modiloader | cb67844c1988b0738263573ebf7a2a2bf477ecfb9c2a51f3c65d586d17be9d18

General

Target

8e181beb277e9c40d3028f2c8efaf55f.exe
Size

436KB
MD5

8e181beb277e9c40d3028f2c8efaf55f
SHA1

a5b27d262a2fb59d941cb1a6ca6c6fbf15210a83
SHA256

cb67844c1988b0738263573ebf7a2a2bf477ecfb9c2a51f3c65d586d17be9d18
SHA512

768a6e39dbe49b1f537680f8aa241fc4b434dbcdf5569b4df8eef4ac5a02ec95caaf66e52d2abebcd0472bb515c22e450a92d1999990d2c0ad1991165889b50d
SSDEEP

6144:N1GWAE41wXoMpK8tFCQqztvtrEKlYuhRdUnTWEpFVoo2Uq1JXEKqRg6z/mGxUhIF:NYEj5tFi5Fr9lYI8LjUH5S1xUyH

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral1/memory/2456-27-0x0000000000E20000-0x0000000000F43000-memory.dmp	modiloader_stage2
behavioral1/memory/1692-30-0x0000000000B30000-0x0000000000C53000-memory.dmp	modiloader_stage2
behavioral1/memory/1692-38-0x0000000000400000-0x0000000000522040-memory.dmp	modiloader_stage2
behavioral1/memory/1692-37-0x0000000000400000-0x0000000000522040-memory.dmp	modiloader_stage2
behavioral1/memory/2492-22-0x0000000000400000-0x0000000000522040-memory.dmp	modiloader_stage2
behavioral1/memory/2492-21-0x0000000000400000-0x0000000000522040-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2492	4.exe
1692	4.exe

Loads dropped DLL 6 IoCs

pid	Process
2456	8e181beb277e9c40d3028f2c8efaf55f.exe
2456	8e181beb277e9c40d3028f2c8efaf55f.exe
2492	4.exe
2456	8e181beb277e9c40d3028f2c8efaf55f.exe
2456	8e181beb277e9c40d3028f2c8efaf55f.exe
1692	4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8e181beb277e9c40d3028f2c8efaf55f.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	4.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2492	2456	8e181beb277e9c40d3028f2c8efaf55f.exe	28
PID 2456 wrote to memory of 2492	2456	8e181beb277e9c40d3028f2c8efaf55f.exe	28
PID 2456 wrote to memory of 2492	2456	8e181beb277e9c40d3028f2c8efaf55f.exe	28
PID 2456 wrote to memory of 2492	2456	8e181beb277e9c40d3028f2c8efaf55f.exe	28
PID 2456 wrote to memory of 2492	2456	8e181beb277e9c40d3028f2c8efaf55f.exe	28
PID 2456 wrote to memory of 2492	2456	8e181beb277e9c40d3028f2c8efaf55f.exe	28
PID 2456 wrote to memory of 2492	2456	8e181beb277e9c40d3028f2c8efaf55f.exe	28
PID 2456 wrote to memory of 1692	2456	8e181beb277e9c40d3028f2c8efaf55f.exe	29
PID 2456 wrote to memory of 1692	2456	8e181beb277e9c40d3028f2c8efaf55f.exe	29
PID 2456 wrote to memory of 1692	2456	8e181beb277e9c40d3028f2c8efaf55f.exe	29
PID 2456 wrote to memory of 1692	2456	8e181beb277e9c40d3028f2c8efaf55f.exe	29
PID 2456 wrote to memory of 1692	2456	8e181beb277e9c40d3028f2c8efaf55f.exe	29
PID 2456 wrote to memory of 1692	2456	8e181beb277e9c40d3028f2c8efaf55f.exe	29
PID 2456 wrote to memory of 1692	2456	8e181beb277e9c40d3028f2c8efaf55f.exe	29

C:\Users\Admin\AppData\Local\Temp\8e181beb277e9c40d3028f2c8efaf55f.exe
"C:\Users\Admin\AppData\Local\Temp\8e181beb277e9c40d3028f2c8efaf55f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:2492
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt

Filesize
52B

MD5
f2d7b9cfb1d27a46856f55570efba5ee

SHA1
b6878495dc20296df54fce2ef62e73b09995067d

SHA256
82cae14a554a9bca7ae814e8e0e303a90f9feaf1f00d54c9b791163484e61464

SHA512
ee4e6d9ddfb221d7ac4180524648365080cf0526b31ac3ce0fc3d1dd2e1efea55778e43c25783fd838c0c3c4ea2ab539844ae12c93e645e50682881053b1df8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
104KB

MD5
9e273ddeb7885641581b7f91cbd3d40a

SHA1
20e30a90e0f01fc09398c5f6e5aecbbf3177ebeb

SHA256
55dce8b7567f57ec7e4b828c60368b5f2bb6e931fc656dc349c100ff4ca10608

SHA512
adef26f16ca3f8f9f76f647ddeab3bc34243c13d6fa19a9666dec1381547b5e2b35e171bb0a752eec963d9bbe1526cd523ecd8143c7253fbb97935edf285d166

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
42KB

MD5
28077eae8ad5f24e0b78edc5e52b5b31

SHA1
a1a96660801c26fe6a177a8c04922c6406115718

SHA256
180e8c9a2f0abbb57687460f891f7e726bef019deefc1cba931d1fedbe568102

SHA512
cf18659644ed242ddcfec401e4e7ad76aa93a41cba3589fa4c5429d6a5eaf468d7c08fe2c302ac57a7eb3069e8f4a07361438e5f0cf7e74e16083ca12d48a554

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
141KB

MD5
e6a45c53240b32ec72809a120a5956ce

SHA1
0b05fc809e4fe6de6a6d99c95816a75dcda4b8e0

SHA256
81a7d2cd0049d09e9ec9bd4ca1254ac472a2c35a4d382fa12b88a26002f74d01

SHA512
bc81c421c115dc09f29b3bc715352efc4c0317999f48cc7561009c13e886fb26cc62e642c0729a74ad26e702f7e8a88a7e3b6ef512b2362f8c2348d65386e55d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
110KB

MD5
4b7da72125cd7ba1b7078bece3ef41db

SHA1
d4e7a1d5f4693fea7d7b2c8eb2082042a8292e97

SHA256
f55fa769febd359130d607ccae4c2d6816ba05b9dc4e5724bb9e46bf5779867b

SHA512
c9d7eea37c65c1170cfa0d1034822e9145dd2d705a624bd0daa3b7aa0c4d59f9267e8562996fde2b0c6d66edb35df96b2b1220dc1677c6204617df02a196fe25

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
360KB

MD5
ef1e35296954203bd8f944ba5b14bd83

SHA1
bd37210fb05a8449b0ad460f4470942d588d159c

SHA256
a1b107d428e1a1c8a935d45d3b9ac1e37521d5f131afcd66940d17c02614530f

SHA512
cf4b136b30e5a5d20bdf4600c55320bd720bf738e8364f7af7fd4a25977b4455b7619460ed8a2ff9aae8511adea2e4023f506a1b1ff8b409859f09a5e31c2316

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
45KB

MD5
df108675a315789117f2a01a99fc4926

SHA1
a98fd17a6bbe097a602af44abacbc4e0dd8637c9

SHA256
57be87fc5793e74ceb0dc021707616623f2a58b768bec04026d094cdd2a35299

SHA512
55fe54e75e1cdef85218b421e6a79662e8d9a93dd558bb76984f6abb3d91271e8d40e5f0c08f16b354ff116521308ccfa8e3886296a35f5bd2f51fac6b313b20

Download Submit
memory/1692-37-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/1692-38-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/1692-34-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/1692-30-0x0000000000B30000-0x0000000000C53000-memory.dmp

Filesize
1.1MB

Download
memory/2456-9-0x0000000000E20000-0x0000000000F43000-memory.dmp

Filesize
1.1MB

Download
memory/2456-25-0x0000000000E20000-0x0000000000F43000-memory.dmp

Filesize
1.1MB

Download
memory/2456-27-0x0000000000E20000-0x0000000000F43000-memory.dmp

Filesize
1.1MB

Download
memory/2492-13-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/2492-12-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/2492-17-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/2492-16-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/2492-14-0x0000000000920000-0x0000000000A43000-memory.dmp

Filesize
1.1MB

Download
memory/2492-19-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2492-22-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/2492-21-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/2492-18-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads