modiloader | cb67844c1988b0738263573ebf7a2a2bf477ecfb9c2a51f3c65d586d17be9d18

General

Target

8e181beb277e9c40d3028f2c8efaf55f.exe
Size

436KB
MD5

8e181beb277e9c40d3028f2c8efaf55f
SHA1

a5b27d262a2fb59d941cb1a6ca6c6fbf15210a83
SHA256

cb67844c1988b0738263573ebf7a2a2bf477ecfb9c2a51f3c65d586d17be9d18
SHA512

768a6e39dbe49b1f537680f8aa241fc4b434dbcdf5569b4df8eef4ac5a02ec95caaf66e52d2abebcd0472bb515c22e450a92d1999990d2c0ad1991165889b50d
SSDEEP

6144:N1GWAE41wXoMpK8tFCQqztvtrEKlYuhRdUnTWEpFVoo2Uq1JXEKqRg6z/mGxUhIF:NYEj5tFi5Fr9lYI8LjUH5S1xUyH

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/memory/416-14-0x0000000000400000-0x0000000000522040-memory.dmp	modiloader_stage2
behavioral2/memory/416-17-0x0000000000400000-0x0000000000522040-memory.dmp	modiloader_stage2
behavioral2/memory/1148-27-0x0000000000400000-0x0000000000522040-memory.dmp	modiloader_stage2
behavioral2/memory/1148-24-0x0000000000400000-0x0000000000522040-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
416	4.exe
1148	4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8e181beb277e9c40d3028f2c8efaf55f.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	4.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 416	4968	8e181beb277e9c40d3028f2c8efaf55f.exe	84
PID 4968 wrote to memory of 416	4968	8e181beb277e9c40d3028f2c8efaf55f.exe	84
PID 4968 wrote to memory of 416	4968	8e181beb277e9c40d3028f2c8efaf55f.exe	84
PID 416 wrote to memory of 2296	416	4.exe	85
PID 416 wrote to memory of 2296	416	4.exe	85
PID 4968 wrote to memory of 1148	4968	8e181beb277e9c40d3028f2c8efaf55f.exe	86
PID 4968 wrote to memory of 1148	4968	8e181beb277e9c40d3028f2c8efaf55f.exe	86
PID 4968 wrote to memory of 1148	4968	8e181beb277e9c40d3028f2c8efaf55f.exe	86
PID 1148 wrote to memory of 2752	1148	4.exe	87
PID 1148 wrote to memory of 2752	1148	4.exe	87

C:\Users\Admin\AppData\Local\Temp\8e181beb277e9c40d3028f2c8efaf55f.exe
"C:\Users\Admin\AppData\Local\Temp\8e181beb277e9c40d3028f2c8efaf55f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:2296
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt

Filesize
52B

MD5
f2d7b9cfb1d27a46856f55570efba5ee

SHA1
b6878495dc20296df54fce2ef62e73b09995067d

SHA256
82cae14a554a9bca7ae814e8e0e303a90f9feaf1f00d54c9b791163484e61464

SHA512
ee4e6d9ddfb221d7ac4180524648365080cf0526b31ac3ce0fc3d1dd2e1efea55778e43c25783fd838c0c3c4ea2ab539844ae12c93e645e50682881053b1df8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
360KB

MD5
ef1e35296954203bd8f944ba5b14bd83

SHA1
bd37210fb05a8449b0ad460f4470942d588d159c

SHA256
a1b107d428e1a1c8a935d45d3b9ac1e37521d5f131afcd66940d17c02614530f

SHA512
cf4b136b30e5a5d20bdf4600c55320bd720bf738e8364f7af7fd4a25977b4455b7619460ed8a2ff9aae8511adea2e4023f506a1b1ff8b409859f09a5e31c2316

Download Submit
memory/416-12-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/416-8-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/416-10-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/416-11-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/416-6-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/416-13-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/416-14-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/416-16-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/416-17-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/416-5-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/1148-27-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/1148-24-0x0000000000400000-0x0000000000522040-memory.dmp

Filesize
1.1MB

Download
memory/1148-29-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads