modiloader | e9e96bfcecf2f4fdc536cb0e8b1b2a08cb660f4b73a87099deeb7cbf0cb62210

General

Target

l2c.exe
Size

9.5MB
MD5

de62c328c41a5001cf64d9211d86b521
SHA1

be7ccc7eaf87513a4042572f070fe2d0a400a044
SHA256

fa6689da04dca6a996abc167acfdb85e7b4e16cd70cf24f6e2b0b6f5a80e40a8
SHA512

1599aac2b0a4a7275f9785832a33e33c08557cbc199d98f9c095e51ca6b1172930a88a848a482de74fa878cb751a2ba07563f24478251191fc64cab4e9f1a25c
SSDEEP

98304:BmGVKzTGQfyx5BAAYQhN/P732eAbipaQDOZc/nESQ8HzNQo:4GcyxvdGeAboM8HK

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 9 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2704-9-0x0000000000400000-0x0000000000D7C000-memory.dmp	modiloader_stage1
behavioral4/memory/2704-12-0x0000000000400000-0x0000000000D7C000-memory.dmp	modiloader_stage1
behavioral4/memory/4784-16-0x0000000000400000-0x00000000004B7000-memory.dmp	modiloader_stage1
behavioral4/memory/2704-18-0x0000000000400000-0x0000000000D7C000-memory.dmp	modiloader_stage1
behavioral4/memory/2704-19-0x0000000000400000-0x0000000000D7C000-memory.dmp	modiloader_stage1
behavioral4/memory/4784-21-0x0000000000400000-0x00000000004B7000-memory.dmp	modiloader_stage1
behavioral4/memory/2704-22-0x0000000000400000-0x0000000000D7C000-memory.dmp	modiloader_stage1
behavioral4/memory/4784-23-0x0000000000400000-0x00000000004B7000-memory.dmp	modiloader_stage1
behavioral4/memory/2704-25-0x0000000000400000-0x0000000000D7C000-memory.dmp	modiloader_stage1

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

l2c.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation l2c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	l2c.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/2704-9-0x0000000000400000-0x0000000000D7C000-memory.dmp	upx
behavioral4/memory/2704-12-0x0000000000400000-0x0000000000D7C000-memory.dmp	upx
behavioral4/memory/4784-15-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral4/memory/4784-16-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral4/memory/2704-18-0x0000000000400000-0x0000000000D7C000-memory.dmp	upx
behavioral4/memory/2704-19-0x0000000000400000-0x0000000000D7C000-memory.dmp	upx
behavioral4/memory/4784-21-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral4/memory/2704-22-0x0000000000400000-0x0000000000D7C000-memory.dmp	upx
behavioral4/memory/4784-23-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral4/memory/2704-25-0x0000000000400000-0x0000000000D7C000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

Processes:

l2c.exe

description ioc process

File opened for modification C:\Windows\l2control.ini l2c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

l2cserv.exel2c.exe

pid process

4784 l2cserv.exe
4784 l2cserv.exe
4784 l2cserv.exe
2704 l2c.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

l2cserv.exel2c.exe

pid process

4784 l2cserv.exe
4784 l2cserv.exe
4784 l2cserv.exe
2704 l2c.exe

description	ioc	process
File opened for modification	C:\Windows\l2control.ini	l2c.exe

pid	process
4784	l2cserv.exe
4784	l2cserv.exe
4784	l2cserv.exe
2704	l2c.exe

pid	process
4784	l2cserv.exe
4784	l2cserv.exe
4784	l2cserv.exe
2704	l2c.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

l2c.exe

description	pid	process	target process
PID 2704 wrote to memory of 4784	2704	l2c.exe	l2cserv.exe
PID 2704 wrote to memory of 4784	2704	l2c.exe	l2cserv.exe
PID 2704 wrote to memory of 4784	2704	l2c.exe	l2cserv.exe

C:\Users\Admin\AppData\Local\Temp\l2c.exe
"C:\Users\Admin\AppData\Local\Temp\l2c.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\l2cserv.exe
"C:\Users\Admin\AppData\Local\Temp\l2cserv.exe"
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\l2control.ini
Filesize
41B

MD5
261262211c98a3a0cd0c2ba3aa91c2f8

SHA1
e5b351c13aac365e184fa612b4f672a0d816aed2

SHA256
492180baaa03011b6016f7e577adde611bde854a73fcf71fcc5c6e1496345ba6

SHA512
206cebe54d1416e885c6cf419372ec046c33caf2f59a35e60d19b8b6089f22dfe3d35f89f0ef4a85fbdd5ff2dabbab6cc08ce7868bf2d976f192da223a116cb5

Download Submit
memory/2704-12-0x0000000000400000-0x0000000000D7C000-memory.dmp

Filesize
9.5MB

Download
memory/2704-10-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/2704-9-0x0000000000400000-0x0000000000D7C000-memory.dmp

Filesize
9.5MB

Download
memory/2704-11-0x00000000004C5000-0x00000000004C6000-memory.dmp

Filesize
4KB

Download
memory/2704-18-0x0000000000400000-0x0000000000D7C000-memory.dmp

Filesize
9.5MB

Download
memory/2704-19-0x0000000000400000-0x0000000000D7C000-memory.dmp

Filesize
9.5MB

Download
memory/2704-20-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/2704-22-0x0000000000400000-0x0000000000D7C000-memory.dmp

Filesize
9.5MB

Download
memory/2704-25-0x0000000000400000-0x0000000000D7C000-memory.dmp

Filesize
9.5MB

Download
memory/4784-15-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4784-16-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4784-21-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4784-23-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads