modiloader | 28a1e5b98c9b890026a9712ceabf90bc227750f5616d9d4b19f5c404d864db1f

General

Target

TheWarz-Crack.exe
Size

1.2MB
MD5

6b035800be70ccbedd9154a9ae57d03b
SHA1

c7de2eba384c891723b4a17753ee00129f5fe973
SHA256

e621a036413f70d0a00dbe48de5773dceea1429dc1864aebe90cb277583690de
SHA512

1b41dc9bf8c040ca33d26da8986f346ff6be02bf2197b78c96b2c6dbb45ba19bf4b31d8eeb4e715c78507b78ea6d2b05d039fb28e11ec8750fc5080a42c318d7
SSDEEP

24576:yzjh/FIFRPOUS01XpN4wEpv7I+CqSfhvuwGHEqPb2LxBxf3y:CKFNSEpN4NpvcAyBudHTCFq

Score

10^/10

modiloader njrat evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ModiLoader Second Stage 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/680-17-0x0000000000400000-0x00000000052E8000-memory.dmp	modiloader_stage2
behavioral2/memory/680-20-0x0000000000400000-0x00000000052E8000-memory.dmp	modiloader_stage2
behavioral2/memory/680-21-0x0000000000400000-0x00000000052E8000-memory.dmp	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\FB_3303.tmp.exe	modiloader_stage2
behavioral2/memory/680-51-0x0000000000400000-0x00000000004CA000-memory.dmp	modiloader_stage2
behavioral2/memory/4580-59-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/680-50-0x0000000000400000-0x00000000052E8000-memory.dmp	modiloader_stage2
behavioral2/memory/1652-91-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1452 netsh.exe

pid	process
1452	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

M.exeFB_3303.tmp.exeFB_2844.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	M.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	FB_3303.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	FB_2844.tmp.exe

Drops startup file 2 IoCs

Processes:

TheWarz-Crack-1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ff3a911dbfff7e34d508efdb7eca614.exe	TheWarz-Crack-1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ff3a911dbfff7e34d508efdb7eca614.exe	TheWarz-Crack-1.exe

Executes dropped EXE 7 IoCs

Processes:

M.exeM.exeFB_2844.tmp.exeFB_3303.tmp.exeFB_3381.tmp.exeWrnia.exeTheWarz-Crack-1.exe

pid process

876 M.exe
680 M.exe
232 FB_2844.tmp.exe
4580 FB_3303.tmp.exe
2300 FB_3381.tmp.exe
1652 Wrnia.exe
4124 TheWarz-Crack-1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TheWarz-Crack.exeWrnia.exeTheWarz-Crack-1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	TheWarz-Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Wrnia = "C:\\Users\\Admin\\AppData\\Roaming\\Wrnia.exe"	Wrnia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ff3a911dbfff7e34d508efdb7eca614 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TheWarz-Crack-1.exe\" .."	TheWarz-Crack-1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4ff3a911dbfff7e34d508efdb7eca614 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TheWarz-Crack-1.exe\" .."	TheWarz-Crack-1.exe

Drops file in System32 directory 2 IoCs

Processes:

FB_3381.tmp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\accessibilitycpI.dll	FB_3381.tmp.exe
File opened for modification	C:\Windows\SysWOW64\accessibilitycpI.dll	FB_3381.tmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

M.exe

description pid process target process

PID 876 set thread context of 680 876 M.exe M.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 876 set thread context of 680	876	M.exe	M.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

M.exeFB_3381.tmp.exe

pid	process
876	M.exe
876	M.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe
2300	FB_3381.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

FB_3381.tmp.exeTheWarz-Crack-1.exe

description pid process

Token: SeDebugPrivilege 2300 FB_3381.tmp.exe
Token: SeDebugPrivilege 4124 TheWarz-Crack-1.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

M.exe

pid process

876 M.exe
876 M.exe

description	pid	process
Token: SeDebugPrivilege	2300	FB_3381.tmp.exe
Token: SeDebugPrivilege	4124	TheWarz-Crack-1.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

TheWarz-Crack.exeM.exeM.exeFB_3303.tmp.exeFB_2844.tmp.exeTheWarz-Crack-1.exe

description	pid	process	target process
PID 3256 wrote to memory of 876	3256	TheWarz-Crack.exe	M.exe
PID 3256 wrote to memory of 876	3256	TheWarz-Crack.exe	M.exe
PID 3256 wrote to memory of 876	3256	TheWarz-Crack.exe	M.exe
PID 876 wrote to memory of 680	876	M.exe	M.exe
PID 876 wrote to memory of 680	876	M.exe	M.exe
PID 876 wrote to memory of 680	876	M.exe	M.exe
PID 876 wrote to memory of 680	876	M.exe	M.exe
PID 876 wrote to memory of 680	876	M.exe	M.exe
PID 876 wrote to memory of 680	876	M.exe	M.exe
PID 876 wrote to memory of 680	876	M.exe	M.exe
PID 876 wrote to memory of 680	876	M.exe	M.exe
PID 876 wrote to memory of 680	876	M.exe	M.exe
PID 876 wrote to memory of 680	876	M.exe	M.exe
PID 876 wrote to memory of 680	876	M.exe	M.exe
PID 876 wrote to memory of 680	876	M.exe	M.exe
PID 876 wrote to memory of 680	876	M.exe	M.exe
PID 680 wrote to memory of 232	680	M.exe	FB_2844.tmp.exe
PID 680 wrote to memory of 232	680	M.exe	FB_2844.tmp.exe
PID 680 wrote to memory of 232	680	M.exe	FB_2844.tmp.exe
PID 680 wrote to memory of 4580	680	M.exe	FB_3303.tmp.exe
PID 680 wrote to memory of 4580	680	M.exe	FB_3303.tmp.exe
PID 680 wrote to memory of 4580	680	M.exe	FB_3303.tmp.exe
PID 680 wrote to memory of 2300	680	M.exe	FB_3381.tmp.exe
PID 680 wrote to memory of 2300	680	M.exe	FB_3381.tmp.exe
PID 680 wrote to memory of 2300	680	M.exe	FB_3381.tmp.exe
PID 4580 wrote to memory of 1652	4580	FB_3303.tmp.exe	Wrnia.exe
PID 4580 wrote to memory of 1652	4580	FB_3303.tmp.exe	Wrnia.exe
PID 4580 wrote to memory of 1652	4580	FB_3303.tmp.exe	Wrnia.exe
PID 232 wrote to memory of 4124	232	FB_2844.tmp.exe	TheWarz-Crack-1.exe
PID 232 wrote to memory of 4124	232	FB_2844.tmp.exe	TheWarz-Crack-1.exe
PID 232 wrote to memory of 4124	232	FB_2844.tmp.exe	TheWarz-Crack-1.exe
PID 4124 wrote to memory of 1452	4124	TheWarz-Crack-1.exe	netsh.exe
PID 4124 wrote to memory of 1452	4124	TheWarz-Crack-1.exe	netsh.exe
PID 4124 wrote to memory of 1452	4124	TheWarz-Crack-1.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack.exe
"C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Admin\AppData\Local\Temp\FB_2844.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_2844.tmp.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232

C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe
"C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe"
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe" "TheWarz-Crack-1.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:1452

C:\Users\Admin\AppData\Local\Temp\FB_3303.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_3303.tmp.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Roaming\Wrnia.exe
"C:\Users\Admin\AppData\Roaming\Wrnia.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1652

C:\Users\Admin\AppData\Local\Temp\FB_3381.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_3381.tmp.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4028 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:3556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB_2844.tmp.exe
Filesize
29KB

MD5
614ee07b628e4994d4d7f1b9beda6ece

SHA1
0171581e8d76d2d922027f4f072cff8215c55abb

SHA256
b4458b76c0ade6678ac78a74dfa38dff4125d39210717b2c2bdd271bdd733cef

SHA512
c279ff78b25f40bde2f64ab33ba5a2b9b4046e68a4e2089121118173930eaab813f48e8a30f569b25a316c79cc4e42df18df8c219a258096d5ce9359f007e001

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_3303.tmp.exe
Filesize
36KB

MD5
bc31fb751e47491430d909c72c5529c9

SHA1
c1a5925786cf7729d04f765cd1cd47fab5ddcf95

SHA256
aecbf1535c7be968369ce966f8478cc55dd311f122565f5ee7d627cd302f4921

SHA512
03af1955cd15bf239a1e3ec768f66320b17a84e06d977fa3aa1aa1e1b7c03db78e10a6e8d94ffa504b56fc649722a3fd6dcbec95335d888d20c2ade989a8355d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_3381.tmp.exe
Filesize
723KB

MD5
ca554c5962d17073e7ce0e65e505158c

SHA1
5d09fe7bac713a0e03b3b1322019f86dd10a2c9e

SHA256
448565c452f2c88c73061548aa46c1dbdc281567dffc2abec39e7eb177f230cb

SHA512
969408b0975c6e0288b3bd5e5521fa092712d8cc9fe23f9166751d0f1e2f5c570712bc91c8602c0474dd0c6a2ef52975b06736295dca7f9d9fbb7a8da2fc8b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.ex_
Filesize
851KB

MD5
4c687cafefcab325c62847a3910c71a9

SHA1
882409e2d437758967ffbe8d9740dd35a86e95c6

SHA256
fb635a07236ad5395238b0e18ba87f60264d93bc8a2e13805b661f528a185793

SHA512
97b730f00751df1a41670b079c1f784709f8ce79b3eaece05be0007ddb8f8566876a93b21be459dbb9f91e265b45c88565dda3a1e7501a4f63b2b7255a9cd5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
Filesize
716KB

MD5
aa8a27f555ba52a3057d1ebd59e51193

SHA1
fbc1b0916e428969d2e7e11f2a0c5bd6449ad05f

SHA256
09cd260d8a7a59b6e123b59d1d7ccdb289d56ccf7be4952451768bbafee305d2

SHA512
04bbf4d273bebd851725b5b4cae007413983cdb7efef56f8d88995493f5c8d0afa29accd7d8135ac686acbde8c8f7507c23969b4f5315409dedc2e4d34fdcfb3

Download Submit
C:\Windows\SysWOW64\accessibilitycpI.dll
Filesize
302KB

MD5
0d313a81c8b3b25e58ea49359242bea4

SHA1
7d9e242e418a982f248f9981b10b64830d67d802

SHA256
3000f91791e0b3331ccc130d0bc5d94b2ae5fc529b3924a2e97002e3251d926b

SHA512
63f9bef6ad11372b241b5e679c63c2164e21073f8a99b7442d89e301b017e5e2f0c344ef3df0227506837816c86e7539899a9c1499cefa0b18c257f8f87837a7

Download Submit
memory/680-51-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/680-20-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/680-17-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/680-50-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/680-21-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/876-7-0x0000000002280000-0x0000000002282000-memory.dmp

Filesize
8KB

Download
memory/876-14-0x00000000022A0000-0x00000000022A5000-memory.dmp

Filesize
20KB

Download
memory/1652-91-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2300-60-0x0000000000850000-0x000000000090A000-memory.dmp

Filesize
744KB

Download
memory/2300-62-0x00000000057F0000-0x0000000005D94000-memory.dmp

Filesize
5.6MB

Download
memory/2300-63-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/2300-73-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/2300-74-0x0000000005380000-0x00000000053D6000-memory.dmp

Filesize
344KB

Download
memory/2300-61-0x00000000051A0000-0x000000000523C000-memory.dmp

Filesize
624KB

Download
memory/4580-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads