modiloader | eed43c12866f5d2d70382ccd10a07670e4b935885a3dbf375da38b8924339b0d

General

Target

Solara v2.exe
Size

230KB
MD5

2c97e31fdc209f1ae51f1dc93a7993a7
SHA1

fc6214f6e91809aaf29fa39cc6a0ebd09fa35909
SHA256

eed43c12866f5d2d70382ccd10a07670e4b935885a3dbf375da38b8924339b0d
SHA512

17d0b2244ceeb9d0d7cc75529a071bf4208b8b8b7d77d69f4639e5f2c2c8e66f81fc5a49689741caae9967a23877e0841f4aeb139471bd46f5ba95cdb9b6a415
SSDEEP

3072:H/FnmqDWX+bSdKsmCOEtrH8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3Ky9Nz8:nDWub5kUhcX7elbKTua9bfF/H9d9n

Score

10^/10

modiloader xworm execution persistence rat trojan upx

Malware Config

Extracted

Family

xworm

C2

takes-stewart.gl.at.ply.gg:61176

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1780-0-0x0000000000100000-0x000000000013E000-memory.dmp	family_xworm

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

ModiLoader First Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4632-71-0x0000000000400000-0x00000000004EC000-memory.dmp	modiloader_stage1

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3788 powershell.exe
1724 powershell.exe
3444 powershell.exe
4136 powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Solara v2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara v2.exe

Executes dropped EXE 2 IoCs

Processes:

izboyr.exeahtpsw.exe

pid process

4632 izboyr.exe
416 ahtpsw.exe

pid	process
4632	izboyr.exe
416	ahtpsw.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ahtpsw.exe	upx
behavioral2/memory/416-82-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/416-84-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Solara v2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Solara v2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

Solara v2.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings Solara v2.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

184 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	Solara v2.exe

pid	process
184	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeSolara v2.exe

pid	process
3788	powershell.exe
3788	powershell.exe
1724	powershell.exe
1724	powershell.exe
3444	powershell.exe
3444	powershell.exe
4136	powershell.exe
4136	powershell.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe
1780	Solara v2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Solara v2.exe

pid process

1780 Solara v2.exe

pid	process
1780	Solara v2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Solara v2.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1780	Solara v2.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	1780	Solara v2.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

izboyr.exe

pid process

4632 izboyr.exe
4632 izboyr.exe
4632 izboyr.exe
4632 izboyr.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

izboyr.exe

pid process

4632 izboyr.exe
4632 izboyr.exe
4632 izboyr.exe
4632 izboyr.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Solara v2.exe

pid process

1780 Solara v2.exe

pid	process
4632	izboyr.exe
4632	izboyr.exe
4632	izboyr.exe
4632	izboyr.exe

pid	process
4632	izboyr.exe
4632	izboyr.exe
4632	izboyr.exe
4632	izboyr.exe

pid	process
1780	Solara v2.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Solara v2.exe

description	pid	process	target process
PID 1780 wrote to memory of 3788	1780	Solara v2.exe	powershell.exe
PID 1780 wrote to memory of 3788	1780	Solara v2.exe	powershell.exe
PID 1780 wrote to memory of 1724	1780	Solara v2.exe	powershell.exe
PID 1780 wrote to memory of 1724	1780	Solara v2.exe	powershell.exe
PID 1780 wrote to memory of 3444	1780	Solara v2.exe	powershell.exe
PID 1780 wrote to memory of 3444	1780	Solara v2.exe	powershell.exe
PID 1780 wrote to memory of 4136	1780	Solara v2.exe	powershell.exe
PID 1780 wrote to memory of 4136	1780	Solara v2.exe	powershell.exe
PID 1780 wrote to memory of 184	1780	Solara v2.exe	NOTEPAD.EXE
PID 1780 wrote to memory of 184	1780	Solara v2.exe	NOTEPAD.EXE
PID 1780 wrote to memory of 4632	1780	Solara v2.exe	izboyr.exe
PID 1780 wrote to memory of 4632	1780	Solara v2.exe	izboyr.exe
PID 1780 wrote to memory of 4632	1780	Solara v2.exe	izboyr.exe
PID 1780 wrote to memory of 416	1780	Solara v2.exe	ahtpsw.exe
PID 1780 wrote to memory of 416	1780	Solara v2.exe	ahtpsw.exe
PID 1780 wrote to memory of 416	1780	Solara v2.exe	ahtpsw.exe

C:\Users\Admin\AppData\Local\Temp\Solara v2.exe
"C:\Users\Admin\AppData\Local\Temp\Solara v2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara v2.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara v2.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\zaikyf.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:184

C:\Users\Admin\AppData\Local\Temp\izboyr.exe
"C:\Users\Admin\AppData\Local\Temp\izboyr.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4632

C:\Users\Admin\AppData\Local\Temp\ahtpsw.exe
"C:\Users\Admin\AppData\Local\Temp\ahtpsw.exe"
2⤵
- Executes dropped EXE
PID:416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9a5ef76c73621cc9a3e30180f27825f7

SHA1
2b081cba98c0b0fb51bdb65fc09c193220d79af6

SHA256
085c206c5bc578804a88e4c6daf8535a95ecb7d8c0356ff2f193b268bf6a7aae

SHA512
14f2cc01b5cb014d19e8a142c5e31295b973851837953b0a98072c1de67ca5348f4b5b1e3ca4329711ef9e37da4add77d943e25087fcb394f39391f840049539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aeceee3981c528bdc5e1c635b65d223d

SHA1
de9939ed37edca6772f5cdd29f6a973b36b7d31b

SHA256
b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

SHA512
df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wk4nmew1.gn2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahtpsw.exe
Filesize
9KB

MD5
b01ee228c4a61a5c06b01160790f9f7c

SHA1
e7cc238b6767401f6e3018d3f0acfe6d207450f8

SHA256
14e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160

SHA512
c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140

Download Submit
C:\Users\Admin\AppData\Local\Temp\izboyr.exe
Filesize
359KB

MD5
b65fc413c4af96d84822e39ce969942a

SHA1
eaa176253f3b91ef6094221403362c8c51dff572

SHA256
dc9015e7327c29d6699e1cb8c23148fc73af11de910ab335868342f02f22703c

SHA512
3e18e86a00fe81fbf27cad0c224c4772e827cfa9a18f6baeee71cf49501ccdde330e592f59b820c54669f19dda1c8fa8a2342eb5b1cf240678b4979969094454

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaikyf.txt
Filesize
16KB

MD5
d4d466d40994b9fd8cfa52719940bed4

SHA1
ce647a759452ebcc6e86313a53cb5882d6c53056

SHA256
1460adcdb3978b76a832ea1d0557effe6912d02e342f869ee30dedb151f32350

SHA512
c4b6258bfd79aebc7afa04cf69300108de67f41613e37d650fbed55666669bc35b1483c2b873e49d83d080582ecbe7b55462e7fb488c231dfd4d875f991004b1

Download Submit
memory/416-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/416-82-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1780-58-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmp

Filesize
10.8MB

Download
memory/1780-53-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmp

Filesize
10.8MB

Download
memory/1780-54-0x00007FFE98213000-0x00007FFE98215000-memory.dmp

Filesize
8KB

Download
memory/1780-1-0x00007FFE98213000-0x00007FFE98215000-memory.dmp

Filesize
8KB

Download
memory/1780-0-0x0000000000100000-0x000000000013E000-memory.dmp

Filesize
248KB

Download
memory/3788-17-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmp

Filesize
10.8MB

Download
memory/3788-14-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmp

Filesize
10.8MB

Download
memory/3788-13-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmp

Filesize
10.8MB

Download
memory/3788-12-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmp

Filesize
10.8MB

Download
memory/3788-7-0x000001B6935A0000-0x000001B6935C2000-memory.dmp

Filesize
136KB

Download
memory/4632-70-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4632-71-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads