modiloader | f22e1cfd78acc5c944dbfa4b4333349c603536637b3f10ed8022719832abff1c

General

Target

VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe
Size

290KB
MD5

1ecb75f61811c8ba509fcecb959fc960
SHA1

ff350f0885fd1bf43b3649c5e10bd7c6b8c63c93
SHA256

f22e1cfd78acc5c944dbfa4b4333349c603536637b3f10ed8022719832abff1c
SHA512

2a808a060a288713cd0b95e4c490ea956caa1824a134ed26547af13fc77f2e95af8e6b2dff3e8d6bf1b79f2730dcee148003c69c100ff761cc4365476b1c6914
SSDEEP

6144:DVU3YK6TaVsZuR2gdELS8YazyamrwNXEjtEHgZVcoMiVejeuSN0teQBw2B:q3bVVDuLJBBWwN8W8KoISN0w0w2B

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\winlocker_builder V0.4.exe	modiloader_stage2
behavioral1/memory/3032-19-0x0000000000400000-0x000000000046B000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

winlocker_builder V0.4.exe

pid process

3032 winlocker_builder V0.4.exe
Loads dropped DLL 1 IoCs

Processes:

VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe

pid process

2344 VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe

pid	process
2344	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winlocker_builder V0.4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlocker_builder V0.4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winlocker_builder V0.4.exe"	winlocker_builder V0.4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2700 taskkill.exe
2168 taskkill.exe
2572 taskkill.exe
2580 taskkill.exe
2688 taskkill.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2724 reg.exe

pid	process
2700	taskkill.exe
2168	taskkill.exe
2572	taskkill.exe
2580	taskkill.exe
2688	taskkill.exe

pid	process
2724	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winlocker_builder V0.4.exe

pid	process
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe
3032	winlocker_builder V0.4.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winlocker_builder V0.4.exe

pid process

3032 winlocker_builder V0.4.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

VirusShare_1ecb75f61811c8ba509fcecb959fc960.execmd.exe

description	pid	process	target process
PID 2344 wrote to memory of 1280	2344	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe	cmd.exe
PID 2344 wrote to memory of 1280	2344	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe	cmd.exe
PID 2344 wrote to memory of 1280	2344	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe	cmd.exe
PID 2344 wrote to memory of 1280	2344	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe	cmd.exe
PID 2344 wrote to memory of 3032	2344	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe	winlocker_builder V0.4.exe
PID 2344 wrote to memory of 3032	2344	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe	winlocker_builder V0.4.exe
PID 2344 wrote to memory of 3032	2344	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe	winlocker_builder V0.4.exe
PID 2344 wrote to memory of 3032	2344	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe	winlocker_builder V0.4.exe
PID 1280 wrote to memory of 2168	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2168	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2168	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2168	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2572	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2572	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2572	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2572	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2580	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2580	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2580	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2580	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2688	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2688	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2688	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2688	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2700	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2700	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2700	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2700	1280	cmd.exe	taskkill.exe
PID 1280 wrote to memory of 2724	1280	cmd.exe	reg.exe
PID 1280 wrote to memory of 2724	1280	cmd.exe	reg.exe
PID 1280 wrote to memory of 2724	1280	cmd.exe	reg.exe
PID 1280 wrote to memory of 2724	1280	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Build.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\taskkill.exe
taskkill /im /f chrome.exe
3⤵
- Kills process with taskkill
PID:2168

C:\Windows\SysWOW64\taskkill.exe
taskkill /im /f ie.exe
3⤵
- Kills process with taskkill
PID:2572

C:\Windows\SysWOW64\taskkill.exe
taskkill /im /f firefox.exe
3⤵
- Kills process with taskkill
PID:2580

C:\Windows\SysWOW64\taskkill.exe
taskkill /im /f opera.exe
3⤵
- Kills process with taskkill
PID:2688

C:\Windows\SysWOW64\taskkill.exe
taskkill /im /f safari.exe
3⤵
- Kills process with taskkill
PID:2700

C:\Windows\SysWOW64\reg.exe
Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.*
3⤵
- Modifies registry key
PID:2724

C:\Users\Admin\AppData\Local\Temp\winlocker_builder V0.4.exe
"C:\Users\Admin\AppData\Local\Temp\winlocker_builder V0.4.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3032

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2872

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Build.bat
Filesize
2KB

MD5
a30dc826f8671456185b51426255788a

SHA1
bbd1505ca5479d159db89539beff034581feaa1c

SHA256
155a86cf988ef9304630b6845f14d8774e80126ec77ccb9f8fcdfadef46375d1

SHA512
3641df71589c645b4c3b4f1c5a0c9e6d978c667ea1c4862658102a461e59d2d22c1adb67d22027d34397829c4fca2d6e42be122f66e9fb5cae357a53cfe34ed3

Download Submit
\Users\Admin\AppData\Local\Temp\winlocker_builder V0.4.exe
Filesize
401KB

MD5
d81707fcd4e2b83c4a1371603ffd8fbc

SHA1
e10b7c05a89a57e753873a013745ff4cba11f347

SHA256
63f97cbd440b5f8d31a2d6bf7ca628624e0d24b6b96ae429fdb8a8b85ffce384

SHA512
035685c60bf5875eaafed99daf3d6041d995d295452a1253ed5ab7ad73d25ef6a247fd50ef2c2a278c2378bb45e840bce9897a43dba8b93ad40c8c5b83d235f8

Download Submit
memory/3032-17-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3032-19-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3032-21-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads