modiloader | ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596

General

Target

SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
Size

279KB
MD5

03a2cf836e01c4bbda317dff5f0bc869
SHA1

9f0746dc4f9698b7b5916f4327bfb50e27ef73d8
SHA256

ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596
SHA512

aeb876ed448acd8a11d4d5da22fc92c1d755990bac4ac8935bfd52bd431d4c96a94c517c1d74f62be74a429c3eebc52e3d9d922919de66d8c7e1c0566e14c4db
SSDEEP

6144:nR0XMxh2JejPu6nDSCejtRbxZaBwoJjkE5Mx7xSw33V0dLOwm:OXMxhMebBDnSxE7jkIImFdm

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/1900-30-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2
behavioral1/memory/2732-32-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2
behavioral1/memory/1900-40-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	QQ.exe

Loads dropped DLL 5 IoCs

pid	Process
1900	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
1900	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\A:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\B:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\G:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\H:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\I:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\J:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\L:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\N:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\O:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\S:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\W:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\Y:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\Z:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\E:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\P:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\R:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\T:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\U:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\M:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\Q:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\V:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\X:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\AutoRun.inf	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened for modification	C:\AutoRun.inf	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File created	F:\AutoRun.inf	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened for modification	F:\AutoRun.inf	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\QQ.exe	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe	QQ.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe	QQ.exe
File created	C:\Program Files\Delet.bat	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File created	C:\Program Files\QQ.exe	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2736	2732	WerFault.exe	28

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2732	1900	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe	28
PID 1900 wrote to memory of 2732	1900	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe	28
PID 1900 wrote to memory of 2732	1900	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe	28
PID 1900 wrote to memory of 2732	1900	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe	28
PID 2732 wrote to memory of 2736	2732	QQ.exe	29
PID 2732 wrote to memory of 2736	2732	QQ.exe	29
PID 2732 wrote to memory of 2736	2732	QQ.exe	29
PID 2732 wrote to memory of 2736	2732	QQ.exe	29
PID 1900 wrote to memory of 2648	1900	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe	30
PID 1900 wrote to memory of 2648	1900	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe	30
PID 1900 wrote to memory of 2648	1900	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe	30
PID 1900 wrote to memory of 2648	1900	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe	30

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Program Files\QQ.exe
  "C:\Program Files\QQ.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 280
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Delet.bat""
  2⤵
  - Deletes itself
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Delet.bat

Filesize
220B

MD5
2d5749d74d0113331064453e1a7c2296

SHA1
0c33571595324a85fd550676787e8e99c10798b1

SHA256
c766530e24601e41b436e628fbd7e1d40b8d862cfbadb4813f92e55c7592ec71

SHA512
6f6029d8738a3cdeae11aa02574787cd11d32d4ecb3371ee7b6c5c90746396abba0927c02d631ab96e33ff6851fe33db716d8ac65d22e289bba51c30ad149ff8

Download Submit
F:\QQ.exe

Filesize
279KB

MD5
03a2cf836e01c4bbda317dff5f0bc869

SHA1
9f0746dc4f9698b7b5916f4327bfb50e27ef73d8

SHA256
ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596

SHA512
aeb876ed448acd8a11d4d5da22fc92c1d755990bac4ac8935bfd52bd431d4c96a94c517c1d74f62be74a429c3eebc52e3d9d922919de66d8c7e1c0566e14c4db

Download Submit
memory/1900-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1900-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1900-12-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1900-19-0x0000000002FC0000-0x0000000003114000-memory.dmp

Filesize
1.3MB

Download
memory/1900-30-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1900-31-0x0000000002FC0000-0x0000000003114000-memory.dmp

Filesize
1.3MB

Download
memory/1900-40-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2732-21-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2732-23-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2732-32-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads