modiloader | 8f6809da5489c4cfb2dfaec013a35fe99e77174b8c463ea8897238820d32de82

General

Target

b6d1b70101acc223420e27aca2e7416b.exe
Size

515KB
MD5

b6d1b70101acc223420e27aca2e7416b
SHA1

31084a3f8cb1240fd50dec4cb83e01365318e507
SHA256

8f6809da5489c4cfb2dfaec013a35fe99e77174b8c463ea8897238820d32de82
SHA512

318acf02b974be41db0d40b39684b792550c043c3636b7c36170d36add19bed0f9829be32f2a520df1a327e2f8c8dbccf81d159ab19d3d9bcbe0e6f3be37d163
SSDEEP

12288:dupri6XGXQyiuONEih7KLQOJtJ+/l19Xgcbtw7szO8p:du1XIV/ih7UQOc1OawAqQ

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral2/memory/3396-11-0x00000000005E0000-0x00000000006C2000-memory.dmp	modiloader_stage2
behavioral2/memory/3396-13-0x0000000002ED0000-0x0000000002FBE000-memory.dmp	modiloader_stage2
behavioral2/memory/1624-20-0x00000000005E0000-0x00000000006C2000-memory.dmp	modiloader_stage2
behavioral2/memory/3396-34-0x0000000002ED0000-0x0000000002FBE000-memory.dmp	modiloader_stage2
behavioral2/memory/1624-36-0x0000000004100000-0x00000000041EE000-memory.dmp	modiloader_stage2
behavioral2/memory/1624-44-0x0000000004100000-0x00000000041EE000-memory.dmp	modiloader_stage2

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002324a-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1624	rejoice81.exe

Loads dropped DLL 4 IoCs

pid	Process
3396	b6d1b70101acc223420e27aca2e7416b.exe
3396	b6d1b70101acc223420e27aca2e7416b.exe
1624	rejoice81.exe
1624	rejoice81.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_rejoice81.exe	rejoice81.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice81.exe	rejoice81.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 1356	1624	rejoice81.exe	107

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe	b6d1b70101acc223420e27aca2e7416b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe	b6d1b70101acc223420e27aca2e7416b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	b6d1b70101acc223420e27aca2e7416b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4844	1356	WerFault.exe	107

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID	b6d1b70101acc223420e27aca2e7416b.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{4EDB5D3C-5DCA-4C4D-8D89-64C2CF5BD193}	b6d1b70101acc223420e27aca2e7416b.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{4EDB5D3C-5DCA-4C4D-8D89-64C2CF5BD193}\InprocServer64	b6d1b70101acc223420e27aca2e7416b.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID	rejoice81.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{4EDB5D3C-5DCA-4C4D-8D89-64C2CF5BD193}	rejoice81.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{4EDB5D3C-5DCA-4C4D-8D89-64C2CF5BD193}\InprocServer64	rejoice81.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 1624	3396	b6d1b70101acc223420e27aca2e7416b.exe	100
PID 3396 wrote to memory of 1624	3396	b6d1b70101acc223420e27aca2e7416b.exe	100
PID 3396 wrote to memory of 1624	3396	b6d1b70101acc223420e27aca2e7416b.exe	100
PID 3396 wrote to memory of 1656	3396	b6d1b70101acc223420e27aca2e7416b.exe	101
PID 3396 wrote to memory of 1656	3396	b6d1b70101acc223420e27aca2e7416b.exe	101
PID 3396 wrote to memory of 1656	3396	b6d1b70101acc223420e27aca2e7416b.exe	101
PID 1624 wrote to memory of 1356	1624	rejoice81.exe	107
PID 1624 wrote to memory of 1356	1624	rejoice81.exe	107
PID 1624 wrote to memory of 1356	1624	rejoice81.exe	107
PID 1624 wrote to memory of 1356	1624	rejoice81.exe	107
PID 1624 wrote to memory of 1356	1624	rejoice81.exe	107
PID 1624 wrote to memory of 5088	1624	rejoice81.exe	108
PID 1624 wrote to memory of 5088	1624	rejoice81.exe	108

C:\Users\Admin\AppData\Local\Temp\b6d1b70101acc223420e27aca2e7416b.exe
"C:\Users\Admin\AppData\Local\Temp\b6d1b70101acc223420e27aca2e7416b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:1356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 12
      4⤵
      Program crash
      PID:4844
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:5088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
  2⤵
  PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1356 -ip 1356
1⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:3776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat

Filesize
184B

MD5
775e62799e84f1980bdedeff79b49f07

SHA1
744a7a501b52fbe3c9d0fd75ffd55f95cbef4b3f

SHA256
964da3d78d055abac32fb5c6159c266b4841196b8a932d5c742dc9dd5ed31a16

SHA512
9b693158b653319591432e11bc46d8aa278644a12c0cb4e176574caf8de13617bd7d67c39e808b3ca25f647a0080dcad4fe960c1234f4876f9ed08a534d3bec1

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\rejoice81.exe

Filesize
515KB

MD5
b6d1b70101acc223420e27aca2e7416b

SHA1
31084a3f8cb1240fd50dec4cb83e01365318e507

SHA256
8f6809da5489c4cfb2dfaec013a35fe99e77174b8c463ea8897238820d32de82

SHA512
318acf02b974be41db0d40b39684b792550c043c3636b7c36170d36add19bed0f9829be32f2a520df1a327e2f8c8dbccf81d159ab19d3d9bcbe0e6f3be37d163

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7CB.~dl1

Filesize
40KB

MD5
d3edc808052c5ac43f8c1e86bf5786dd

SHA1
9c8ea3358be4a1a58ed3b357852adb4b94cc7322

SHA256
fbac391403c134d13e2d3ada815b6410658473df934b9ba1bb105aebc6bfa18f

SHA512
7114148b4db7f0b542e1ff4c0003a75a70aa43fa342ccd8e578518590e6f78b01afc440161f70c8c387a0911aa196ee77676548e6e5203b956c1659f64322e2e

Download Submit
memory/1624-44-0x0000000004100000-0x00000000041EE000-memory.dmp

Filesize
952KB

Download
memory/1624-43-0x0000000000560000-0x000000000057F000-memory.dmp

Filesize
124KB

Download
memory/1624-42-0x00000000005E0000-0x00000000006C2000-memory.dmp

Filesize
904KB

Download
memory/1624-39-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/1624-20-0x00000000005E0000-0x00000000006C2000-memory.dmp

Filesize
904KB

Download
memory/1624-29-0x0000000000560000-0x000000000057F000-memory.dmp

Filesize
124KB

Download
memory/1624-36-0x0000000004100000-0x00000000041EE000-memory.dmp

Filesize
952KB

Download
memory/3396-13-0x0000000002ED0000-0x0000000002FBE000-memory.dmp

Filesize
952KB

Download
memory/3396-34-0x0000000002ED0000-0x0000000002FBE000-memory.dmp

Filesize
952KB

Download
memory/3396-33-0x0000000002510000-0x000000000252F000-memory.dmp

Filesize
124KB

Download
memory/3396-32-0x00000000005E0000-0x00000000006C2000-memory.dmp

Filesize
904KB

Download
memory/3396-14-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/3396-0-0x00000000005E0000-0x00000000006C2000-memory.dmp

Filesize
904KB

Download
memory/3396-11-0x00000000005E0000-0x00000000006C2000-memory.dmp

Filesize
904KB

Download
memory/3396-9-0x0000000002510000-0x000000000252F000-memory.dmp

Filesize
124KB

Download
memory/3396-7-0x0000000002510000-0x000000000252F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing