modiloader | 1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e

General

Target

1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
Size

2.0MB
MD5

4c6f8659b10f1ed181e8bd32d7f9d3c9
SHA1

b7524cad4667537fb31f1870c92b5e3e8ad66579
SHA256

1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e
SHA512

986fbebd04b601fafb844ff4e7c2edc0231901c68ad340996238d73a6c143527f0e531a3b31147461b091b21b3feeeb175be526e9b8888a66f940f01d3ba8fd4
SSDEEP

49152:e1Z2EHQt1F39ckIP6oERpVW6KlFjTCxkpKHY5Y:e1HE1F39/IPSpV8fXjK

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1336-66-0x0000000000400000-0x0000000000576000-memory.dmp	modiloader_stage1
behavioral1/memory/1336-65-0x0000000000400000-0x0000000000576000-memory.dmp	modiloader_stage1
behavioral1/memory/1336-69-0x0000000000400000-0x0000000000576000-memory.dmp	modiloader_stage1
behavioral1/memory/1336-68-0x0000000000400000-0x0000000000576000-memory.dmp	modiloader_stage1
behavioral1/memory/1336-67-0x0000000000400000-0x0000000000576000-memory.dmp	modiloader_stage1
behavioral1/memory/1336-71-0x0000000000400000-0x0000000000576000-memory.dmp	modiloader_stage1
behavioral1/memory/1336-72-0x0000000000400000-0x0000000000576000-memory.dmp	modiloader_stage1
behavioral1/memory/1336-73-0x0000000000400000-0x0000000000576000-memory.dmp	modiloader_stage1
behavioral1/memory/1336-75-0x0000000000400000-0x0000000000576000-memory.dmp	modiloader_stage1

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontservice = "\"C:\\Users\\Admin\\fontservice.exe\""	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe

description	pid	process	target process
PID 2012 set thread context of 1336	2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe

pid	process
2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe

description pid process

Token: SeDebugPrivilege 2012 1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe

description	pid	process
Token: SeDebugPrivilege	2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe

description	pid	process	target process
PID 2012 wrote to memory of 1336	2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
PID 2012 wrote to memory of 1336	2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
PID 2012 wrote to memory of 1336	2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
PID 2012 wrote to memory of 1336	2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
PID 2012 wrote to memory of 1336	2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
PID 2012 wrote to memory of 1336	2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
PID 2012 wrote to memory of 1336	2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
PID 2012 wrote to memory of 1336	2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
PID 2012 wrote to memory of 1336	2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
PID 2012 wrote to memory of 1336	2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
PID 2012 wrote to memory of 1336	2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
PID 2012 wrote to memory of 1336	2012	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe	1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe

C:\Users\Admin\AppData\Local\Temp\1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
"C:\Users\Admin\AppData\Local\Temp\1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe
"C:\Users\Admin\AppData\Local\Temp\1f861b6c1c3788d3273c1d7dc36b6dfa488abbcc9844261b0b7c44992e18bb5e.exe"
2⤵
PID:1336

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1336-71-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1336-68-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1336-66-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1336-69-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1336-65-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1336-75-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1336-74-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1336-73-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1336-63-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1336-64-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1336-72-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1336-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1336-67-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2012-61-0x00000000004C0000-0x00000000004D6000-memory.dmp

Filesize
88KB

Download
memory/2012-57-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2012-54-0x0000000001090000-0x00000000013A2000-memory.dmp

Filesize
3.1MB

Download
memory/2012-59-0x0000000001030000-0x0000000001070000-memory.dmp

Filesize
256KB

Download
memory/2012-56-0x00000000098F0000-0x00000000099CC000-memory.dmp

Filesize
880KB

Download
memory/2012-62-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2012-55-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/2012-60-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads