modiloader | f6e135f152463447adc3db1b0de4534d762e21699b17fea4fc66cd2dbf937345

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2023 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

order confirmation reference no. FXEPS6S100523 .exe
Size

804KB
MD5

abc22566e1c69dc36e74310dedf0ba9d
SHA1

e79b1e5426cb99f868722639b954388db77786ff
SHA256

f6e135f152463447adc3db1b0de4534d762e21699b17fea4fc66cd2dbf937345
SHA512

99d4d313a4c47603f56c62c9d5924adae04df8945feb6b7b6cccdf7076552c2903a5fce214d15cc354bcdd547c43a52fa373b4b3fbdba0703d52dbfdb69be770
SSDEEP

12288:0u+e4v0ma0dwwcQNHRh+ZXiwBdbPmWvy5dHnlllllllllllllllllllllllllll7:0uRQq0iwcmhEffeWKnzhxN2rn4P9h

Score

10^/10

modiloader warzonerat infostealer persistence rat trojan

Malware Config

Extracted

Family

warzonerat

nightmare4666.ddns.net:3443

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2924-133-0x00000000040A0000-0x00000000040DE000-memory.dmp	modiloader_stage2

Warzone RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2420-150-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/2420-155-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/2420-156-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/2420-157-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/2420-158-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

tkghmwvN.pif

pid process

2420 tkghmwvN.pif

pid	process
2420	tkghmwvN.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

order confirmation reference no. FXEPS6S100523 .exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nvwmhgkt = "C:\\Users\\Public\\Libraries\\tkghmwvN.url"	order confirmation reference no. FXEPS6S100523 .exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

order confirmation reference no. FXEPS6S100523 .exe

description pid process target process

PID 2924 set thread context of 2420 2924 order confirmation reference no. FXEPS6S100523 .exe tkghmwvN.pif

description	pid	process	target process
PID 2924 set thread context of 2420	2924	order confirmation reference no. FXEPS6S100523 .exe	tkghmwvN.pif

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

order confirmation reference no. FXEPS6S100523 .exe

description	pid	process	target process
PID 2924 wrote to memory of 2420	2924	order confirmation reference no. FXEPS6S100523 .exe	tkghmwvN.pif
PID 2924 wrote to memory of 2420	2924	order confirmation reference no. FXEPS6S100523 .exe	tkghmwvN.pif
PID 2924 wrote to memory of 2420	2924	order confirmation reference no. FXEPS6S100523 .exe	tkghmwvN.pif
PID 2924 wrote to memory of 2420	2924	order confirmation reference no. FXEPS6S100523 .exe	tkghmwvN.pif

C:\Users\Admin\AppData\Local\Temp\order confirmation reference no. FXEPS6S100523 .exe
"C:\Users\Admin\AppData\Local\Temp\order confirmation reference no. FXEPS6S100523 .exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Public\Libraries\tkghmwvN.pif
  C:\Users\Public\Libraries\tkghmwvN.pif
  2⤵
  - Executes dropped EXE
  PID:2420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\tkghmwvN.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\Libraries\tkghmwvN.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
memory/2420-150-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2420-155-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2420-156-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2420-157-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2420-158-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2924-133-0x00000000040A0000-0x00000000040DE000-memory.dmp

Filesize
248KB

Download
memory/2924-135-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2924-136-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download