modiloader | f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8

General

Target

f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe
Size

126KB
MD5

936fe9b34f4d62c71364e856c0d73932
SHA1

3a80904cf58d500dcc9d908468896f81d3dbe40a
SHA256

f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8
SHA512

cf6ab831ee38cb7ae12d8cb2cba2f3e286c4ab69e50681cf6dfa8a516434e672a7a2ee2e1ffdb6ad1b21b97224dc8a3df3bfb0aeaa6691ec1bd13677f41bb2dc
SSDEEP

3072:Fkq53FivSwHKT0Wph5fJINzEprvcaAnB4vM2m3DMUsrfxK:2q0vDHABh1q1OrkJnB4i2Tw

Score

10^/10

modiloader evasion trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1644-68-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-69-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/1644-70-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/848-54-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1644-58-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1644-60-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1644-61-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/848-64-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1644-65-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1644-67-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1644-68-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1644-69-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1644-70-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe

description	pid	process	target process
PID 848 set thread context of 1644	848	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1644	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe
Token: SeBackupPrivilege	1100	vssvc.exe
Token: SeRestorePrivilege	1100	vssvc.exe
Token: SeAuditPrivilege	1100	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe

pid process

848 f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe

pid	process
848	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe

description	pid	process	target process
PID 848 wrote to memory of 1644	848	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe
PID 848 wrote to memory of 1644	848	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe
PID 848 wrote to memory of 1644	848	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe
PID 848 wrote to memory of 1644	848	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe
PID 848 wrote to memory of 1644	848	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe
PID 848 wrote to memory of 1644	848	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe
PID 848 wrote to memory of 1644	848	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe
PID 848 wrote to memory of 1644	848	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe	f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe

C:\Users\Admin\AppData\Local\Temp\f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe
"C:\Users\Admin\AppData\Local\Temp\f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe
C:\Users\Admin\AppData\Local\Temp\f3686e1ceaedb3817c270fb1427bc864f06b71eb9de1a57e445d3ba162b9b5d8.exe
2⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/848-54-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/848-64-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1644-60-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1644-58-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1644-62-0x000000000044D000-mapping.dmp

Download
memory/1644-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1644-57-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1644-65-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1644-66-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1644-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1644-68-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1644-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1644-70-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads