680

SHA256
f1ecbb0d4a51dc1a4f11b9031b460bc1b1635706a3a7075003a970d39bf89987

SHA512
e3669a3feb975a9d85bad28970fcc3a24bd8b9caad9ba74bcc2517f99a40ec31fd135a2272ecf5c68cee818829c1b42e56bc8dd883374708dcea0b747633aae6

Download Submit
\Windows\SysWOW64\6c3286.dll
Filesize
610KB

MD5
fa0c08737db9bb8e0a94f5059b8b5a52

SHA1
fb14b173454e24e208992757325fd81ed21ed680

SHA256
f1ecbb0d4a51dc1a4f11b9031b460bc1b1635706a3a7075003a970d39bf89987

SHA512
e3669a3feb975a9d85bad28970fcc3a24bd8b9caad9ba74bcc2517f99a40ec31fd135a2272ecf5c68cee818829c1b42e56bc8dd883374708dcea0b747633aae6

Download Submit
\Windows\SysWOW64\6c3286.dll
Filesize
610KB

MD5
fa0c08737db9bb8e0a94f5059b8b5a52

SHA1
fb14b173454e24e208992757325fd81ed21ed680

SHA256
f1ecbb0d4a51dc1a4f11b9031b460bc1b1635706a3a7075003a970d39bf89987

SHA512
e3669a3feb975a9d85bad28970fcc3a24bd8b9caad9ba74bcc2517f99a40ec31fd135a2272ecf5c68cee818829c1b42e56bc8dd883374708dcea0b747633aae6

Download Submit
memory/1100-67-0x0000000000000000-mapping.dmp

Download
memory/1224-59-0x0000000000000000-mapping.dmp

Download
memory/1488-76-0x0000000000000000-mapping.dmp

Download
memory/1684-86-0x0000000000010000-0x00000000002BD000-memory.dmp

Filesize
2.7MB

Download
memory/1684-79-0x0000000000000000-mapping.dmp

Download
memory/1684-92-0x00000000004D0000-0x000000000050E000-memory.dmp

Filesize
248KB

Download
memory/1684-91-0x0000000000010000-0x00000000002BD000-memory.dmp

Filesize
2.7MB

Download
memory/1684-90-0x0000000000010000-0x00000000002BD000-memory.dmp

Filesize
2.7MB

Download
memory/1684-89-0x0000000000010000-0x00000000002BD000-memory.dmp

Filesize
2.7MB

Download
memory/1684-87-0x00000000004D0000-0x000000000050E000-memory.dmp

Filesize
248KB

Download
memory/1684-85-0x0000000000010000-0x00000000002BD000-memory.dmp

Filesize
2.7MB

Download
memory/1684-88-0x0000000000010000-0x00000000002BD000-memory.dmp

Filesize
2.7MB

Download
memory/1736-68-0x0000000000000000-mapping.dmp

Download
memory/1752-55-0x0000000000010000-0x00000000002BD000-memory.dmp

Filesize
2.7MB

Download
memory/1752-56-0x00000000004D0000-0x000000000050E000-memory.dmp

Filesize
248KB

Download
memory/1752-83-0x00000000004D0000-0x000000000050E000-memory.dmp

Filesize
248KB

Download
memory/1752-82-0x0000000000010000-0x00000000002BD000-memory.dmp

Filesize
2.7MB

Download
memory/1752-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download