modiloader | ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596

General

Target

SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
Size

279KB
MD5

03a2cf836e01c4bbda317dff5f0bc869
SHA1

9f0746dc4f9698b7b5916f4327bfb50e27ef73d8
SHA256

ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596
SHA512

aeb876ed448acd8a11d4d5da22fc92c1d755990bac4ac8935bfd52bd431d4c96a94c517c1d74f62be74a429c3eebc52e3d9d922919de66d8c7e1c0566e14c4db
SSDEEP

6144:nR0XMxh2JejPu6nDSCejtRbxZaBwoJjkE5Mx7xSw33V0dLOwm:OXMxhMebBDnSxE7jkIImFdm

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/2948-22-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2
behavioral2/memory/892-23-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2948	QQ.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\W:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\I:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\M:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\S:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\T:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\L:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\N:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\X:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\Y:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\A:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\B:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\G:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\K:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\Z:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\Q:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\R:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\U:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\V:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\E:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\H:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\J:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened (read-only)	\??\O:	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\AutoRun.inf	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened for modification	C:\AutoRun.inf	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File created	F:\AutoRun.inf	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened for modification	F:\AutoRun.inf	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\QQ.exe	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File opened for modification	C:\Program Files\QQ.exe	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe	QQ.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe	QQ.exe
File created	C:\Program Files\Delet.bat	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 2948	892	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe	88
PID 892 wrote to memory of 2948	892	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe	88
PID 892 wrote to memory of 2948	892	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe	88
PID 892 wrote to memory of 2576	892	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe	89
PID 892 wrote to memory of 2576	892	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe	89
PID 892 wrote to memory of 2576	892	SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe	89

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Pigeon.17327.27136.20853.exe"
1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:892
- C:\Program Files\QQ.exe
  "C:\Program Files\QQ.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Delet.bat""
  2⤵
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Delet.bat

Filesize
220B

MD5
2d5749d74d0113331064453e1a7c2296

SHA1
0c33571595324a85fd550676787e8e99c10798b1

SHA256
c766530e24601e41b436e628fbd7e1d40b8d862cfbadb4813f92e55c7592ec71

SHA512
6f6029d8738a3cdeae11aa02574787cd11d32d4ecb3371ee7b6c5c90746396abba0927c02d631ab96e33ff6851fe33db716d8ac65d22e289bba51c30ad149ff8

Download Submit
C:\Program Files\QQ.exe

Filesize
175KB

MD5
561889c4b4332d2121975b6e7dd7f032

SHA1
cf67c31fc952b9530a3a71f75f1aa6230270d743

SHA256
303ab5c9da02114df8731817dc37fa3e229e9b650846d8fff462695f8e17d1da

SHA512
6efb68e97dfbacd68e7302c1997a12fa8ece62eb433d7054e9422c63740b3afbd4a25685d833d44c13698914d371c1d089d48b61a9707dbf5ad82eca73643149

Download Submit
C:\Program Files\QQ.exe

Filesize
181KB

MD5
b2659862af494eab4de1a6b7de7300c0

SHA1
089dd6b4253335d1cecfbab52d43c7b7ab305f11

SHA256
2a8cf55bcaa96fab7775d92d6510f68acd6d25c8db0517f76b0531d7d3d75355

SHA512
d5a934cc3d1d933847d3e0d19632a045e85c732e7b1c5a04d2f5e63c4931147671fb14a9bf28c5387fcf0fe42f3ec2b0255111be996af6bf68612768fa3907db

Download Submit
F:\QQ.exe

Filesize
279KB

MD5
03a2cf836e01c4bbda317dff5f0bc869

SHA1
9f0746dc4f9698b7b5916f4327bfb50e27ef73d8

SHA256
ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596

SHA512
aeb876ed448acd8a11d4d5da22fc92c1d755990bac4ac8935bfd52bd431d4c96a94c517c1d74f62be74a429c3eebc52e3d9d922919de66d8c7e1c0566e14c4db

Download Submit
memory/892-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/892-1-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/892-12-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/892-23-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2948-20-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2948-22-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads