modiloader | 6e6aef49afd787d07ac598538f2c83e8690a0d7f4a79da6944b2b70e90b1b9eb

General

Target

2365e5ae55ff69806a18f70f0802d8e3.exe
Size

392KB
MD5

2365e5ae55ff69806a18f70f0802d8e3
SHA1

19f5493319b988c950482f749901846fdb2f676f
SHA256

6e6aef49afd787d07ac598538f2c83e8690a0d7f4a79da6944b2b70e90b1b9eb
SHA512

50dd7a5991592454f2373daf8d5bbd2ebe2bf1fe2097c8c372771a709c2f512ba44709ad8181bf1a9d9a24bbf28dc9591e36fe606d0711231bece4d7e47cf89e
SSDEEP

6144:1bx1JNRm9uXcUy8yp8imvbkaKNjOG6O65s0mjY5WwAYa7zQ07qKLwkaupcP2BJDY:xJNRmOc6fbkvAGpPLjxzUuiPIsBH

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe ZReload.scr"	csrss.exe

ModiLoader Second Stage 10 IoCs

resource	yara_rule
behavioral2/memory/8-0-0x0000000000010000-0x0000000000079000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-13-0x00000000021F0000-0x000000000229A000-memory.dmp	modiloader_stage2
behavioral2/memory/8-10-0x0000000000010000-0x0000000000079000-memory.dmp	modiloader_stage2
behavioral2/files/0x00080000000231f7-6.dat	modiloader_stage2
behavioral2/files/0x0006000000023209-17.dat	modiloader_stage2
behavioral2/memory/4800-37-0x00000000025A0000-0x000000000264A000-memory.dmp	modiloader_stage2
behavioral2/memory/1816-34-0x0000000000010000-0x0000000000079000-memory.dmp	modiloader_stage2
behavioral2/memory/3576-27-0x00000000021F0000-0x000000000229A000-memory.dmp	modiloader_stage2
behavioral2/files/0x00080000000231f7-22.dat	modiloader_stage2
behavioral2/memory/4800-72-0x00000000025A0000-0x000000000264A000-memory.dmp	modiloader_stage2

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\services.exe	csrss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	2365e5ae55ff69806a18f70f0802d8e3.exe

Executes dropped EXE 3 IoCs

pid	Process
1816	csrss.exe
4800	csrss.exe
4020	services.exe

Loads dropped DLL 4 IoCs

pid	Process
8	2365e5ae55ff69806a18f70f0802d8e3.exe
8	2365e5ae55ff69806a18f70f0802d8e3.exe
1816	csrss.exe
1816	csrss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rlog.dllx	csrss.exe
File opened for modification	C:\Windows\SysWOW64\ZReload.scr	csrss.exe
File created	C:\Windows\SysWOW64\ZReload.scrx	csrss.exe
File created	C:\Windows\SysWOW64\Zreload.scr	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1816 set thread context of 4800	1816	csrss.exe	94

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\csrss.exe	cmd.exe
File opened for modification	C:\Windows\csrss.exe	cmd.exe
File opened for modification	C:\Windows\csrss.exe	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4020	services.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 3576	8	2365e5ae55ff69806a18f70f0802d8e3.exe	92
PID 8 wrote to memory of 3576	8	2365e5ae55ff69806a18f70f0802d8e3.exe	92
PID 8 wrote to memory of 3576	8	2365e5ae55ff69806a18f70f0802d8e3.exe	92
PID 8 wrote to memory of 3576	8	2365e5ae55ff69806a18f70f0802d8e3.exe	92
PID 8 wrote to memory of 3576	8	2365e5ae55ff69806a18f70f0802d8e3.exe	92
PID 3576 wrote to memory of 4744	3576	2365e5ae55ff69806a18f70f0802d8e3.exe	91
PID 3576 wrote to memory of 4744	3576	2365e5ae55ff69806a18f70f0802d8e3.exe	91
PID 3576 wrote to memory of 4744	3576	2365e5ae55ff69806a18f70f0802d8e3.exe	91
PID 3576 wrote to memory of 1816	3576	2365e5ae55ff69806a18f70f0802d8e3.exe	95
PID 3576 wrote to memory of 1816	3576	2365e5ae55ff69806a18f70f0802d8e3.exe	95
PID 3576 wrote to memory of 1816	3576	2365e5ae55ff69806a18f70f0802d8e3.exe	95
PID 1816 wrote to memory of 4800	1816	csrss.exe	94
PID 1816 wrote to memory of 4800	1816	csrss.exe	94
PID 1816 wrote to memory of 4800	1816	csrss.exe	94
PID 1816 wrote to memory of 4800	1816	csrss.exe	94
PID 1816 wrote to memory of 4800	1816	csrss.exe	94
PID 4800 wrote to memory of 4020	4800	csrss.exe	93
PID 4800 wrote to memory of 4020	4800	csrss.exe	93
PID 4800 wrote to memory of 4020	4800	csrss.exe	93

C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe
"C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:8
- C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe
  C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\csrss.exe
    "C:\Windows\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c copy "C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe" "C:\Windows\csrss.exe"
1⤵
- Drops file in Windows directory
PID:4744

C:\Windows\SysWOW64\drivers\services.exe
C:\Windows\system32\drivers\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4020

C:\Windows\csrss.exe
C:\Windows\csrss.exe
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kacir.bin

Filesize
10KB

MD5
ddb56c87d10647289236f9fe752d80cd

SHA1
e698b332a1a05bab72eb9f8f25d7e98314ae0124

SHA256
bd2e3f399610c873da9bc27204024524f481b10a22947193f6558246f05fae15

SHA512
c97e78ca6562a285270966b4af35e5103b8b9005a9c0b7c741cb58b941ab18ce2a6894c06087c0e7e0adae0a36113609583dbdc99a803dba0c63fbe3a768998c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kacir.dll

Filesize
19KB

MD5
dda37de6068ad16771e3a6464bb8778b

SHA1
903317703bfcd07e9bea7246920de98916017e08

SHA256
e5fa2290f69a152c53dec772142ddb3d4c04cb2ee25ad05b0ec97ab202361f11

SHA512
1d38ba967b34c6d48b8048bf282484bc6c8d6f3644a127a8102d3edbcf5dd854744da7e8f15b10b93b6124db634a7c891c1c175fca8a7b2e6810fc204132ea05

Download Submit
C:\Windows\csrss.exe

Filesize
381KB

MD5
e5b8f91de46817f551b5c876a346f967

SHA1
45b4fe598ec687291c390ee7b636cbb94b03e1ba

SHA256
4e8944dc4995a717bcf9437a4f47c52eded0d90de94d025c6cfc87e29fed3773

SHA512
bf01b5b31abd2d92fc18ab55fe155fa70522fa6927348115b4c12ed94288cca5e00b12f5a4d1d4f96c92473039ad37d9c14f4c54acacb305325418ec8275913d

Download Submit
memory/8-0-0x0000000000010000-0x0000000000079000-memory.dmp

Filesize
420KB

Download
memory/8-10-0x0000000000010000-0x0000000000079000-memory.dmp

Filesize
420KB

Download
memory/1816-34-0x0000000000010000-0x0000000000079000-memory.dmp

Filesize
420KB

Download
memory/3576-9-0x00000000005B0000-0x000000000065D000-memory.dmp

Filesize
692KB

Download
memory/3576-11-0x00000000005B0000-0x000000000065D000-memory.dmp

Filesize
692KB

Download
memory/3576-14-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/3576-13-0x00000000021F0000-0x000000000229A000-memory.dmp

Filesize
680KB

Download
memory/3576-27-0x00000000021F0000-0x000000000229A000-memory.dmp

Filesize
680KB

Download
memory/3576-25-0x00000000005B0000-0x000000000065D000-memory.dmp

Filesize
692KB

Download
memory/3576-12-0x00000000005B0000-0x000000000065D000-memory.dmp

Filesize
692KB

Download
memory/4020-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4800-38-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/4800-37-0x00000000025A0000-0x000000000264A000-memory.dmp

Filesize
680KB

Download
memory/4800-72-0x00000000025A0000-0x000000000264A000-memory.dmp

Filesize
680KB

Download
memory/4800-75-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads