modiloader | 2524dd7b060afa72aac7977cd26245284516c6cb466c356cea97fd044b66e1be

General

Target

2524dd7b060afa72aac7977cd26245284516c6cb466c356cea97fd044b66e1be.exe
Size

275KB
MD5

7846ae94d06ac0dce5de1dd7f95280bd
SHA1

31149e1825d6defec696dc4a1d2e8dcb6dd23b9c
SHA256

2524dd7b060afa72aac7977cd26245284516c6cb466c356cea97fd044b66e1be
SHA512

a545b62a239451d8c6b331fad924ad469fd6e451f46207c75acce9ba8221e3906984696f82d0cbafbc548be85c9f401a5e085d67c2264b9ef006740039f01981
SSDEEP

6144:2+ft09BZRn01/EjRmH4mm1cECD+p1H/j+8jZ7rvaU3+mWrWnvoSI:Dfe9TRno/EjRq4m6TnH/j+eFzFJoSI

Score

10^/10

modiloader evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/1480-71-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/1312-74-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/1312-75-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
1480	prova.exe
1312	mstwain32.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001b00000001249b-58.dat	upx
behavioral1/files/0x001b00000001249b-59.dat	upx
behavioral1/files/0x001b00000001249b-61.dat	upx
behavioral1/memory/1480-63-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/files/0x001b00000001249b-65.dat	upx
behavioral1/files/0x001b00000001249b-66.dat	upx
behavioral1/files/0x0008000000012738-68.dat	upx
behavioral1/memory/1480-71-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1312-74-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1312-75-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
1120	2524dd7b060afa72aac7977cd26245284516c6cb466c356cea97fd044b66e1be.exe
1120	2524dd7b060afa72aac7977cd26245284516c6cb466c356cea97fd044b66e1be.exe
1480	prova.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	mstwain32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prova.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\mstwain32.exe	prova.exe
File opened for modification	C:\Windows\mstwain32.exe	prova.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	prova.exe
Token: SeDebugPrivilege	1312	mstwain32.exe
Token: SeDebugPrivilege	1312	mstwain32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1092	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1120	2524dd7b060afa72aac7977cd26245284516c6cb466c356cea97fd044b66e1be.exe
1312	mstwain32.exe
1312	mstwain32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1480	1120	2524dd7b060afa72aac7977cd26245284516c6cb466c356cea97fd044b66e1be.exe	29
PID 1120 wrote to memory of 1480	1120	2524dd7b060afa72aac7977cd26245284516c6cb466c356cea97fd044b66e1be.exe	29
PID 1120 wrote to memory of 1480	1120	2524dd7b060afa72aac7977cd26245284516c6cb466c356cea97fd044b66e1be.exe	29
PID 1120 wrote to memory of 1480	1120	2524dd7b060afa72aac7977cd26245284516c6cb466c356cea97fd044b66e1be.exe	29
PID 1480 wrote to memory of 1312	1480	prova.exe	30
PID 1480 wrote to memory of 1312	1480	prova.exe	30
PID 1480 wrote to memory of 1312	1480	prova.exe	30
PID 1480 wrote to memory of 1312	1480	prova.exe	30

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\2524dd7b060afa72aac7977cd26245284516c6cb466c356cea97fd044b66e1be.exe
"C:\Users\Admin\AppData\Local\Temp\2524dd7b060afa72aac7977cd26245284516c6cb466c356cea97fd044b66e1be.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\prova.exe
  "C:\Users\Admin\AppData\Local\Temp\prova.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1312

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\brutto.jpg

Filesize
154KB

MD5
3846290d25261163987984a529a57972

SHA1
5d900bc8252b7c5cbc8d7109129c07c7b5d84364

SHA256
aa0a89a4a575457b4b663aa6f1a03e46b1b0ae91dfbec9fbe3c68e02d3ee7bde

SHA512
25291ab73188de6baff0ef681228dcebacd7d5e41e00f4661b0413cf78c8544926e0fe8d26c2b512a789279f7dd072d59183fcab216a3542ba8b67ac07565e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\prova.exe

Filesize
109KB

MD5
318561dfbba844f4c0d2e9a11178e861

SHA1
7fa527d313f1ba598a79e54af6b9ea1f0a3a8f2d

SHA256
b0324e5e2535c6671ce22d4f0fcf5071a0c07ffd14d96ac712ca1f6e6dbd412d

SHA512
dfefc883257830894390dd4010b2a760507992831bc2525f898e8036b00e6f73a727cf8c256c70b273888000844f39a5c50004c226f3d704648f83e12e95edfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\prova.exe

Filesize
109KB

MD5
318561dfbba844f4c0d2e9a11178e861

SHA1
7fa527d313f1ba598a79e54af6b9ea1f0a3a8f2d

SHA256
b0324e5e2535c6671ce22d4f0fcf5071a0c07ffd14d96ac712ca1f6e6dbd412d

SHA512
dfefc883257830894390dd4010b2a760507992831bc2525f898e8036b00e6f73a727cf8c256c70b273888000844f39a5c50004c226f3d704648f83e12e95edfd

Download Submit
C:\Windows\mstwain32.exe

Filesize
109KB

MD5
318561dfbba844f4c0d2e9a11178e861

SHA1
7fa527d313f1ba598a79e54af6b9ea1f0a3a8f2d

SHA256
b0324e5e2535c6671ce22d4f0fcf5071a0c07ffd14d96ac712ca1f6e6dbd412d

SHA512
dfefc883257830894390dd4010b2a760507992831bc2525f898e8036b00e6f73a727cf8c256c70b273888000844f39a5c50004c226f3d704648f83e12e95edfd

Download Submit
\Users\Admin\AppData\Local\Temp\prova.exe

Filesize
109KB

MD5
318561dfbba844f4c0d2e9a11178e861

SHA1
7fa527d313f1ba598a79e54af6b9ea1f0a3a8f2d

SHA256
b0324e5e2535c6671ce22d4f0fcf5071a0c07ffd14d96ac712ca1f6e6dbd412d

SHA512
dfefc883257830894390dd4010b2a760507992831bc2525f898e8036b00e6f73a727cf8c256c70b273888000844f39a5c50004c226f3d704648f83e12e95edfd

Download Submit
\Users\Admin\AppData\Local\Temp\prova.exe

Filesize
109KB

MD5
318561dfbba844f4c0d2e9a11178e861

SHA1
7fa527d313f1ba598a79e54af6b9ea1f0a3a8f2d

SHA256
b0324e5e2535c6671ce22d4f0fcf5071a0c07ffd14d96ac712ca1f6e6dbd412d

SHA512
dfefc883257830894390dd4010b2a760507992831bc2525f898e8036b00e6f73a727cf8c256c70b273888000844f39a5c50004c226f3d704648f83e12e95edfd

Download Submit
\Users\Admin\AppData\Local\Temp\prova.exe

Filesize
109KB

MD5
318561dfbba844f4c0d2e9a11178e861

SHA1
7fa527d313f1ba598a79e54af6b9ea1f0a3a8f2d

SHA256
b0324e5e2535c6671ce22d4f0fcf5071a0c07ffd14d96ac712ca1f6e6dbd412d

SHA512
dfefc883257830894390dd4010b2a760507992831bc2525f898e8036b00e6f73a727cf8c256c70b273888000844f39a5c50004c226f3d704648f83e12e95edfd

Download Submit
memory/1120-56-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1120-62-0x0000000002650000-0x00000000026A0000-memory.dmp

Filesize
320KB

Download
memory/1312-73-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/1312-74-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1312-75-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1480-63-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1480-70-0x00000000003F0000-0x00000000003FD000-memory.dmp

Filesize
52KB

Download
memory/1480-71-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads