modiloader | 98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381

General

Target

98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe
Size

159KB
MD5

cd602e1d9ed9af0f1d5c60b8e6598bfe
SHA1

b2f7534835fb48b5feb390c1ec5b2e9acf8fe578
SHA256

98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381
SHA512

6aa30d18cb7ffdf8f919b722d9e151b93f7b6f4d1d9a7003669b9aaca67c8539110249930d30d6319340959b3d812165992741187b66a24393c7784c077ace89
SSDEEP

3072:dRGEbqzPvmGEbqzHxsbE7IjXDNAiBs1SsVF9ylfPOlOqivfkr:XGkqzWGkqzHxsbEAXZTqVaOUqn

Score

10^/10

modiloader evasion trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5016-140-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5016-141-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

Ýp Ýle Hack2.exeÝp Ýle Hack2.exe

pid process

4824 Ýp Ýle Hack2.exe
5016 Ýp Ýle Hack2.exe

pid	process
4824	Ýp Ýle Hack2.exe
5016	Ýp Ýle Hack2.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5016-136-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5016-139-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5016-140-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5016-141-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Ýp Ýle Hack2.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Ýp Ýle Hack2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ýp Ýle Hack2.exe

description pid process target process

PID 4824 set thread context of 5016 4824 Ýp Ýle Hack2.exe Ýp Ýle Hack2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Ýp Ýle Hack2.exe

description pid process

Token: SeDebugPrivilege 5016 Ýp Ýle Hack2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ýp Ýle Hack2.exe

description	pid	process	target process
PID 4824 set thread context of 5016	4824	Ýp Ýle Hack2.exe	Ýp Ýle Hack2.exe

description	pid	process
Token: SeDebugPrivilege	5016	Ýp Ýle Hack2.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exeÝp Ýle Hack2.exe

description	pid	process	target process
PID 4828 wrote to memory of 4824	4828	98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe	Ýp Ýle Hack2.exe
PID 4828 wrote to memory of 4824	4828	98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe	Ýp Ýle Hack2.exe
PID 4828 wrote to memory of 4824	4828	98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe	Ýp Ýle Hack2.exe
PID 4824 wrote to memory of 5016	4824	Ýp Ýle Hack2.exe	Ýp Ýle Hack2.exe
PID 4824 wrote to memory of 5016	4824	Ýp Ýle Hack2.exe	Ýp Ýle Hack2.exe
PID 4824 wrote to memory of 5016	4824	Ýp Ýle Hack2.exe	Ýp Ýle Hack2.exe
PID 4824 wrote to memory of 5016	4824	Ýp Ýle Hack2.exe	Ýp Ýle Hack2.exe
PID 4824 wrote to memory of 5016	4824	Ýp Ýle Hack2.exe	Ýp Ýle Hack2.exe

C:\Users\Admin\AppData\Local\Temp\98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe
"C:\Users\Admin\AppData\Local\Temp\98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\Ýp Ýle Hack2.exe
"C:\Users\Admin\AppData\Local\Temp\Ýp Ýle Hack2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Local\Temp\Ýp Ýle Hack2.exe
"C:\Users\Admin\AppData\Local\Temp\Ýp Ýle Hack2.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ýp Ýle Hack2.exe
Filesize
136KB

MD5
0febcb4623c2a7de1a4a68801f273942

SHA1
7b5ad4f08cbf79995b6df3ee3ed33efc6b002111

SHA256
d9505c381011d0c35192cafc9ce01de657d13e64a0fe5f1fddfced86a00cc4fe

SHA512
e1b1ae8b59ce5752fb89ded450d2c50201321ecea71415b70378d396bd76bce6db77d778768325a6268c91543b4c581dc9e5e31d8b09bddd4356cafdd3243225

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ýp Ýle Hack2.exe
Filesize
136KB

MD5
0febcb4623c2a7de1a4a68801f273942

SHA1
7b5ad4f08cbf79995b6df3ee3ed33efc6b002111

SHA256
d9505c381011d0c35192cafc9ce01de657d13e64a0fe5f1fddfced86a00cc4fe

SHA512
e1b1ae8b59ce5752fb89ded450d2c50201321ecea71415b70378d396bd76bce6db77d778768325a6268c91543b4c581dc9e5e31d8b09bddd4356cafdd3243225

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ýp Ýle Hack2.exe
Filesize
136KB

MD5
0febcb4623c2a7de1a4a68801f273942

SHA1
7b5ad4f08cbf79995b6df3ee3ed33efc6b002111

SHA256
d9505c381011d0c35192cafc9ce01de657d13e64a0fe5f1fddfced86a00cc4fe

SHA512
e1b1ae8b59ce5752fb89ded450d2c50201321ecea71415b70378d396bd76bce6db77d778768325a6268c91543b4c581dc9e5e31d8b09bddd4356cafdd3243225

Download Submit
memory/4824-132-0x0000000000000000-mapping.dmp

Download
memory/5016-135-0x0000000000000000-mapping.dmp

Download
memory/5016-136-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5016-139-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5016-140-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5016-141-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads