modiloader | 338c220997baa0485c25470cde2f7c2d4ef75160eb873192a5365a2e0e8f715c

General

Target

XClient.exe
Size

102KB
MD5

5e24357f522943541ff27ef9b9bb562a
SHA1

61866fdd5e79a11c867b47d76c15db24e785ecd2
SHA256

338c220997baa0485c25470cde2f7c2d4ef75160eb873192a5365a2e0e8f715c
SHA512

658d3d5951a239ecd409a567d59b59db009ac4c86dc2a1b92eaab32ae568410c8262901b1acfc4eae486f39adb0d374a533f227649fccc94193a6b849929df59
SSDEEP

1536:eqyNVGF7YnjFF8pNhgUGSL1bWZR9/CJbZT6YdaOpYYVfccAvizZuvdigE:SV/njFF8r5fbWZR+54OpYJ1quvdiv

Score

10^/10

modiloader xworm aspackv2 execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

subjects-handbook.gl.at.ply.gg:56071

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2804-1-0x00000000003F0000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/files/0x000d000000014fe1-35.dat	family_xworm
behavioral1/memory/1368-37-0x0000000001300000-0x0000000001320000-memory.dmp	family_xworm

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2580-44-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-46-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2392	powershell.exe
2856	powershell.exe
2524	powershell.exe
2516	powershell.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000f00000000f680-42.dat	aspack_v212_v242

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe

Executes dropped EXE 3 IoCs

pid	Process
1368	svchost.exe
2580	qeoqhq.exe
2792	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2524	powershell.exe
2516	powershell.exe
2392	powershell.exe
2856	powershell.exe
2804	XClient.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	XClient.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2804	XClient.exe
Token: SeDebugPrivilege	1368	svchost.exe
Token: SeDebugPrivilege	2792	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2804	XClient.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2524	2804	XClient.exe	29
PID 2804 wrote to memory of 2524	2804	XClient.exe	29
PID 2804 wrote to memory of 2524	2804	XClient.exe	29
PID 2804 wrote to memory of 2516	2804	XClient.exe	31
PID 2804 wrote to memory of 2516	2804	XClient.exe	31
PID 2804 wrote to memory of 2516	2804	XClient.exe	31
PID 2804 wrote to memory of 2392	2804	XClient.exe	33
PID 2804 wrote to memory of 2392	2804	XClient.exe	33
PID 2804 wrote to memory of 2392	2804	XClient.exe	33
PID 2804 wrote to memory of 2856	2804	XClient.exe	35
PID 2804 wrote to memory of 2856	2804	XClient.exe	35
PID 2804 wrote to memory of 2856	2804	XClient.exe	35
PID 2804 wrote to memory of 576	2804	XClient.exe	37
PID 2804 wrote to memory of 576	2804	XClient.exe	37
PID 2804 wrote to memory of 576	2804	XClient.exe	37
PID 2008 wrote to memory of 1368	2008	taskeng.exe	42
PID 2008 wrote to memory of 1368	2008	taskeng.exe	42
PID 2008 wrote to memory of 1368	2008	taskeng.exe	42
PID 2804 wrote to memory of 2580	2804	XClient.exe	43
PID 2804 wrote to memory of 2580	2804	XClient.exe	43
PID 2804 wrote to memory of 2580	2804	XClient.exe	43
PID 2804 wrote to memory of 2580	2804	XClient.exe	43
PID 2008 wrote to memory of 2792	2008	taskeng.exe	44
PID 2008 wrote to memory of 2792	2008	taskeng.exe	44
PID 2008 wrote to memory of 2792	2008	taskeng.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Creates scheduled task(s)
  PID:576
- C:\Users\Admin\AppData\Local\Temp\qeoqhq.exe
  "C:\Users\Admin\AppData\Local\Temp\qeoqhq.exe"
  2⤵
  - Executes dropped EXE
  PID:2580

C:\Windows\system32\taskeng.exe
taskeng.exe {DCB13A86-14E9-4352-A74D-82069B169E3B} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qeoqhq.exe

Filesize
699KB

MD5
81dd862410af80c9d2717af912778332

SHA1
8f1df476f58441db5973ccfdc211c8680808ffe1

SHA256
60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f

SHA512
8dd014b91fb1e2122d2e4da444db78dd551513c500d447bb1e94ceb7f2f8d45223a8a706e2156102f8c8850d2bb02ae6b8ea0c9282abd7baaa2c84130112af15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8ce6a92e9e2a3fa61ec92ea70ce38cf4

SHA1
f92cc5b2714cec1dade4ced6b4aeae0ede67fd96

SHA256
7d144bcd5adaa401271fdc36785ca69c34272c59fbc4d7c0341b87b84aa386df

SHA512
bc567973efec38971a0eaff2efd1faed8b599e45cc4f4279b791f99abf633a12d2ba37a68c83751409709447c842df6e67b0b8d6e9695f6b343a97eec31e0f0f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
102KB

MD5
5e24357f522943541ff27ef9b9bb562a

SHA1
61866fdd5e79a11c867b47d76c15db24e785ecd2

SHA256
338c220997baa0485c25470cde2f7c2d4ef75160eb873192a5365a2e0e8f715c

SHA512
658d3d5951a239ecd409a567d59b59db009ac4c86dc2a1b92eaab32ae568410c8262901b1acfc4eae486f39adb0d374a533f227649fccc94193a6b849929df59

Download Submit
memory/1368-37-0x0000000001300000-0x0000000001320000-memory.dmp

Filesize
128KB

Download
memory/2516-14-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/2516-15-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2524-8-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2524-7-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2580-43-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2580-44-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2580-46-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2804-31-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp

Filesize
4KB

Download
memory/2804-32-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-2-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-0-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp

Filesize
4KB

Download
memory/2804-1-0x00000000003F0000-0x0000000000410000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads