modiloader | 9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f

Analysis

max time kernel
78s
max time network
135s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
Size

1.1MB
MD5

e0ddbb692436904c906cb1efbaddff07
SHA1

202674f003cc2a262a9f02521464084ce3a3177f
SHA256

9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f
SHA512

fbdd7bd21acd2e7ca7a3bff24adcc48b578e77bc4c7cf10c3a575bf53d70ec2b57b4ba82a56177cf15ff1a938a25640addd11edd030cc7d4c25be16929b800a7
SSDEEP

24576:fyP6j4ZCJ55Y3jVWdMB1hT96LQNWsJzvOUNMTJB0wA1TJez0:qkOzVNBDJ6LQVxoM1F

Score

10^/10

modiloader persistence trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.freehostia.com
Port:
21
Username:
gognov
Password:
8525825

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 10 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000122ef-67.dat	modiloader_stage2
behavioral1/files/0x000b0000000122ef-70.dat	modiloader_stage2
behavioral1/files/0x000b0000000122ef-68.dat	modiloader_stage2
behavioral1/files/0x000b0000000122ef-88.dat	modiloader_stage2
behavioral1/files/0x000800000001230e-89.dat	modiloader_stage2
behavioral1/files/0x000800000001230e-92.dat	modiloader_stage2
behavioral1/files/0x000800000001230e-94.dat	modiloader_stage2
behavioral1/files/0x000800000001230e-95.dat	modiloader_stage2
behavioral1/files/0x000800000001230e-96.dat	modiloader_stage2
behavioral1/files/0x000800000001230e-97.dat	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
540	key.exe
684	wininfo.exe
908	all.alawart.exe
1996	winupdate.exe

Loads dropped DLL 10 IoCs

pid	Process
1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
908	all.alawart.exe
540	key.exe
1996	winupdate.exe
1996	winupdate.exe
1996	winupdate.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EOLAEPODGDJEFIB = "C:\\Users\\Admin\\AppData\\Roaming\\wininfo.exe"	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Local\\winupdate.exe"	winupdate.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1484 set thread context of 1288	1484	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1996	winupdate.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	860	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	860	AUDIODG.EXE
Token: 33	860	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	860	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1484	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1288	1484	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	28
PID 1484 wrote to memory of 1288	1484	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	28
PID 1484 wrote to memory of 1288	1484	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	28
PID 1484 wrote to memory of 1288	1484	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	28
PID 1484 wrote to memory of 1288	1484	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	28
PID 1484 wrote to memory of 1288	1484	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	28
PID 1484 wrote to memory of 1288	1484	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	28
PID 1484 wrote to memory of 1288	1484	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	28
PID 1484 wrote to memory of 1288	1484	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	28
PID 1484 wrote to memory of 1288	1484	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	28
PID 1288 wrote to memory of 540	1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	29
PID 1288 wrote to memory of 540	1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	29
PID 1288 wrote to memory of 540	1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	29
PID 1288 wrote to memory of 540	1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	29
PID 1288 wrote to memory of 684	1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	30
PID 1288 wrote to memory of 684	1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	30
PID 1288 wrote to memory of 684	1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	30
PID 1288 wrote to memory of 684	1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	30
PID 1288 wrote to memory of 908	1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	31
PID 1288 wrote to memory of 908	1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	31
PID 1288 wrote to memory of 908	1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	31
PID 1288 wrote to memory of 908	1288	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	31
PID 540 wrote to memory of 1996	540	key.exe	34
PID 540 wrote to memory of 1996	540	key.exe	34
PID 540 wrote to memory of 1996	540	key.exe	34
PID 540 wrote to memory of 1996	540	key.exe	34
PID 540 wrote to memory of 1996	540	key.exe	34
PID 540 wrote to memory of 1996	540	key.exe	34
PID 540 wrote to memory of 1996	540	key.exe	34

C:\Users\Admin\AppData\Local\Temp\9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
"C:\Users\Admin\AppData\Local\Temp\9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
  C:\Users\Admin\AppData\Local\Temp\9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Users\Admin\AppData\Roaming\key.exe
    "C:\Users\Admin\AppData\Roaming\key.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Users\Admin\AppData\Local\winupdate.exe
      "C:\Users\Admin\AppData\Local\winupdate.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      PID:1996
- - C:\Users\Admin\AppData\Roaming\wininfo.exe
    "C:\Users\Admin\AppData\Roaming\wininfo.exe"
    3⤵
    - Executes dropped EXE
    PID:684
- - C:\Users\Admin\AppData\Local\Temp\all.alawart.exe
    "C:\Users\Admin\AppData\Local\Temp\all.alawart.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:908

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\all.alawart.exe

Filesize
999KB

MD5
edf08b7063419fdc1a7aa6014e724000

SHA1
3d94fa52ceac5c84b67eae18f9d2b996a1d657cd

SHA256
df8f191ff3dceeb4a28956569c820a8d34df4224e572de56a1668ec3d286a487

SHA512
b596dc46ba022b46769cbd397fef5c125896bbb71aa8fbefb5de471b9973216ac1e1e38834b9ea3c8e9e5d6c836fc62f68204a9d057c09af519025a794e4a5ea

Download Submit
C:\Users\Admin\AppData\Local\winupdate.exe

Filesize
60KB

MD5
9c2499bc5bebe3470adddbff74704520

SHA1
111f27e801ab10fa9e2af3ca30cc807ccbff6c12

SHA256
4971b575f76d8090c1eba707c12d7bfc368fa096e42d2ade7ad628b6a91cecb0

SHA512
fcf6a900a82dd02f18728b9c6a97750b6223d6c33856adcc05fd0bfaaa6da4f96ad84a81ab87d0c5c873d032c1c284a073e2986c674a0940ab8eb171ed33e245

Download Submit
C:\Users\Admin\AppData\Local\winupdate.exe

Filesize
60KB

MD5
9c2499bc5bebe3470adddbff74704520

SHA1
111f27e801ab10fa9e2af3ca30cc807ccbff6c12

SHA256
4971b575f76d8090c1eba707c12d7bfc368fa096e42d2ade7ad628b6a91cecb0

SHA512
fcf6a900a82dd02f18728b9c6a97750b6223d6c33856adcc05fd0bfaaa6da4f96ad84a81ab87d0c5c873d032c1c284a073e2986c674a0940ab8eb171ed33e245

Download Submit
C:\Users\Admin\AppData\Roaming\key.exe

Filesize
60KB

MD5
9c2499bc5bebe3470adddbff74704520

SHA1
111f27e801ab10fa9e2af3ca30cc807ccbff6c12

SHA256
4971b575f76d8090c1eba707c12d7bfc368fa096e42d2ade7ad628b6a91cecb0

SHA512
fcf6a900a82dd02f18728b9c6a97750b6223d6c33856adcc05fd0bfaaa6da4f96ad84a81ab87d0c5c873d032c1c284a073e2986c674a0940ab8eb171ed33e245

Download Submit
C:\Users\Admin\AppData\Roaming\key.exe

Filesize
60KB

MD5
9c2499bc5bebe3470adddbff74704520

SHA1
111f27e801ab10fa9e2af3ca30cc807ccbff6c12

SHA256
4971b575f76d8090c1eba707c12d7bfc368fa096e42d2ade7ad628b6a91cecb0

SHA512
fcf6a900a82dd02f18728b9c6a97750b6223d6c33856adcc05fd0bfaaa6da4f96ad84a81ab87d0c5c873d032c1c284a073e2986c674a0940ab8eb171ed33e245

Download Submit
C:\Users\Admin\AppData\Roaming\wininfo.exe

Filesize
16KB

MD5
ffbd72c1de47f0a64864161cad81d425

SHA1
d308404f5b8188efbcd5ee09894bdcaa18425984

SHA256
03b667dbb86b131046da7a4d8901a34d851a6ed71ace3d245fb66e3fb9f69684

SHA512
73961a147799733141de9463d9c889008cd358789778fe2c58e6b9297f39f2f8c082dcd11eabe1042a46149bbd08562c59123ce1805cf66bcef49bef1fb63fd3

Download Submit
\Users\Admin\AppData\Local\Temp\all.alawart.exe

Filesize
999KB

MD5
edf08b7063419fdc1a7aa6014e724000

SHA1
3d94fa52ceac5c84b67eae18f9d2b996a1d657cd

SHA256
df8f191ff3dceeb4a28956569c820a8d34df4224e572de56a1668ec3d286a487

SHA512
b596dc46ba022b46769cbd397fef5c125896bbb71aa8fbefb5de471b9973216ac1e1e38834b9ea3c8e9e5d6c836fc62f68204a9d057c09af519025a794e4a5ea

Download Submit
\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
9KB

MD5
780d14604d49e3c634200c523def8351

SHA1
e208ef6f421d2260070a9222f1f918f1de0a8eeb

SHA256
844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2

SHA512
a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

Download Submit
\Users\Admin\AppData\Local\winupdate.exe

Filesize
60KB

MD5
9c2499bc5bebe3470adddbff74704520

SHA1
111f27e801ab10fa9e2af3ca30cc807ccbff6c12

SHA256
4971b575f76d8090c1eba707c12d7bfc368fa096e42d2ade7ad628b6a91cecb0

SHA512
fcf6a900a82dd02f18728b9c6a97750b6223d6c33856adcc05fd0bfaaa6da4f96ad84a81ab87d0c5c873d032c1c284a073e2986c674a0940ab8eb171ed33e245

Download Submit
\Users\Admin\AppData\Local\winupdate.exe

Filesize
60KB

MD5
9c2499bc5bebe3470adddbff74704520

SHA1
111f27e801ab10fa9e2af3ca30cc807ccbff6c12

SHA256
4971b575f76d8090c1eba707c12d7bfc368fa096e42d2ade7ad628b6a91cecb0

SHA512
fcf6a900a82dd02f18728b9c6a97750b6223d6c33856adcc05fd0bfaaa6da4f96ad84a81ab87d0c5c873d032c1c284a073e2986c674a0940ab8eb171ed33e245

Download Submit
\Users\Admin\AppData\Local\winupdate.exe

Filesize
60KB

MD5
9c2499bc5bebe3470adddbff74704520

SHA1
111f27e801ab10fa9e2af3ca30cc807ccbff6c12

SHA256
4971b575f76d8090c1eba707c12d7bfc368fa096e42d2ade7ad628b6a91cecb0

SHA512
fcf6a900a82dd02f18728b9c6a97750b6223d6c33856adcc05fd0bfaaa6da4f96ad84a81ab87d0c5c873d032c1c284a073e2986c674a0940ab8eb171ed33e245

Download Submit
\Users\Admin\AppData\Local\winupdate.exe

Filesize
60KB

MD5
9c2499bc5bebe3470adddbff74704520

SHA1
111f27e801ab10fa9e2af3ca30cc807ccbff6c12

SHA256
4971b575f76d8090c1eba707c12d7bfc368fa096e42d2ade7ad628b6a91cecb0

SHA512
fcf6a900a82dd02f18728b9c6a97750b6223d6c33856adcc05fd0bfaaa6da4f96ad84a81ab87d0c5c873d032c1c284a073e2986c674a0940ab8eb171ed33e245

Download Submit
\Users\Admin\AppData\Roaming\key.exe

Filesize
60KB

MD5
9c2499bc5bebe3470adddbff74704520

SHA1
111f27e801ab10fa9e2af3ca30cc807ccbff6c12

SHA256
4971b575f76d8090c1eba707c12d7bfc368fa096e42d2ade7ad628b6a91cecb0

SHA512
fcf6a900a82dd02f18728b9c6a97750b6223d6c33856adcc05fd0bfaaa6da4f96ad84a81ab87d0c5c873d032c1c284a073e2986c674a0940ab8eb171ed33e245

Download Submit
\Users\Admin\AppData\Roaming\key.exe

Filesize
60KB

MD5
9c2499bc5bebe3470adddbff74704520

SHA1
111f27e801ab10fa9e2af3ca30cc807ccbff6c12

SHA256
4971b575f76d8090c1eba707c12d7bfc368fa096e42d2ade7ad628b6a91cecb0

SHA512
fcf6a900a82dd02f18728b9c6a97750b6223d6c33856adcc05fd0bfaaa6da4f96ad84a81ab87d0c5c873d032c1c284a073e2986c674a0940ab8eb171ed33e245

Download Submit
\Users\Admin\AppData\Roaming\wininfo.exe

Filesize
16KB

MD5
ffbd72c1de47f0a64864161cad81d425

SHA1
d308404f5b8188efbcd5ee09894bdcaa18425984

SHA256
03b667dbb86b131046da7a4d8901a34d851a6ed71ace3d245fb66e3fb9f69684

SHA512
73961a147799733141de9463d9c889008cd358789778fe2c58e6b9297f39f2f8c082dcd11eabe1042a46149bbd08562c59123ce1805cf66bcef49bef1fb63fd3

Download Submit
\Users\Admin\AppData\Roaming\wininfo.exe

Filesize
16KB

MD5
ffbd72c1de47f0a64864161cad81d425

SHA1
d308404f5b8188efbcd5ee09894bdcaa18425984

SHA256
03b667dbb86b131046da7a4d8901a34d851a6ed71ace3d245fb66e3fb9f69684

SHA512
73961a147799733141de9463d9c889008cd358789778fe2c58e6b9297f39f2f8c082dcd11eabe1042a46149bbd08562c59123ce1805cf66bcef49bef1fb63fd3

Download Submit
memory/684-86-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/908-90-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/908-82-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/908-84-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/908-85-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1288-65-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1288-66-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1288-56-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1288-80-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1288-62-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1288-60-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1288-59-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1288-58-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1288-57-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download