modiloader | 1be5998378ab64533d717ffaf0f10d892e1790f260f72060ad1318e4d6d4321b

General

Target

DOC.09323872637283.exe
Size

1.0MB
MD5

33d0315e844e991a28980ad8a108a423
SHA1

2c91f349e52c5995bfb81d309392b119d5954996
SHA256

3d3106d56edd0d99fb92516b4ab21f27972e104477204343c5f365aa604650ef
SHA512

c9639414395d4177b5fd52f3190d5d9e17d31678f815f1e61176c17b87d33dfef70830a0055bd97966a10ee822a59c0a0d55ebed32348067422ab7de1bc8e239
SSDEEP

24576:SSWrMz8C3kJ+VnkaJ56TxIN84Mm/3vfb5GJ:SS0o8YXMFIN84X3vfb5W

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3344-133-0x0000000004530000-0x0000000004562000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xnjvmfsJ.pif

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	xnjvmfsJ.pif

Executes dropped EXE 1 IoCs

Processes:

xnjvmfsJ.pif

pid process

3188 xnjvmfsJ.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DOC.09323872637283.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jsfmvjnx = "C:\\Users\\Public\\Libraries\\xnjvmfsJ.url"	DOC.09323872637283.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

xnjvmfsJ.pifNETSTAT.EXE

description	pid	process	target process
PID 3188 set thread context of 3140	3188	xnjvmfsJ.pif	Explorer.EXE
PID 4372 set thread context of 3140	4372	NETSTAT.EXE	Explorer.EXE

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2968 4940 WerFault.exe Firefox.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

4372 NETSTAT.EXE

pid	pid_target	process	target process
2968	4940	WerFault.exe	Firefox.exe

pid	process
4372	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	35	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

xnjvmfsJ.pifNETSTAT.EXE

pid	process
3188	xnjvmfsJ.pif
3188	xnjvmfsJ.pif
3188	xnjvmfsJ.pif
3188	xnjvmfsJ.pif
3188	xnjvmfsJ.pif
3188	xnjvmfsJ.pif
3188	xnjvmfsJ.pif
3188	xnjvmfsJ.pif
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE
4372	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3140 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

xnjvmfsJ.pifNETSTAT.EXE

pid process

3188 xnjvmfsJ.pif
3188 xnjvmfsJ.pif
3188 xnjvmfsJ.pif
4372 NETSTAT.EXE
4372 NETSTAT.EXE
4372 NETSTAT.EXE
4372 NETSTAT.EXE

pid	process
3140	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

xnjvmfsJ.pifNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3188	xnjvmfsJ.pif
Token: SeDebugPrivilege	4372	NETSTAT.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DOC.09323872637283.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3344 wrote to memory of 3188	3344	DOC.09323872637283.exe	xnjvmfsJ.pif
PID 3344 wrote to memory of 3188	3344	DOC.09323872637283.exe	xnjvmfsJ.pif
PID 3344 wrote to memory of 3188	3344	DOC.09323872637283.exe	xnjvmfsJ.pif
PID 3344 wrote to memory of 3188	3344	DOC.09323872637283.exe	xnjvmfsJ.pif
PID 3344 wrote to memory of 3188	3344	DOC.09323872637283.exe	xnjvmfsJ.pif
PID 3344 wrote to memory of 3188	3344	DOC.09323872637283.exe	xnjvmfsJ.pif
PID 3140 wrote to memory of 4372	3140	Explorer.EXE	NETSTAT.EXE
PID 3140 wrote to memory of 4372	3140	Explorer.EXE	NETSTAT.EXE
PID 3140 wrote to memory of 4372	3140	Explorer.EXE	NETSTAT.EXE
PID 4372 wrote to memory of 4940	4372	NETSTAT.EXE	Firefox.exe
PID 4372 wrote to memory of 4940	4372	NETSTAT.EXE	Firefox.exe
PID 4372 wrote to memory of 4940	4372	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\DOC.09323872637283.exe
"C:\Users\Admin\AppData\Local\Temp\DOC.09323872637283.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3344

C:\Users\Public\Libraries\xnjvmfsJ.pif
"C:\Users\Public\Libraries\xnjvmfsJ.pif"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4940 -s 140
4⤵
- Program crash
PID:2968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 4940 -ip 4940
1⤵
PID:5008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\xnjvmfsJ.pif
Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\Libraries\xnjvmfsJ.pif
Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
memory/3140-162-0x0000000007CB0000-0x0000000007D59000-memory.dmp

Filesize
676KB

Download
memory/3140-159-0x0000000007CB0000-0x0000000007D59000-memory.dmp

Filesize
676KB

Download
memory/3140-151-0x00000000026B0000-0x00000000027CA000-memory.dmp

Filesize
1.1MB

Download
memory/3188-149-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/3188-147-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/3188-148-0x00000000025F0000-0x000000000293A000-memory.dmp

Filesize
3.3MB

Download
memory/3188-150-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3188-143-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3188-154-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3344-136-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/3344-142-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/3344-133-0x0000000004530000-0x0000000004562000-memory.dmp

Filesize
200KB

Download
memory/3344-141-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/3344-135-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/4372-155-0x0000000000C70000-0x0000000000C7B000-memory.dmp

Filesize
44KB

Download
memory/4372-157-0x0000000000C00000-0x0000000000C2D000-memory.dmp

Filesize
180KB

Download
memory/4372-158-0x0000000001310000-0x000000000165A000-memory.dmp

Filesize
3.3MB

Download
memory/4372-156-0x0000000000C00000-0x0000000000C2D000-memory.dmp

Filesize
180KB

Download
memory/4372-160-0x0000000001140000-0x00000000011CF000-memory.dmp

Filesize
572KB

Download
memory/4372-153-0x0000000000C70000-0x0000000000C7B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads