modiloader | 5902e474c2ec6955cc08b0d209960a3e52e90b169ca6bd7e05a8460eeef5eabe

General

Target

7f363cdb63cc212982928c9770fa9ea4.exe
Size

369KB
MD5

7f363cdb63cc212982928c9770fa9ea4
SHA1

ce563062ab491a1187008c45f0ca21a56bb65dd8
SHA256

5902e474c2ec6955cc08b0d209960a3e52e90b169ca6bd7e05a8460eeef5eabe
SHA512

2b43e2dcae3888141f18d9dc1a08c13b2899b11cd8248369c3a35a0773cb87bce0ad8845940fb0cc917ea6bd046ca77ada1a0d7033409ce430cb76b35c04c505
SSDEEP

6144:jiqqeROq+9nBwSNxRVNexqtLpw9j37UbV2jy7YMUosWb+msy92NgvpnoJtEh:JQPqIixv9j3YV2y7YMUosWb+Fy2anwWh

Score

10^/10

modiloader bootkit persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\System32\\userinit.exe,\"C:\\Users\\Admin\\Favorites\\netservice.exe\"un userinit.exe"	IOQJ.exe

ModiLoader Second Stage 9 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012261-15.dat	modiloader_stage2
behavioral1/files/0x000e000000015584-41.dat	modiloader_stage2
behavioral1/memory/2580-53-0x0000000000400000-0x0000000000447000-memory.dmp	modiloader_stage2
behavioral1/memory/1708-56-0x0000000000400000-0x000000000046E000-memory.dmp	modiloader_stage2
behavioral1/memory/2640-59-0x0000000000240000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2640-62-0x0000000000240000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2640-66-0x0000000000240000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2640-70-0x0000000000240000-0x00000000002C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2640-78-0x0000000000240000-0x00000000002C4000-memory.dmp	modiloader_stage2

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netns\Parameters\ServiceDll = "C:\\Windows\\System32\\sysns.dll"	IOQJ.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000015c51-51.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2528	RunMgr.EXE
2580	IOQJ.exe

Loads dropped DLL 3 IoCs

pid	Process
2528	RunMgr.EXE
2528	RunMgr.EXE
2640	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000015c51-51.dat	upx
behavioral1/memory/2640-55-0x0000000000240000-0x00000000002C4000-memory.dmp	upx
behavioral1/memory/2640-59-0x0000000000240000-0x00000000002C4000-memory.dmp	upx
behavioral1/memory/2640-62-0x0000000000240000-0x00000000002C4000-memory.dmp	upx
behavioral1/memory/2640-66-0x0000000000240000-0x00000000002C4000-memory.dmp	upx
behavioral1/memory/2640-70-0x0000000000240000-0x00000000002C4000-memory.dmp	upx
behavioral1/memory/2640-78-0x0000000000240000-0x00000000002C4000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	7f363cdb63cc212982928c9770fa9ea4.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysns.dll	IOQJ.exe
File opened for modification	C:\Windows\SysWOW64\sysns.dll	IOQJ.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\RunMgr.EXE	7f363cdb63cc212982928c9770fa9ea4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1708	7f363cdb63cc212982928c9770fa9ea4.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2528	1708	7f363cdb63cc212982928c9770fa9ea4.exe	30
PID 1708 wrote to memory of 2528	1708	7f363cdb63cc212982928c9770fa9ea4.exe	30
PID 1708 wrote to memory of 2528	1708	7f363cdb63cc212982928c9770fa9ea4.exe	30
PID 1708 wrote to memory of 2528	1708	7f363cdb63cc212982928c9770fa9ea4.exe	30
PID 1708 wrote to memory of 2284	1708	7f363cdb63cc212982928c9770fa9ea4.exe	29
PID 1708 wrote to memory of 2284	1708	7f363cdb63cc212982928c9770fa9ea4.exe	29
PID 1708 wrote to memory of 2284	1708	7f363cdb63cc212982928c9770fa9ea4.exe	29
PID 1708 wrote to memory of 2284	1708	7f363cdb63cc212982928c9770fa9ea4.exe	29
PID 1708 wrote to memory of 2020	1708	7f363cdb63cc212982928c9770fa9ea4.exe	31
PID 1708 wrote to memory of 2020	1708	7f363cdb63cc212982928c9770fa9ea4.exe	31
PID 1708 wrote to memory of 2020	1708	7f363cdb63cc212982928c9770fa9ea4.exe	31
PID 1708 wrote to memory of 2020	1708	7f363cdb63cc212982928c9770fa9ea4.exe	31
PID 2528 wrote to memory of 2580	2528	RunMgr.EXE	32
PID 2528 wrote to memory of 2580	2528	RunMgr.EXE	32
PID 2528 wrote to memory of 2580	2528	RunMgr.EXE	32
PID 2528 wrote to memory of 2580	2528	RunMgr.EXE	32
PID 2528 wrote to memory of 2744	2528	RunMgr.EXE	34
PID 2528 wrote to memory of 2744	2528	RunMgr.EXE	34
PID 2528 wrote to memory of 2744	2528	RunMgr.EXE	34
PID 2528 wrote to memory of 2744	2528	RunMgr.EXE	34
PID 2580 wrote to memory of 2696	2580	IOQJ.exe	36
PID 2580 wrote to memory of 2696	2580	IOQJ.exe	36
PID 2580 wrote to memory of 2696	2580	IOQJ.exe	36
PID 2580 wrote to memory of 2696	2580	IOQJ.exe	36

C:\Users\Admin\AppData\Local\Temp\7f363cdb63cc212982928c9770fa9ea4.exe
"C:\Users\Admin\AppData\Local\Temp\7f363cdb63cc212982928c9770fa9ea4.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del %SystemRoot%\Debug.exe
  2⤵
  PID:2284
- C:\Windows\RunMgr.EXE
  "C:\Windows\RunMgr.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\IOQJ.exe
    "C:\Users\Admin\AppData\Local\Temp\IOQJ.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Sets DLL path for service in the registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\IOQJ.exe"
      4⤵
      PID:2696
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\»Æ½ðÕÊºÅ.txt
    3⤵
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\7F363C~1.EXE > nul
  2⤵
  PID:2020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k network
1⤵
- Loads dropped DLL
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IOQJ.exe

Filesize
265KB

MD5
256a31388e297e32461ea5db14686447

SHA1
0117eda444b4905384ecda5caef53049112ae231

SHA256
e7a0714d6854396c3022528354170780e0587a6a214db38824f8039a8381b71b

SHA512
4bb5bfabe07dd3d6f92c6f4727bc9ad8c4d785afc53642e877840f5010919d30e2925309ff15f0d54e291e8f2fc11e8709b66d312db7e2c0ae1529453e29359e

Download Submit
C:\Users\Admin\AppData\Local\Temp\»Æ½ðÕÊºÅ.txt

Filesize
495B

MD5
4738cce5bb28ffefd41079d2b021d23a

SHA1
f7037a36b40287d74b6d9f9104fa85b7a18e1b84

SHA256
b90086be71a1d5046ed85cdfd3fb3e4934b7e03ada119e2168bdcfbd36f0c2c2

SHA512
97f0535b5516b3c1bb40fe58cb17fba1077656f5b7abbdb62d0b35cc23e5913c9f4b87c94389f13f5dc7edb69954a83ad2bd39ea7ec5f77da460685c88bdb9e8

Download Submit
C:\Windows\RunMgr.EXE

Filesize
289KB

MD5
cf3c0efbac5ce00742b8406e1ab3934f

SHA1
34cf7bbb3d56d36d9838633fa9efc683f9bef793

SHA256
039ec23ccf0ae73c15fc9703d2f08da448e930b5c1d9ab02e8657422d9f1bfcb

SHA512
90e84e328f7496e489ddddcec937f10c27fdbbbc7699726e38b9419b45b0ca2955bdd1e6c3447b979071ee395fb2344e7024bee866f19af57a57714f6d337eb9

Download Submit
\??\c:\windows\SysWOW64\sysns.dll

Filesize
191KB

MD5
007fb208b6cde541b9e4f372bb1ad186

SHA1
0f54350aa21ef2935b4d8b62f6c0455ca0d32174

SHA256
84a510265baaaace2dc3b053480299a34b5a8a9f7302788764ee75d4f8b6dc59

SHA512
dfb32a988801905dec5aeb772702dc7467c83c4fd330874990bc742a7177006ba7cac58d855e4b504176d3667badf4ef9535e4d3bde832d6ed8febd9e522e8a3

Download Submit
memory/1708-19-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1708-6-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1708-7-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1708-14-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1708-12-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1708-17-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1708-1-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/1708-18-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1708-20-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1708-21-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/1708-23-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1708-22-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1708-25-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1708-24-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1708-26-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/1708-27-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/1708-29-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1708-28-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1708-57-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/1708-43-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/1708-42-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/1708-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1708-39-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1708-32-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1708-56-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1708-2-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1708-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1708-30-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2528-48-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2580-53-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2640-55-0x0000000000240000-0x00000000002C4000-memory.dmp

Filesize
528KB

Download
memory/2640-59-0x0000000000240000-0x00000000002C4000-memory.dmp

Filesize
528KB

Download
memory/2640-62-0x0000000000240000-0x00000000002C4000-memory.dmp

Filesize
528KB

Download
memory/2640-66-0x0000000000240000-0x00000000002C4000-memory.dmp

Filesize
528KB

Download
memory/2640-70-0x0000000000240000-0x00000000002C4000-memory.dmp

Filesize
528KB

Download
memory/2640-78-0x0000000000240000-0x00000000002C4000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads