modiloader | ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596

General

Target

03a2cf836e01c4bbda317dff5f0bc869.exe
Size

279KB
MD5

03a2cf836e01c4bbda317dff5f0bc869
SHA1

9f0746dc4f9698b7b5916f4327bfb50e27ef73d8
SHA256

ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596
SHA512

aeb876ed448acd8a11d4d5da22fc92c1d755990bac4ac8935bfd52bd431d4c96a94c517c1d74f62be74a429c3eebc52e3d9d922919de66d8c7e1c0566e14c4db
SSDEEP

6144:nR0XMxh2JejPu6nDSCejtRbxZaBwoJjkE5Mx7xSw33V0dLOwm:OXMxhMebBDnSxE7jkIImFdm

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2208-32-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2
behavioral1/memory/2004-34-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-42-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
284	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2004	QQ.exe

Loads dropped DLL 5 IoCs

pid	Process
2208	03a2cf836e01c4bbda317dff5f0bc869.exe
2208	03a2cf836e01c4bbda317dff5f0bc869.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\T:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\V:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\W:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\E:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\G:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\J:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\K:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\N:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\O:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\Q:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\S:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\M:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\Z:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\A:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\H:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\I:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\L:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\Y:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\B:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\R:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\U:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\X:	03a2cf836e01c4bbda317dff5f0bc869.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869.exe
File created	F:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened for modification	F:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869.exe
File created	C:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\QQ.exe	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened for modification	C:\Program Files\QQ.exe	03a2cf836e01c4bbda317dff5f0bc869.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe	QQ.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe	QQ.exe
File created	C:\Program Files\Delet.bat	03a2cf836e01c4bbda317dff5f0bc869.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	2004	WerFault.exe	28

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2004	2208	03a2cf836e01c4bbda317dff5f0bc869.exe	28
PID 2208 wrote to memory of 2004	2208	03a2cf836e01c4bbda317dff5f0bc869.exe	28
PID 2208 wrote to memory of 2004	2208	03a2cf836e01c4bbda317dff5f0bc869.exe	28
PID 2208 wrote to memory of 2004	2208	03a2cf836e01c4bbda317dff5f0bc869.exe	28
PID 2004 wrote to memory of 2852	2004	QQ.exe	29
PID 2004 wrote to memory of 2852	2004	QQ.exe	29
PID 2004 wrote to memory of 2852	2004	QQ.exe	29
PID 2004 wrote to memory of 2852	2004	QQ.exe	29
PID 2208 wrote to memory of 284	2208	03a2cf836e01c4bbda317dff5f0bc869.exe	32
PID 2208 wrote to memory of 284	2208	03a2cf836e01c4bbda317dff5f0bc869.exe	32
PID 2208 wrote to memory of 284	2208	03a2cf836e01c4bbda317dff5f0bc869.exe	32
PID 2208 wrote to memory of 284	2208	03a2cf836e01c4bbda317dff5f0bc869.exe	32

C:\Users\Admin\AppData\Local\Temp\03a2cf836e01c4bbda317dff5f0bc869.exe
"C:\Users\Admin\AppData\Local\Temp\03a2cf836e01c4bbda317dff5f0bc869.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files\QQ.exe
  "C:\Program Files\QQ.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 292
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Delet.bat""
  2⤵
  - Deletes itself
  PID:284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Delet.bat

Filesize
184B

MD5
ee0a7a8ec30438e0cbc5c5f919a152ac

SHA1
20abae314cdf81ec39745c7d98457557e883d7dc

SHA256
e9727e76aedc97f4e189dd5d1c5fcfe3fd24f9613d464bccd08400855a3f1584

SHA512
32b5011702396554439f7293aada7726518ecc8cabae3b8036b8945e269bb2c95d3523f99b527ad1211aa41367747d3c24273fd11d83998f307358f45b6b3618

Download Submit
F:\QQ.exe

Filesize
279KB

MD5
03a2cf836e01c4bbda317dff5f0bc869

SHA1
9f0746dc4f9698b7b5916f4327bfb50e27ef73d8

SHA256
ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596

SHA512
aeb876ed448acd8a11d4d5da22fc92c1d755990bac4ac8935bfd52bd431d4c96a94c517c1d74f62be74a429c3eebc52e3d9d922919de66d8c7e1c0566e14c4db

Download Submit
memory/2004-28-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2004-34-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2004-21-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2004-23-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2208-19-0x0000000002D20000-0x0000000002E74000-memory.dmp

Filesize
1.3MB

Download
memory/2208-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2208-22-0x0000000002D20000-0x0000000002E74000-memory.dmp

Filesize
1.3MB

Download
memory/2208-32-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2208-33-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2208-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2208-42-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads