modiloader | c7f2a0affba4248f4b27486f35c2c91fc27c210bc3d200ddac825b7ad5341d30

General

Target

Yeni siparis eklendi.exe
Size

769KB
MD5

57fda92eba26470e5269afd0137f197c
SHA1

fba7aa814defbfb093407da33f1e3d6357301465
SHA256

c7f2a0affba4248f4b27486f35c2c91fc27c210bc3d200ddac825b7ad5341d30
SHA512

194d685f0479d456e1849dc2de44e4d56cee32affa4c99acfcfd6626c53a56e4bca3c8963d3317a639579f4c8692df401f8a5d748846f5f6d837034720c8d6c4
SSDEEP

12288:cjtATpxC7cYFqGwib8yzaeCvFJIqtIz2XtkJ/PufCUWUo2:cjt2pHYkUraDvFTIa9kJ/Pu/ro

Score

10^/10

modiloader xloader uj3c loader persistence rat trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1928-134-0x0000000002290000-0x00000000022BC000-memory.dmp	modiloader_stage2

Xloader payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1928-148-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/2128-153-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/2128-159-0x0000000010410000-0x000000001043B000-memory.dmp	xloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Yeni siparis eklendi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oxelewph = "C:\\Users\\Public\\Libraries\\hpwelexO.url"	Yeni siparis eklendi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

iexpress.exe

description	pid	process	target process
PID 2128 set thread context of 3132	2128	iexpress.exe	Explorer.EXE
PID 2128 set thread context of 3132	2128	iexpress.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Yeni siparis eklendi.exeiexpress.exe

pid	process
1928	Yeni siparis eklendi.exe
1928	Yeni siparis eklendi.exe
2128	iexpress.exe
2128	iexpress.exe
2128	iexpress.exe
2128	iexpress.exe
2128	iexpress.exe
2128	iexpress.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3132 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

iexpress.exe

pid process

2128 iexpress.exe
2128 iexpress.exe

pid	process
3132	Explorer.EXE

pid	process
2128	iexpress.exe
2128	iexpress.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

iexpress.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2128	iexpress.exe
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Yeni siparis eklendi.exe

description	pid	process	target process
PID 1928 wrote to memory of 2128	1928	Yeni siparis eklendi.exe	iexpress.exe
PID 1928 wrote to memory of 2128	1928	Yeni siparis eklendi.exe	iexpress.exe
PID 1928 wrote to memory of 2128	1928	Yeni siparis eklendi.exe	iexpress.exe
PID 1928 wrote to memory of 2128	1928	Yeni siparis eklendi.exe	iexpress.exe
PID 1928 wrote to memory of 2128	1928	Yeni siparis eklendi.exe	iexpress.exe
PID 1928 wrote to memory of 2128	1928	Yeni siparis eklendi.exe	iexpress.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Users\Admin\AppData\Local\Temp\Yeni siparis eklendi.exe
"C:\Users\Admin\AppData\Local\Temp\Yeni siparis eklendi.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\iexpress.exe
C:\Windows\System32\iexpress.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1928-133-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/1928-134-0x0000000002290000-0x00000000022BC000-memory.dmp

Filesize
176KB

Download
memory/1928-136-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1928-147-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/1928-148-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/2128-152-0x0000000004090000-0x00000000043DA000-memory.dmp

Filesize
3.3MB

Download
memory/2128-149-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/2128-153-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/2128-154-0x0000000003F60000-0x0000000003F71000-memory.dmp

Filesize
68KB

Download
memory/2128-157-0x0000000003FA0000-0x0000000003FB1000-memory.dmp

Filesize
68KB

Download
memory/2128-159-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/3132-155-0x0000000003130000-0x0000000003231000-memory.dmp

Filesize
1.0MB

Download
memory/3132-158-0x0000000008910000-0x0000000008AA9000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads