modiloader | 9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f

Analysis

max time kernel
302s
max time network
316s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
Size

1.1MB
MD5

e0ddbb692436904c906cb1efbaddff07
SHA1

202674f003cc2a262a9f02521464084ce3a3177f
SHA256

9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f
SHA512

fbdd7bd21acd2e7ca7a3bff24adcc48b578e77bc4c7cf10c3a575bf53d70ec2b57b4ba82a56177cf15ff1a938a25640addd11edd030cc7d4c25be16929b800a7
SSDEEP

24576:fyP6j4ZCJ55Y3jVWdMB1hT96LQNWsJzvOUNMTJB0wA1TJez0:qkOzVNBDJ6LQVxoM1F

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022dc4-140.dat	modiloader_stage2
behavioral2/files/0x0008000000022dc4-141.dat	modiloader_stage2
behavioral2/files/0x000d000000022ddb-158.dat	modiloader_stage2
behavioral2/files/0x000d000000022ddb-157.dat	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
4756	key.exe
2152	wininfo.exe
2004	all.alawart.exe
3480	winupdate.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	key.exe

Loads dropped DLL 1 IoCs

pid	Process
2004	all.alawart.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EOJGGJMBIHDMNGJ = "C:\\Users\\Admin\\AppData\\Roaming\\wininfo.exe"	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Local\\winupdate.exe"	winupdate.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 3376	2432	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1440	2152	WerFault.exe	86

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3480	winupdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2432	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 3376	2432	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	82
PID 2432 wrote to memory of 3376	2432	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	82
PID 2432 wrote to memory of 3376	2432	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	82
PID 2432 wrote to memory of 3376	2432	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	82
PID 2432 wrote to memory of 3376	2432	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	82
PID 2432 wrote to memory of 3376	2432	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	82
PID 2432 wrote to memory of 3376	2432	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	82
PID 2432 wrote to memory of 3376	2432	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	82
PID 2432 wrote to memory of 3376	2432	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	82
PID 3376 wrote to memory of 4756	3376	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	85
PID 3376 wrote to memory of 4756	3376	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	85
PID 3376 wrote to memory of 4756	3376	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	85
PID 3376 wrote to memory of 2152	3376	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	86
PID 3376 wrote to memory of 2152	3376	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	86
PID 3376 wrote to memory of 2152	3376	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	86
PID 3376 wrote to memory of 2004	3376	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	88
PID 3376 wrote to memory of 2004	3376	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	88
PID 3376 wrote to memory of 2004	3376	9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe	88
PID 4756 wrote to memory of 3480	4756	key.exe	91
PID 4756 wrote to memory of 3480	4756	key.exe	91
PID 4756 wrote to memory of 3480	4756	key.exe	91

C:\Users\Admin\AppData\Local\Temp\9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
"C:\Users\Admin\AppData\Local\Temp\9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
  C:\Users\Admin\AppData\Local\Temp\9a66f675b5bb95acd4d7d87370e493db283f89fda927cab337a2d73453f44f5f.exe
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Users\Admin\AppData\Roaming\key.exe
    "C:\Users\Admin\AppData\Roaming\key.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Users\Admin\AppData\Local\winupdate.exe
      "C:\Users\Admin\AppData\Local\winupdate.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      PID:3480
- - C:\Users\Admin\AppData\Roaming\wininfo.exe
    "C:\Users\Admin\AppData\Roaming\wininfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 264
      4⤵
      Program crash
      PID:1440
- - C:\Users\Admin\AppData\Local\Temp\all.alawart.exe
    "C:\Users\Admin\AppData\Local\Temp\all.alawart.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2152 -ip 2152
1⤵
PID:2600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\all.alawart.exe

Filesize
999KB

MD5
edf08b7063419fdc1a7aa6014e724000

SHA1
3d94fa52ceac5c84b67eae18f9d2b996a1d657cd

SHA256
df8f191ff3dceeb4a28956569c820a8d34df4224e572de56a1668ec3d286a487

SHA512
b596dc46ba022b46769cbd397fef5c125896bbb71aa8fbefb5de471b9973216ac1e1e38834b9ea3c8e9e5d6c836fc62f68204a9d057c09af519025a794e4a5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\all.alawart.exe

Filesize
999KB

MD5
edf08b7063419fdc1a7aa6014e724000

SHA1
3d94fa52ceac5c84b67eae18f9d2b996a1d657cd

SHA256
df8f191ff3dceeb4a28956569c820a8d34df4224e572de56a1668ec3d286a487

SHA512
b596dc46ba022b46769cbd397fef5c125896bbb71aa8fbefb5de471b9973216ac1e1e38834b9ea3c8e9e5d6c836fc62f68204a9d057c09af519025a794e4a5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
9KB

MD5
780d14604d49e3c634200c523def8351

SHA1
e208ef6f421d2260070a9222f1f918f1de0a8eeb

SHA256
844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2

SHA512
a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

Download Submit
C:\Users\Admin\AppData\Local\winupdate.exe

Filesize
60KB

MD5
9c2499bc5bebe3470adddbff74704520

SHA1
111f27e801ab10fa9e2af3ca30cc807ccbff6c12

SHA256
4971b575f76d8090c1eba707c12d7bfc368fa096e42d2ade7ad628b6a91cecb0

SHA512
fcf6a900a82dd02f18728b9c6a97750b6223d6c33856adcc05fd0bfaaa6da4f96ad84a81ab87d0c5c873d032c1c284a073e2986c674a0940ab8eb171ed33e245

Download Submit
C:\Users\Admin\AppData\Local\winupdate.exe

Filesize
60KB

MD5
9c2499bc5bebe3470adddbff74704520

SHA1
111f27e801ab10fa9e2af3ca30cc807ccbff6c12

SHA256
4971b575f76d8090c1eba707c12d7bfc368fa096e42d2ade7ad628b6a91cecb0

SHA512
fcf6a900a82dd02f18728b9c6a97750b6223d6c33856adcc05fd0bfaaa6da4f96ad84a81ab87d0c5c873d032c1c284a073e2986c674a0940ab8eb171ed33e245

Download Submit
C:\Users\Admin\AppData\Roaming\key.exe

Filesize
60KB

MD5
9c2499bc5bebe3470adddbff74704520

SHA1
111f27e801ab10fa9e2af3ca30cc807ccbff6c12

SHA256
4971b575f76d8090c1eba707c12d7bfc368fa096e42d2ade7ad628b6a91cecb0

SHA512
fcf6a900a82dd02f18728b9c6a97750b6223d6c33856adcc05fd0bfaaa6da4f96ad84a81ab87d0c5c873d032c1c284a073e2986c674a0940ab8eb171ed33e245

Download Submit
C:\Users\Admin\AppData\Roaming\key.exe

Filesize
60KB

MD5
9c2499bc5bebe3470adddbff74704520

SHA1
111f27e801ab10fa9e2af3ca30cc807ccbff6c12

SHA256
4971b575f76d8090c1eba707c12d7bfc368fa096e42d2ade7ad628b6a91cecb0

SHA512
fcf6a900a82dd02f18728b9c6a97750b6223d6c33856adcc05fd0bfaaa6da4f96ad84a81ab87d0c5c873d032c1c284a073e2986c674a0940ab8eb171ed33e245

Download Submit
C:\Users\Admin\AppData\Roaming\wininfo.exe

Filesize
16KB

MD5
ffbd72c1de47f0a64864161cad81d425

SHA1
d308404f5b8188efbcd5ee09894bdcaa18425984

SHA256
03b667dbb86b131046da7a4d8901a34d851a6ed71ace3d245fb66e3fb9f69684

SHA512
73961a147799733141de9463d9c889008cd358789778fe2c58e6b9297f39f2f8c082dcd11eabe1042a46149bbd08562c59123ce1805cf66bcef49bef1fb63fd3

Download Submit
C:\Users\Admin\AppData\Roaming\wininfo.exe

Filesize
16KB

MD5
ffbd72c1de47f0a64864161cad81d425

SHA1
d308404f5b8188efbcd5ee09894bdcaa18425984

SHA256
03b667dbb86b131046da7a4d8901a34d851a6ed71ace3d245fb66e3fb9f69684

SHA512
73961a147799733141de9463d9c889008cd358789778fe2c58e6b9297f39f2f8c082dcd11eabe1042a46149bbd08562c59123ce1805cf66bcef49bef1fb63fd3

Download Submit
memory/2004-154-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2004-153-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2004-159-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2004-149-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2004-151-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2152-152-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3376-148-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3376-138-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3376-137-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3376-135-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download