modiloader | ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596

General

Target

03a2cf836e01c4bbda317dff5f0bc869.exe
Size

279KB
MD5

03a2cf836e01c4bbda317dff5f0bc869
SHA1

9f0746dc4f9698b7b5916f4327bfb50e27ef73d8
SHA256

ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596
SHA512

aeb876ed448acd8a11d4d5da22fc92c1d755990bac4ac8935bfd52bd431d4c96a94c517c1d74f62be74a429c3eebc52e3d9d922919de66d8c7e1c0566e14c4db
SSDEEP

6144:nR0XMxh2JejPu6nDSCejtRbxZaBwoJjkE5Mx7xSw33V0dLOwm:OXMxhMebBDnSxE7jkIImFdm

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/2796-22-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2
behavioral2/memory/216-23-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2796	QQ.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\K:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\U:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\A:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\E:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\I:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\L:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\R:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\X:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\H:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\M:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\T:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\Y:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\Z:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\V:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\B:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\G:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\N:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\O:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\P:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\Q:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\S:	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened (read-only)	\??\W:	03a2cf836e01c4bbda317dff5f0bc869.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869.exe
File created	C:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened for modification	C:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869.exe
File created	F:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\QQ.exe	03a2cf836e01c4bbda317dff5f0bc869.exe
File opened for modification	C:\Program Files\QQ.exe	03a2cf836e01c4bbda317dff5f0bc869.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe	QQ.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe	QQ.exe
File created	C:\Program Files\Delet.bat	03a2cf836e01c4bbda317dff5f0bc869.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 2796	216	03a2cf836e01c4bbda317dff5f0bc869.exe	42
PID 216 wrote to memory of 2796	216	03a2cf836e01c4bbda317dff5f0bc869.exe	42
PID 216 wrote to memory of 2796	216	03a2cf836e01c4bbda317dff5f0bc869.exe	42
PID 216 wrote to memory of 4608	216	03a2cf836e01c4bbda317dff5f0bc869.exe	40
PID 216 wrote to memory of 4608	216	03a2cf836e01c4bbda317dff5f0bc869.exe	40
PID 216 wrote to memory of 4608	216	03a2cf836e01c4bbda317dff5f0bc869.exe	40

C:\Users\Admin\AppData\Local\Temp\03a2cf836e01c4bbda317dff5f0bc869.exe
"C:\Users\Admin\AppData\Local\Temp\03a2cf836e01c4bbda317dff5f0bc869.exe"
1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Delet.bat""
  2⤵
  PID:4608
- C:\Program Files\QQ.exe
  "C:\Program Files\QQ.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Delet.bat

Filesize
184B

MD5
ee0a7a8ec30438e0cbc5c5f919a152ac

SHA1
20abae314cdf81ec39745c7d98457557e883d7dc

SHA256
e9727e76aedc97f4e189dd5d1c5fcfe3fd24f9613d464bccd08400855a3f1584

SHA512
32b5011702396554439f7293aada7726518ecc8cabae3b8036b8945e269bb2c95d3523f99b527ad1211aa41367747d3c24273fd11d83998f307358f45b6b3618

Download Submit
C:\Program Files\QQ.exe

Filesize
31KB

MD5
73375c6f7338e23743460092881039f0

SHA1
b1c24e2fe9cc5d783ed5de53cd742667c446d269

SHA256
ffb93c35b0381e52f647a26d8e1a80b4ef7ffde1381d8210348954feb4eb77d0

SHA512
27a34df4e7813dbf3857855851dcfe57a2359e98ef9828f0eb3e646bbc07eaae81f3fc2d8cd5b757c61f2b81a3f0ca4ddb3de06b414f9d76df7a5381b1f6c5b2

Download Submit
C:\Program Files\QQ.exe

Filesize
118KB

MD5
020fab9847275df94918fb52d91d7f98

SHA1
daa87920d7377614d8b6d8bf59fb5d1d67d55e41

SHA256
3c71b3b87c2b83fd4c639aa60a00c098175192f5ddd8f06dbc5dc9b1c3df08b0

SHA512
f89b0e637a7ddf7fe533d2d0e0e3a6cf672532c19687244f66c344dab567187581d10f79ae1711e0364d163069cfc4be0ae4b1cbd5e23b60636ea4322dd9aa83

Download Submit
F:\QQ.exe

Filesize
120KB

MD5
c8df60663a0ae26f5f23b5820d2a53de

SHA1
5cdb576f9965f0b139056c8cef526fac6904c3cf

SHA256
50ce1045388ffb98d22ff0750bf9a258c22005461af12ca0ddb8eb108450ca69

SHA512
d056b0f5bdd99a329322eca842659010b0ef2db6f8076f4ce2c570a5d7fbce0d3951bb3f42e1c8e2f5843bce8e17d96f3e1dfefcfa8b3b5e4f5422f0216b288a

Download Submit
memory/216-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/216-1-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/216-2-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/216-23-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2796-22-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2796-19-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads