modiloader | f8d71f555d508646d1bd67fe8d6af42f2d049e5be16f2324666504c539a36de9

General

Target

10b798dec86c9741d311c88dad14e344.exe
Size

186KB
MD5

10b798dec86c9741d311c88dad14e344
SHA1

b6994e3db4d17a5c1dc87fef89009924d5abc552
SHA256

f8d71f555d508646d1bd67fe8d6af42f2d049e5be16f2324666504c539a36de9
SHA512

d7b09c323e9369a454a24fd8975362a9ca770d73a95f6cd21931a8529fb3b86e4d5cef3844e828f75d7f6c6a7debb7c26d31910b6abea7017fda2b99d4c334ac
SSDEEP

3072:rDIpv6Kx9o1hgW5/slL3DKEIF2F5LwCU+Yqp7jIpgY3ro2+TTvB3ZQeCB9T:rDIpNx21hgaU8MLbDpq73r4vBiT7T

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/4080-4-0x0000000000400000-0x0000000000424000-memory.dmp	modiloader_stage2
behavioral2/files/0x0008000000023207-9.dat	modiloader_stage2
behavioral2/files/0x0008000000023207-8.dat	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2100	netprotocol.exe
3128	netprotocol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	10b798dec86c9741d311c88dad14e344.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4080 set thread context of 1652	4080	10b798dec86c9741d311c88dad14e344.exe	93
PID 2100 set thread context of 3128	2100	netprotocol.exe	94

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 1652	4080	10b798dec86c9741d311c88dad14e344.exe	93
PID 4080 wrote to memory of 1652	4080	10b798dec86c9741d311c88dad14e344.exe	93
PID 4080 wrote to memory of 1652	4080	10b798dec86c9741d311c88dad14e344.exe	93
PID 4080 wrote to memory of 1652	4080	10b798dec86c9741d311c88dad14e344.exe	93
PID 4080 wrote to memory of 1652	4080	10b798dec86c9741d311c88dad14e344.exe	93
PID 4080 wrote to memory of 1652	4080	10b798dec86c9741d311c88dad14e344.exe	93
PID 4080 wrote to memory of 1652	4080	10b798dec86c9741d311c88dad14e344.exe	93
PID 4080 wrote to memory of 1652	4080	10b798dec86c9741d311c88dad14e344.exe	93
PID 1652 wrote to memory of 2100	1652	10b798dec86c9741d311c88dad14e344.exe	92
PID 1652 wrote to memory of 2100	1652	10b798dec86c9741d311c88dad14e344.exe	92
PID 1652 wrote to memory of 2100	1652	10b798dec86c9741d311c88dad14e344.exe	92
PID 2100 wrote to memory of 3128	2100	netprotocol.exe	94
PID 2100 wrote to memory of 3128	2100	netprotocol.exe	94
PID 2100 wrote to memory of 3128	2100	netprotocol.exe	94
PID 2100 wrote to memory of 3128	2100	netprotocol.exe	94
PID 2100 wrote to memory of 3128	2100	netprotocol.exe	94
PID 2100 wrote to memory of 3128	2100	netprotocol.exe	94
PID 2100 wrote to memory of 3128	2100	netprotocol.exe	94
PID 2100 wrote to memory of 3128	2100	netprotocol.exe	94

C:\Users\Admin\AppData\Local\Temp\10b798dec86c9741d311c88dad14e344.exe
"C:\Users\Admin\AppData\Local\Temp\10b798dec86c9741d311c88dad14e344.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Local\Temp\10b798dec86c9741d311c88dad14e344.exe
  10b798dec86c9741d311c88dad14e344.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1652

C:\Users\Admin\AppData\Roaming\netprotocol.exe
C:\Users\Admin\AppData\Roaming\netprotocol.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Roaming\netprotocol.exe
  netprotocol.exe
  2⤵
  - Executes dropped EXE
  PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
186KB

MD5
16ff65c4376761d0fa01c3398cc1a303

SHA1
504ed5e8badc10b534835cca298cd7a5121d0b4c

SHA256
7b848fd0ecca3c3bfa44c21b5c38bfc8f4cacdac19261218f960e02e37af83ac

SHA512
06f64287fe6153acaf56e6988fa885386a41d69405af41a9597be43d5aaa4e0b1cd077256f1e95b969166de472ddcfe25e12ae6d2d2d5390752b3cc4d5eb0693

Download Submit
C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
92KB

MD5
3e68f7375b91a2a451ffa8f4e43b7daa

SHA1
bf6c7c839bbacfaf87d5ba79cd2be5de2326e96e

SHA256
f82909cf049e1b93c6b1e51c0e9b50748a60f7398cf6b0a6f026b1e769a675c9

SHA512
31d6cee86856aa38ece1a6fd989b396470c5146461c143ab7ea124e28170f0811eef406c3e59fde94702fb7919e43ecc971c690856a57d9eb6baf9505134bfb7

Download Submit
memory/1652-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1652-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1652-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1652-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1652-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2100-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3128-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3128-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4080-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads