modiloader | 9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe
Size

388KB
MD5

c7c3b1dfc231e192d1886d682ff941ca
SHA1

6b3e0ad82026e25bd60a9b71fef5b67396696320
SHA256

9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e
SHA512

f930640e2acc12aba970f8ab56a87f1ab613569d1d3a0c24b2f4c5265533edffc795a5614f821ec9d7406f5905fef6c5878997e2aa43234a09d18a3b5864fe08
SSDEEP

6144:7bOAmC045lY0Z79BZb4SCnG35g6N0QJpvJGEGOKPbXl9X0J0qOxl4FBBb86:RmC08W+9BZb3p32qX3v4EAVGeJ4Fd

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe ZReload.scr"	csrss.exe

ModiLoader Second Stage 9 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000122f9-54.dat	modiloader_stage2
behavioral1/memory/2024-60-0x0000000000010000-0x0000000000077A4C-memory.dmp	modiloader_stage2
behavioral1/memory/988-65-0x0000000007FF0000-0x0000000008097000-memory.dmp	modiloader_stage2
behavioral1/memory/988-72-0x0000000007FF0000-0x0000000008097000-memory.dmp	modiloader_stage2
behavioral1/files/0x000b0000000122f9-71.dat	modiloader_stage2
behavioral1/files/0x000b0000000122f9-73.dat	modiloader_stage2
behavioral1/memory/560-80-0x0000000000010000-0x0000000000077A4C-memory.dmp	modiloader_stage2
behavioral1/memory/1080-87-0x0000000007FF0000-0x0000000008097000-memory.dmp	modiloader_stage2
behavioral1/memory/1080-88-0x0000000007FF0000-0x0000000008097000-memory.dmp	modiloader_stage2

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\services.exe	csrss.exe

Executes dropped EXE 3 IoCs

pid	Process
560	csrss.exe
1080	csrss.exe
336	services.exe

Loads dropped DLL 4 IoCs

pid	Process
2024	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe
560	csrss.exe
1080	csrss.exe
1080	csrss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zreload.scr	csrss.exe
File opened for modification	C:\Windows\SysWOW64\ZReload.scr	csrss.exe
File created	C:\Windows\SysWOW64\rlog.dllx	csrss.exe
File created	C:\Windows\SysWOW64\ZReload.scrx	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 988	2024	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	27
PID 560 set thread context of 1080	560	csrss.exe	31

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\csrss.exe	csrss.exe
File created	C:\Windows\csrss.exe	cmd.exe
File opened for modification	C:\Windows\csrss.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 988	2024	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	27
PID 2024 wrote to memory of 988	2024	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	27
PID 2024 wrote to memory of 988	2024	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	27
PID 2024 wrote to memory of 988	2024	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	27
PID 2024 wrote to memory of 988	2024	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	27
PID 2024 wrote to memory of 988	2024	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	27
PID 988 wrote to memory of 1552	988	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	28
PID 988 wrote to memory of 1552	988	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	28
PID 988 wrote to memory of 1552	988	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	28
PID 988 wrote to memory of 1552	988	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	28
PID 988 wrote to memory of 560	988	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	30
PID 988 wrote to memory of 560	988	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	30
PID 988 wrote to memory of 560	988	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	30
PID 988 wrote to memory of 560	988	9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe	30
PID 560 wrote to memory of 1080	560	csrss.exe	31
PID 560 wrote to memory of 1080	560	csrss.exe	31
PID 560 wrote to memory of 1080	560	csrss.exe	31
PID 560 wrote to memory of 1080	560	csrss.exe	31
PID 560 wrote to memory of 1080	560	csrss.exe	31
PID 560 wrote to memory of 1080	560	csrss.exe	31
PID 1080 wrote to memory of 336	1080	csrss.exe	32
PID 1080 wrote to memory of 336	1080	csrss.exe	32
PID 1080 wrote to memory of 336	1080	csrss.exe	32
PID 1080 wrote to memory of 336	1080	csrss.exe	32

C:\Users\Admin\AppData\Local\Temp\9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe
"C:\Users\Admin\AppData\Local\Temp\9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe
  C:\Users\Admin\AppData\Local\Temp\9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy "C:\Users\Admin\AppData\Local\Temp\9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e.exe" "C:\Windows\csrss.exe"
    3⤵
    - Drops file in Windows directory
    PID:1552
- - C:\Windows\csrss.exe
    "C:\Windows\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\csrss.exe
      C:\Windows\csrss.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Windows\SysWOW64\drivers\services.exe
        
        C:\Windows\system32\drivers\services.exe
        5⤵
        Executes dropped EXE
        
        PID:336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kacir.bin

Filesize
10KB

MD5
ddb56c87d10647289236f9fe752d80cd

SHA1
e698b332a1a05bab72eb9f8f25d7e98314ae0124

SHA256
bd2e3f399610c873da9bc27204024524f481b10a22947193f6558246f05fae15

SHA512
c97e78ca6562a285270966b4af35e5103b8b9005a9c0b7c741cb58b941ab18ce2a6894c06087c0e7e0adae0a36113609583dbdc99a803dba0c63fbe3a768998c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kacir.dll

Filesize
19KB

MD5
dda37de6068ad16771e3a6464bb8778b

SHA1
903317703bfcd07e9bea7246920de98916017e08

SHA256
e5fa2290f69a152c53dec772142ddb3d4c04cb2ee25ad05b0ec97ab202361f11

SHA512
1d38ba967b34c6d48b8048bf282484bc6c8d6f3644a127a8102d3edbcf5dd854744da7e8f15b10b93b6124db634a7c891c1c175fca8a7b2e6810fc204132ea05

Download Submit
C:\Windows\SysWOW64\drivers\services.exe

Filesize
25KB

MD5
17756e0726830df0897875a03d3a5067

SHA1
af7783012872089b9a4a9c78daa3eefff12f5e04

SHA256
445a24c80b4a85b7efcedd6f75062f317f1c8c6a97cd51dfc3d861909e2e79d3

SHA512
2230b77de5d9142254514268c6c23f933bf78a90e15f75de1041828db54616fbb0fcf66b5f3d7bf06a0a5c3474fc040ff25ff582c89de076e17fa16b441b135e

Download Submit
C:\Windows\csrss.exe

Filesize
388KB

MD5
c7c3b1dfc231e192d1886d682ff941ca

SHA1
6b3e0ad82026e25bd60a9b71fef5b67396696320

SHA256
9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e

SHA512
f930640e2acc12aba970f8ab56a87f1ab613569d1d3a0c24b2f4c5265533edffc795a5614f821ec9d7406f5905fef6c5878997e2aa43234a09d18a3b5864fe08

Download Submit
C:\Windows\csrss.exe

Filesize
388KB

MD5
c7c3b1dfc231e192d1886d682ff941ca

SHA1
6b3e0ad82026e25bd60a9b71fef5b67396696320

SHA256
9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e

SHA512
f930640e2acc12aba970f8ab56a87f1ab613569d1d3a0c24b2f4c5265533edffc795a5614f821ec9d7406f5905fef6c5878997e2aa43234a09d18a3b5864fe08

Download Submit
C:\Windows\csrss.exe

Filesize
388KB

MD5
c7c3b1dfc231e192d1886d682ff941ca

SHA1
6b3e0ad82026e25bd60a9b71fef5b67396696320

SHA256
9d0d64f0f7ae03a45d4c2e914f1dd6ebd79a0701ef2dd38cabbffd53b3d48b8e

SHA512
f930640e2acc12aba970f8ab56a87f1ab613569d1d3a0c24b2f4c5265533edffc795a5614f821ec9d7406f5905fef6c5878997e2aa43234a09d18a3b5864fe08

Download Submit
\Users\Admin\AppData\Local\Temp\kacir.dll

Filesize
19KB

MD5
dda37de6068ad16771e3a6464bb8778b

SHA1
903317703bfcd07e9bea7246920de98916017e08

SHA256
e5fa2290f69a152c53dec772142ddb3d4c04cb2ee25ad05b0ec97ab202361f11

SHA512
1d38ba967b34c6d48b8048bf282484bc6c8d6f3644a127a8102d3edbcf5dd854744da7e8f15b10b93b6124db634a7c891c1c175fca8a7b2e6810fc204132ea05

Download Submit
\Users\Admin\AppData\Local\Temp\kacir.dll

Filesize
19KB

MD5
dda37de6068ad16771e3a6464bb8778b

SHA1
903317703bfcd07e9bea7246920de98916017e08

SHA256
e5fa2290f69a152c53dec772142ddb3d4c04cb2ee25ad05b0ec97ab202361f11

SHA512
1d38ba967b34c6d48b8048bf282484bc6c8d6f3644a127a8102d3edbcf5dd854744da7e8f15b10b93b6124db634a7c891c1c175fca8a7b2e6810fc204132ea05

Download Submit
\Windows\SysWOW64\drivers\services.exe

Filesize
25KB

MD5
17756e0726830df0897875a03d3a5067

SHA1
af7783012872089b9a4a9c78daa3eefff12f5e04

SHA256
445a24c80b4a85b7efcedd6f75062f317f1c8c6a97cd51dfc3d861909e2e79d3

SHA512
2230b77de5d9142254514268c6c23f933bf78a90e15f75de1041828db54616fbb0fcf66b5f3d7bf06a0a5c3474fc040ff25ff582c89de076e17fa16b441b135e

Download Submit
\Windows\SysWOW64\drivers\services.exe

Filesize
25KB

MD5
17756e0726830df0897875a03d3a5067

SHA1
af7783012872089b9a4a9c78daa3eefff12f5e04

SHA256
445a24c80b4a85b7efcedd6f75062f317f1c8c6a97cd51dfc3d861909e2e79d3

SHA512
2230b77de5d9142254514268c6c23f933bf78a90e15f75de1041828db54616fbb0fcf66b5f3d7bf06a0a5c3474fc040ff25ff582c89de076e17fa16b441b135e

Download Submit
memory/560-80-0x0000000000010000-0x0000000000077A4C-memory.dmp

Filesize
414KB

Download
memory/988-61-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/988-57-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/988-64-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/988-55-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/988-62-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/988-66-0x0000000000010000-0x0000000000077A4C-memory.dmp

Filesize
414KB

Download
memory/988-65-0x0000000007FF0000-0x0000000008097000-memory.dmp

Filesize
668KB

Download
memory/988-72-0x0000000007FF0000-0x0000000008097000-memory.dmp

Filesize
668KB

Download
memory/1080-87-0x0000000007FF0000-0x0000000008097000-memory.dmp

Filesize
668KB

Download
memory/1080-88-0x0000000007FF0000-0x0000000008097000-memory.dmp

Filesize
668KB

Download
memory/2024-60-0x0000000000010000-0x0000000000077A4C-memory.dmp

Filesize
414KB

Download