modiloader | fef960655534cc3074d51cf9323698e9c5dc9d4bba52de6b414b1727d29d997a

Analysis

max time kernel
176s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
16-02-2023 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order confirmation proforma Invoice.exe
Size

884KB
MD5

083de0a909532eb3348578a7beb95bca
SHA1

29e83783b3fe5a4e483dec157141f066a6af7026
SHA256

fdff6b98ec2be3abdd05531d36bc50d514d449dc6f753fb6aa8d4657e5669828
SHA512

5c599d3d780886f2b259fd457c976833a6fb3b48e870fda1a58271637cfeda6cbaeae5a2fbb6308496477d6e6fffd9e6f910860b6dda8e7f44c880fd97a3a932
SSDEEP

12288:Cb8A+lyMML0gN55kXFyqf0bGBvGoE3IhAf1nAhglR:C4ZzML0gN5WXFaK9GoEHf1nAhglR

Score

10^/10

modiloader xloader euv4 loader persistence rat trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

euv4

Decoy

anniebapartments.com

hagenbicycles.com

herbalist101.com

southerncorrosion.net

kuechenpruefer.com

tajniezdrzi.quest

segurofunerarioar.com

boardsandbeamsdecor.com

alifdanismanlik.com

pkem.top

mddc.clinic

handejqr.com

crux-at.com

awp.email

hugsforbubbs.com

cielotherepy.com

turkcuyuz.com

teamidc.com

lankasirinspa.com

68135.online

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/516-132-0x0000000000A10000-0x0000000000A3C000-memory.dmp	modiloader_stage2

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/516-158-0x0000000010410000-0x0000000010439000-memory.dmp	xloader
behavioral2/memory/5032-164-0x0000000010410000-0x0000000010439000-memory.dmp	xloader
behavioral2/memory/3676-167-0x0000000000800000-0x0000000000829000-memory.dmp	xloader
behavioral2/memory/3676-172-0x0000000000800000-0x0000000000829000-memory.dmp	xloader

Executes dropped EXE 1 IoCs

Processes:

easinvoker.exe

pid process

3396 easinvoker.exe
Loads dropped DLL 1 IoCs

Processes:

easinvoker.exe

pid process

3396 easinvoker.exe

pid	process
3396	easinvoker.exe

pid	process
3396	easinvoker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Order confirmation proforma Invoice.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Itfzmikw = "C:\\Users\\Public\\Libraries\\wkimzftI.url"	Order confirmation proforma Invoice.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

iexpress.exemsdt.exe

description	pid	process	target process
PID 5032 set thread context of 700	5032	iexpress.exe	Explorer.EXE
PID 3676 set thread context of 700	3676	msdt.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3736 PING.EXE

pid	process
3736	PING.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

powershell.exeOrder confirmation proforma Invoice.exeiexpress.exemsdt.exe

pid	process
892	powershell.exe
892	powershell.exe
516	Order confirmation proforma Invoice.exe
516	Order confirmation proforma Invoice.exe
5032	iexpress.exe
5032	iexpress.exe
5032	iexpress.exe
5032	iexpress.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe
3676	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

700 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

iexpress.exemsdt.exe

pid process

5032 iexpress.exe
5032 iexpress.exe
5032 iexpress.exe
3676 msdt.exe
3676 msdt.exe

pid	process
700	Explorer.EXE

pid	process
5032	iexpress.exe
5032	iexpress.exe
5032	iexpress.exe
3676	msdt.exe
3676	msdt.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeiexpress.exeExplorer.EXEmsdt.exe

description	pid	process
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	5032	iexpress.exe
Token: SeShutdownPrivilege	700	Explorer.EXE
Token: SeCreatePagefilePrivilege	700	Explorer.EXE
Token: SeShutdownPrivilege	700	Explorer.EXE
Token: SeCreatePagefilePrivilege	700	Explorer.EXE
Token: SeDebugPrivilege	3676	msdt.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

Order confirmation proforma Invoice.execmd.exeeasinvoker.execmd.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 516 wrote to memory of 708	516	Order confirmation proforma Invoice.exe	cmd.exe
PID 516 wrote to memory of 708	516	Order confirmation proforma Invoice.exe	cmd.exe
PID 516 wrote to memory of 708	516	Order confirmation proforma Invoice.exe	cmd.exe
PID 708 wrote to memory of 2532	708	cmd.exe	cmd.exe
PID 708 wrote to memory of 2532	708	cmd.exe	cmd.exe
PID 708 wrote to memory of 2532	708	cmd.exe	cmd.exe
PID 708 wrote to memory of 4784	708	cmd.exe	xcopy.exe
PID 708 wrote to memory of 4784	708	cmd.exe	xcopy.exe
PID 708 wrote to memory of 4784	708	cmd.exe	xcopy.exe
PID 708 wrote to memory of 4432	708	cmd.exe	cmd.exe
PID 708 wrote to memory of 4432	708	cmd.exe	cmd.exe
PID 708 wrote to memory of 4432	708	cmd.exe	cmd.exe
PID 708 wrote to memory of 4844	708	cmd.exe	xcopy.exe
PID 708 wrote to memory of 4844	708	cmd.exe	xcopy.exe
PID 708 wrote to memory of 4844	708	cmd.exe	xcopy.exe
PID 708 wrote to memory of 4188	708	cmd.exe	cmd.exe
PID 708 wrote to memory of 4188	708	cmd.exe	cmd.exe
PID 708 wrote to memory of 4188	708	cmd.exe	cmd.exe
PID 708 wrote to memory of 1576	708	cmd.exe	xcopy.exe
PID 708 wrote to memory of 1576	708	cmd.exe	xcopy.exe
PID 708 wrote to memory of 1576	708	cmd.exe	xcopy.exe
PID 708 wrote to memory of 3396	708	cmd.exe	easinvoker.exe
PID 708 wrote to memory of 3396	708	cmd.exe	easinvoker.exe
PID 3396 wrote to memory of 2840	3396	easinvoker.exe	cmd.exe
PID 3396 wrote to memory of 2840	3396	easinvoker.exe	cmd.exe
PID 708 wrote to memory of 3736	708	cmd.exe	PING.EXE
PID 708 wrote to memory of 3736	708	cmd.exe	PING.EXE
PID 708 wrote to memory of 3736	708	cmd.exe	PING.EXE
PID 2840 wrote to memory of 892	2840	cmd.exe	powershell.exe
PID 2840 wrote to memory of 892	2840	cmd.exe	powershell.exe
PID 516 wrote to memory of 5032	516	Order confirmation proforma Invoice.exe	iexpress.exe
PID 516 wrote to memory of 5032	516	Order confirmation proforma Invoice.exe	iexpress.exe
PID 516 wrote to memory of 5032	516	Order confirmation proforma Invoice.exe	iexpress.exe
PID 516 wrote to memory of 5032	516	Order confirmation proforma Invoice.exe	iexpress.exe
PID 516 wrote to memory of 5032	516	Order confirmation proforma Invoice.exe	iexpress.exe
PID 516 wrote to memory of 5032	516	Order confirmation proforma Invoice.exe	iexpress.exe
PID 700 wrote to memory of 3676	700	Explorer.EXE	msdt.exe
PID 700 wrote to memory of 3676	700	Explorer.EXE	msdt.exe
PID 700 wrote to memory of 3676	700	Explorer.EXE	msdt.exe
PID 3676 wrote to memory of 2380	3676	msdt.exe	cmd.exe
PID 3676 wrote to memory of 2380	3676	msdt.exe	cmd.exe
PID 3676 wrote to memory of 2380	3676	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Local\Temp\Order confirmation proforma Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Order confirmation proforma Invoice.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ItfzmikwO.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
4⤵
PID:2532

C:\Windows\SysWOW64\xcopy.exe
xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
4⤵
- Enumerates system info in registry
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
4⤵
PID:4432

C:\Windows\SysWOW64\xcopy.exe
xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
4⤵
- Enumerates system info in registry
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
4⤵
PID:4188

C:\Windows\SysWOW64\xcopy.exe
xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
4⤵
- Enumerates system info in registry
PID:1576

C:\Windows \System32\easinvoker.exe
"C:\Windows \System32\easinvoker.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
5⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 6
4⤵
- Runs ping.exe
PID:3736

C:\Windows\SysWOW64\iexpress.exe
C:\Windows\System32\iexpress.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\iexpress.exe"
3⤵
PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\ItfzmikwO.bat
Filesize
411B

MD5
55aba243e88f6a6813c117ffe1fa5979

SHA1
210b9b028a4b798c837a182321dbf2e50d112816

SHA256
5a11c5641c476891aa30e7ecfa57c2639f6827d8640061f73e9afec0adbbd7d2

SHA512
68009c4c9bbea75a3bfa9f79945d30957a95691ea405d031b4ca7f1cb47504bbc768fcae59173885743ad4d6cfdd2313c3fe0acb515e34e5c809ecdc7f45e307

Download Submit
C:\Users\Public\Libraries\KDECO.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\easinvoker.exe
Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Users\Public\Libraries\netutils.dll
Filesize
110KB

MD5
b375e74a145c45d07190212e9157e5f8

SHA1
59d3de7748e1090ce95523601224ce5ab6cc4a3a

SHA256
6ec341496722bfdde504d430a7ece494701a9369b1fa5376ec488a77ab3c1744

SHA512
859737afb6108f131c0ac35560878359505c4f7fdd01ce468c04b15848df71f70987552a831a43ce948a37c9b1d6a434ff7f6fb5946f3730049b924d5b462ef0

Download Submit
C:\Windows \System32\easinvoker.exe
Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Windows \System32\easinvoker.exe
Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Windows \System32\netutils.dll
Filesize
110KB

MD5
b375e74a145c45d07190212e9157e5f8

SHA1
59d3de7748e1090ce95523601224ce5ab6cc4a3a

SHA256
6ec341496722bfdde504d430a7ece494701a9369b1fa5376ec488a77ab3c1744

SHA512
859737afb6108f131c0ac35560878359505c4f7fdd01ce468c04b15848df71f70987552a831a43ce948a37c9b1d6a434ff7f6fb5946f3730049b924d5b462ef0

Download Submit
C:\Windows \System32\netutils.dll
Filesize
110KB

MD5
b375e74a145c45d07190212e9157e5f8

SHA1
59d3de7748e1090ce95523601224ce5ab6cc4a3a

SHA256
6ec341496722bfdde504d430a7ece494701a9369b1fa5376ec488a77ab3c1744

SHA512
859737afb6108f131c0ac35560878359505c4f7fdd01ce468c04b15848df71f70987552a831a43ce948a37c9b1d6a434ff7f6fb5946f3730049b924d5b462ef0

Download Submit
C:\windows \system32\KDECO.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
memory/516-132-0x0000000000A10000-0x0000000000A3C000-memory.dmp

Filesize
176KB

Download
memory/516-158-0x0000000010410000-0x0000000010439000-memory.dmp

Filesize
164KB

Download
memory/516-157-0x0000000010410000-0x0000000010439000-memory.dmp

Filesize
164KB

Download
memory/700-162-0x0000000007F40000-0x0000000007FF2000-memory.dmp

Filesize
712KB

Download
memory/700-169-0x0000000007F40000-0x0000000007FF2000-memory.dmp

Filesize
712KB

Download
memory/700-173-0x0000000008000000-0x000000000812B000-memory.dmp

Filesize
1.2MB

Download
memory/700-171-0x0000000008000000-0x000000000812B000-memory.dmp

Filesize
1.2MB

Download
memory/708-134-0x0000000000000000-mapping.dmp

Download
memory/892-153-0x0000000000000000-mapping.dmp

Download
memory/892-155-0x00007FFAF3290000-0x00007FFAF3D51000-memory.dmp

Filesize
10.8MB

Download
memory/892-154-0x0000019D3AB60000-0x0000019D3AB82000-memory.dmp

Filesize
136KB

Download
memory/1576-143-0x0000000000000000-mapping.dmp

Download
memory/2380-165-0x0000000000000000-mapping.dmp

Download
memory/2532-136-0x0000000000000000-mapping.dmp

Download
memory/2840-150-0x0000000000000000-mapping.dmp

Download
memory/3396-145-0x0000000000000000-mapping.dmp

Download
memory/3676-170-0x0000000002630000-0x00000000026C0000-memory.dmp

Filesize
576KB

Download
memory/3676-172-0x0000000000800000-0x0000000000829000-memory.dmp

Filesize
164KB

Download
memory/3676-168-0x0000000002900000-0x0000000002C4A000-memory.dmp

Filesize
3.3MB

Download
memory/3676-166-0x0000000000900000-0x0000000000957000-memory.dmp

Filesize
348KB

Download
memory/3676-163-0x0000000000000000-mapping.dmp

Download
memory/3676-167-0x0000000000800000-0x0000000000829000-memory.dmp

Filesize
164KB

Download
memory/3736-151-0x0000000000000000-mapping.dmp

Download
memory/4188-142-0x0000000000000000-mapping.dmp

Download
memory/4432-139-0x0000000000000000-mapping.dmp

Download
memory/4784-137-0x0000000000000000-mapping.dmp

Download
memory/4844-140-0x0000000000000000-mapping.dmp

Download
memory/5032-164-0x0000000010410000-0x0000000010439000-memory.dmp

Filesize
164KB

Download
memory/5032-161-0x0000000003BE0000-0x0000000003BF1000-memory.dmp

Filesize
68KB

Download
memory/5032-160-0x0000000003D00000-0x000000000404A000-memory.dmp

Filesize
3.3MB

Download
memory/5032-156-0x0000000000000000-mapping.dmp

Download