modiloader | ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d

General

Target

ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
Size

793KB
MD5

46b556cbf522ce882e1c4fe819b1df06
SHA1

eebc61c027538e381831ae6c7768ea2d94430e52
SHA256

ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d
SHA512

a1b5a7d2d67edd96f1d56a9f6bc668d8756794b099efe323c79e0e301af0df26249a39b6be602aede307dcf9c590a112ff08e79f691f0975f1e41dffdf9f9ffe
SSDEEP

12288:olZYc2z1y2dc5AgHQPQjl2d6v752e6tADa4ATouPycl4O8q7ksGq+mTMZxT:olKcIxWYPQjl2s75947zDusGq+mT2

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2060-0-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
F:\system.exe	modiloader_stage2
behavioral1/memory/2060-14-0x0000000001E10000-0x0000000001ED9000-memory.dmp	modiloader_stage2
behavioral1/memory/3032-24-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2060-35-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral1/memory/3032-36-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2060-44-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2492 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

3032 system.exe

pid	process
2492	cmd.exe

pid	process
3032	system.exe

Loads dropped DLL 5 IoCs

Processes:

ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exeWerFault.exe

pid	process
2060	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
2060	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2060-0-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
F:\system.exe	upx
behavioral1/memory/2060-14-0x0000000001E10000-0x0000000001ED9000-memory.dmp	upx
behavioral1/memory/3032-24-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2060-35-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3032-36-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2060-44-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe

description	ioc	process
File opened (read-only)	\??\M:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\R:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\S:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\U:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\K:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\G:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\I:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\L:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\P:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\X:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\Z:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\E:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\N:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\Q:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\V:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\W:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\A:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\H:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\J:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\O:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\T:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\Y:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened (read-only)	\??\B:	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe

description	ioc	process
File created	F:\AutoRun.inf	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened for modification	F:\AutoRun.inf	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File created	C:\AutoRun.inf	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened for modification	C:\AutoRun.inf	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe

Drops file in System32 directory 2 IoCs

Processes:

system.exe

description ioc process

File created C:\Windows\SysWOW64\_system.exe system.exe
File opened for modification C:\Windows\SysWOW64\_system.exe system.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

system.exe

description pid process target process

PID 3032 set thread context of 2540 3032 system.exe calc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\_system.exe	system.exe

description	pid	process	target process
PID 3032 set thread context of 2540	3032	system.exe	calc.exe

Drops file in Program Files directory 3 IoCs

Processes:

ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2604 3032 WerFault.exe system.exe

pid	pid_target	process	target process
2604	3032	WerFault.exe	system.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exesystem.exe

description	pid	process	target process
PID 2060 wrote to memory of 3032	2060	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe	system.exe
PID 2060 wrote to memory of 3032	2060	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe	system.exe
PID 2060 wrote to memory of 3032	2060	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe	system.exe
PID 2060 wrote to memory of 3032	2060	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe	system.exe
PID 3032 wrote to memory of 2540	3032	system.exe	calc.exe
PID 3032 wrote to memory of 2540	3032	system.exe	calc.exe
PID 3032 wrote to memory of 2540	3032	system.exe	calc.exe
PID 3032 wrote to memory of 2540	3032	system.exe	calc.exe
PID 3032 wrote to memory of 2540	3032	system.exe	calc.exe
PID 3032 wrote to memory of 2540	3032	system.exe	calc.exe
PID 3032 wrote to memory of 2604	3032	system.exe	WerFault.exe
PID 3032 wrote to memory of 2604	3032	system.exe	WerFault.exe
PID 3032 wrote to memory of 2604	3032	system.exe	WerFault.exe
PID 3032 wrote to memory of 2604	3032	system.exe	WerFault.exe
PID 2060 wrote to memory of 2492	2060	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe	cmd.exe
PID 2060 wrote to memory of 2492	2060	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe	cmd.exe
PID 2060 wrote to memory of 2492	2060	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe	cmd.exe
PID 2060 wrote to memory of 2492	2060	ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
"C:\Users\Admin\AppData\Local\Temp\ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2060

C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 280
3⤵
- Loads dropped DLL
- Program crash
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
2⤵
- Deletes itself
PID:2492

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat
Filesize
248B

MD5
5fe98fe3dc9c6c140c8509041ef00f43

SHA1
71f47694c1be60b6f89cb0f859dae52c03b142ed

SHA256
cefe847e32e320630f3a978aabbca298d5b57ba1fda409cebbd03b0676de17fd

SHA512
828c97b6831099b65956fafc5a46ab9bb6dc389dd706b094479da8b58e7583ea9f576f7ef42195d41dd0e10e79ee3ac107cdfb705459fa65b3f06463b5df3520

Download Submit
F:\system.exe
Filesize
793KB

MD5
46b556cbf522ce882e1c4fe819b1df06

SHA1
eebc61c027538e381831ae6c7768ea2d94430e52

SHA256
ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d

SHA512
a1b5a7d2d67edd96f1d56a9f6bc668d8756794b099efe323c79e0e301af0df26249a39b6be602aede307dcf9c590a112ff08e79f691f0975f1e41dffdf9f9ffe

Download Submit
memory/2060-0-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2060-1-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2060-14-0x0000000001E10000-0x0000000001ED9000-memory.dmp

Filesize
804KB

Download
memory/2060-20-0x0000000001E10000-0x0000000001ED9000-memory.dmp

Filesize
804KB

Download
memory/2060-35-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2060-44-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2540-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3032-25-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/3032-24-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3032-36-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads