modiloader | 745c2ebd15d66fa5f5a900c03d8f0c6d8bbc9f6e2b6d9ccfeed52cc7fd25bc42

General

Target

sss.exe
Size

108KB
MD5

c966db1f910185819f5ddec4eb437e4f
SHA1

b59d46d6f84b5062f15d9a5b518d68a9e77b4e66
SHA256

4ffe19677b72eb2d3ecbc9ee9ade77413b48cc6189776a704b9e114fb05c8860
SHA512

0a6ece3f6a4513597fbac5405da61f775e60741ce24c56223f8a79c2d653850546fc5efb9d65a217cfa33cab1f6ff52e56f7ef51212c0713797edcceb99dd89c
SSDEEP

3072:hoy8j7VnNdrPHaSekwi+mW+2fnp/Viout:x8jZ7rvaU3+mWrPp/VioS

Score

10^/10

modiloader evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

mstwain32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe

ModiLoader Second Stage 17 IoCs

Processes:

resource	yara_rule
behavioral6/memory/2708-11-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-12-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-28-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-31-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-32-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-35-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-38-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-41-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-44-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-47-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-50-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-53-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-56-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-59-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-62-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-65-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral6/memory/4320-68-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

sss.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation sss.exe
Executes dropped EXE 1 IoCs

Processes:

mstwain32.exe

pid process

4320 mstwain32.exe
Loads dropped DLL 4 IoCs

Processes:

mstwain32.exe

pid process

4320 mstwain32.exe
4320 mstwain32.exe
4320 mstwain32.exe
4320 mstwain32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	sss.exe

pid	process
4320	mstwain32.exe

pid	process
4320	mstwain32.exe
4320	mstwain32.exe
4320	mstwain32.exe
4320	mstwain32.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral6/memory/2708-0-0x0000000000400000-0x0000000000450000-memory.dmp	upx
C:\Windows\mstwain32.exe	upx
behavioral6/memory/2708-11-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-12-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-28-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-31-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-32-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-35-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-38-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-41-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-44-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-47-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-50-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-53-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-56-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-59-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-62-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-65-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral6/memory/4320-68-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mstwain32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mstwain32.exesss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe

Drops file in Windows directory 4 IoCs

Processes:

sss.exemstwain32.exe

description	ioc	process
File created	C:\Windows\mstwain32.exe	sss.exe
File opened for modification	C:\Windows\mstwain32.exe	sss.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

sss.exemstwain32.exe

description pid process

Token: SeDebugPrivilege 2708 sss.exe
Token: SeDebugPrivilege 4320 mstwain32.exe
Token: SeDebugPrivilege 4320 mstwain32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mstwain32.exe

pid process

4320 mstwain32.exe
4320 mstwain32.exe

description	pid	process
Token: SeDebugPrivilege	2708	sss.exe
Token: SeDebugPrivilege	4320	mstwain32.exe
Token: SeDebugPrivilege	4320	mstwain32.exe

pid	process
4320	mstwain32.exe
4320	mstwain32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

sss.exe

description	pid	process	target process
PID 2708 wrote to memory of 4320	2708	sss.exe	mstwain32.exe
PID 2708 wrote to memory of 4320	2708	sss.exe	mstwain32.exe
PID 2708 wrote to memory of 4320	2708	sss.exe	mstwain32.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

mstwain32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\sss.exe
"C:\Users\Admin\AppData\Local\Temp\sss.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\mstwain32.exe
  "C:\Windows\mstwain32.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\cmsetac.dll

Filesize
33KB

MD5
bbebb94078b2bf9a48387ccb56549766

SHA1
2a6ec9be52ef04524344a113865457fb20d41029

SHA256
4153d49dc3fe9a6ec6799594bf52df73556d1dab04f6f4a1a7563c4d108d0ac3

SHA512
149375345ca570ecc3a383be0c6cbc2b976c343bf3f3845d885f961a5151eb55cf53e68273d4a856c0f109b15bf6795374875254629bcf111944eed51028b18f

Download Submit
C:\Windows\mstwain32.exe

Filesize
108KB

MD5
c966db1f910185819f5ddec4eb437e4f

SHA1
b59d46d6f84b5062f15d9a5b518d68a9e77b4e66

SHA256
4ffe19677b72eb2d3ecbc9ee9ade77413b48cc6189776a704b9e114fb05c8860

SHA512
0a6ece3f6a4513597fbac5405da61f775e60741ce24c56223f8a79c2d653850546fc5efb9d65a217cfa33cab1f6ff52e56f7ef51212c0713797edcceb99dd89c

Download Submit
C:\Windows\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/2708-1-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/2708-11-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2708-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-29-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/4320-41-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-20-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4320-27-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/4320-28-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-30-0x0000000002360000-0x000000000236E000-memory.dmp

Filesize
56KB

Download
memory/4320-12-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-31-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-32-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-35-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-38-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-24-0x0000000002360000-0x000000000236E000-memory.dmp

Filesize
56KB

Download
memory/4320-44-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-47-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-50-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-53-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-56-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-59-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-62-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-68-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads