modiloader | e36a0dfa49890364967ce961dcc9a4a5b32b99a171f1aa7a505811679e2ce7b8

General

Target

1dd009ebff013b5e1b641e460e5eaa01.exe
Size

670KB
MD5

1dd009ebff013b5e1b641e460e5eaa01
SHA1

984ec64a577abbd3d5fbd69981f6345f1666063d
SHA256

e36a0dfa49890364967ce961dcc9a4a5b32b99a171f1aa7a505811679e2ce7b8
SHA512

812c299a45944f8c42641d4a9fc7f8bc205bc3daef0adc59bc7d31e0c9b848b01b2099b6f8791cec041734a790e15f7c000cfffc1c16b72b77d9b8fd4cd99d4d
SSDEEP

12288:y3og9mmldjsVd2/4fzF8F3Z4mxx9f3Rgi6uVWmwCmjs:uogJdPlQmX9/RNV6Q

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 9 IoCs

resource	yara_rule
behavioral1/files/0x000e0000000122f2-27.dat	modiloader_stage2
behavioral1/files/0x000e0000000122f2-33.dat	modiloader_stage2
behavioral1/files/0x000e0000000122f2-29.dat	modiloader_stage2
behavioral1/files/0x000e0000000122f2-30.dat	modiloader_stage2
behavioral1/memory/2008-36-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/files/0x000e0000000122f2-43.dat	modiloader_stage2
behavioral1/files/0x000e0000000122f2-39.dat	modiloader_stage2
behavioral1/memory/2768-47-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/files/0x000e0000000122f2-37.dat	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2008	1.exe
2768	1.exe

Loads dropped DLL 4 IoCs

pid	Process
2856	1dd009ebff013b5e1b641e460e5eaa01.exe
2856	1dd009ebff013b5e1b641e460e5eaa01.exe
2856	1dd009ebff013b5e1b641e460e5eaa01.exe
2856	1dd009ebff013b5e1b641e460e5eaa01.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1dd009ebff013b5e1b641e460e5eaa01.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	1.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2008	2856	1dd009ebff013b5e1b641e460e5eaa01.exe	27
PID 2856 wrote to memory of 2008	2856	1dd009ebff013b5e1b641e460e5eaa01.exe	27
PID 2856 wrote to memory of 2008	2856	1dd009ebff013b5e1b641e460e5eaa01.exe	27
PID 2856 wrote to memory of 2008	2856	1dd009ebff013b5e1b641e460e5eaa01.exe	27
PID 2856 wrote to memory of 2768	2856	1dd009ebff013b5e1b641e460e5eaa01.exe	28
PID 2856 wrote to memory of 2768	2856	1dd009ebff013b5e1b641e460e5eaa01.exe	28
PID 2856 wrote to memory of 2768	2856	1dd009ebff013b5e1b641e460e5eaa01.exe	28
PID 2856 wrote to memory of 2768	2856	1dd009ebff013b5e1b641e460e5eaa01.exe	28

C:\Users\Admin\AppData\Local\Temp\1dd009ebff013b5e1b641e460e5eaa01.exe
"C:\Users\Admin\AppData\Local\Temp\1dd009ebff013b5e1b641e460e5eaa01.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt

Filesize
52B

MD5
ce66ab94aeffaa3d16632b3a10874a0f

SHA1
cdac03d1e09da01c5b4fd3f60d2aeac4412cfdb9

SHA256
9d5073d7c4095d7285ac6069d7dd3a74235c0dcf0cc70c18b7a560fc0293e3b9

SHA512
d01ca59d5767ffff0edfd68a6b199b62c1a078ab4c7926d7bb4374cd72ac74ffea29ce034094f2dc1220051eb35ea5f06c6b5c02cff908f21645e114df6c5183

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
37KB

MD5
86df63fa7788e8580e36eb79f54ff322

SHA1
8d09bc0e2cffe0e7bd3cbb20e5a48ab86a39e248

SHA256
90ed640172c3faaed4fc0581724b64afd7883740c21e7b71c40d51963d2aefba

SHA512
968b2316f64590a03202b38f0ec1aa438f6e623ff056a4b090611665c5bb07a69c6727ca76ed7c00193023b03b227c4e468d9b0429936a13de1766e62bf62464

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
2KB

MD5
d8539e716b71dd25b8a929e0e2fd119e

SHA1
2cd0bfe0fe15d3fdd5668a5e93c081b392b737c0

SHA256
90706b8404d521408e699fbc2e0ee0544a1d60fd88c859026b1d05892c4bcc58

SHA512
78425e044931a59ff3d433d3224265532d6b77d8f49c4374983a28a5cfee1ff8dbf72cb8bfebe6720751fbbdb5acad2afb8f8f2adef2205ef8bdc90e41f972ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
19KB

MD5
7167023ef912f42ea9ac135116da4a9e

SHA1
efa5d0df2da491637561d977ce31214d30617d7f

SHA256
4b56ae5f4c88e674ba7bb8c96a956fa0295a7a3bcfcb873cdc8928737ef4ba91

SHA512
7e2730e621a9247c1e815458e3da9955711b7a0fa1e51aa56795c83de9002fd55aab30f7a92fedc42c95dbc1ab357b1096f32fd1bc252a2d51f6e53ef843d19f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
153KB

MD5
de9f68c0b13b6745bfbd4ddb69554c58

SHA1
9dff7639fc6b45be6c1e48868437e498b3801dbf

SHA256
7555be34b99e9810a892d15ae9b2174b8da4544758c85d763d319a076ebf1b9f

SHA512
94cdb3f868b887a9055ea47262b2456601b24d8a18980e5881f711f2eac0cb8c9f07ac32e8278f818e3a3fee1b91e6b1b04be8da4dacbdb46cc7bc5c6ce02527

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
21KB

MD5
f921f038184bcc14a29638f5bea347c2

SHA1
c56c6f379ee8fde34518f450850f49be23fa2a19

SHA256
bd4897b4acbefa520fd9a25eef285f1353b51c0fb54e8563954bb9b5e107f1f9

SHA512
3505814e01c3710241f6bd739f7c55089315a06f5214f87bcab2497c01618a030a53c87aea2e5f82986d79ec8a505e71d5858bf83fc51d6f088a6cda0c66a3f8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
26KB

MD5
e3c3ada8f6ae1929122f6412cd443dd2

SHA1
58b54afbdf3c66fb01b5f41055736ebd6527b11a

SHA256
ac254880e2f698faeabebfde7ce673e6a1bb7d81cf44088cf03487c68dd0e0ed

SHA512
05da1a6cad49db39988a92206b6c776e1ba76b388fa31802883dceffcf8558b3a9a943490d2b1f986dbda924c58f06e176bd59f529b7eaaa8eeb0022371d369c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
53KB

MD5
74d60465e322a4fbfa9b42f551309ecd

SHA1
3af588335e29e215878f838520792bbd2afe70d8

SHA256
a473df5eac567b11b2666bdf4fafb1c0ce6a2509036b0159df82aab447e476b3

SHA512
1ed0ac684b1ded8f6bd6d9d7f7743e9ec99783be42061ffb787e94591bdc9660473712d721507aa75f0b884522cf9e19e72d5d70b4c51138e8d6c805b58b6bdc

Download Submit
memory/2008-34-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2008-36-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2768-46-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2768-47-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2856-17-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2856-14-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2856-12-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2856-11-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2856-10-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2856-9-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2856-8-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2856-7-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2856-6-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2856-5-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2856-4-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2856-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2856-2-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2856-13-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2856-15-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2856-16-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/2856-0-0x0000000001000000-0x0000000001108000-memory.dmp

Filesize
1.0MB

Download
memory/2856-18-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2856-19-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/2856-20-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2856-51-0x00000000003B0000-0x0000000000404000-memory.dmp

Filesize
336KB

Download
memory/2856-50-0x0000000001000000-0x0000000001108000-memory.dmp

Filesize
1.0MB

Download
memory/2856-21-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/2856-22-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/2856-23-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2856-24-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2856-1-0x00000000003B0000-0x0000000000404000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads