modiloader | f22e1cfd78acc5c944dbfa4b4333349c603536637b3f10ed8022719832abff1c

General

Target

VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe
Size

290KB
MD5

1ecb75f61811c8ba509fcecb959fc960
SHA1

ff350f0885fd1bf43b3649c5e10bd7c6b8c63c93
SHA256

f22e1cfd78acc5c944dbfa4b4333349c603536637b3f10ed8022719832abff1c
SHA512

2a808a060a288713cd0b95e4c490ea956caa1824a134ed26547af13fc77f2e95af8e6b2dff3e8d6bf1b79f2730dcee148003c69c100ff761cc4365476b1c6914
SSDEEP

6144:DVU3YK6TaVsZuR2gdELS8YazyamrwNXEjtEHgZVcoMiVejeuSN0teQBw2B:q3bVVDuLJBBWwN8W8KoISN0w0w2B

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\winlocker_builder V0.4.exe	modiloader_stage2
behavioral2/memory/2148-15-0x0000000000400000-0x000000000046B000-memory.dmp	modiloader_stage2

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe

Executes dropped EXE 1 IoCs

Processes:

winlocker_builder V0.4.exe

pid process

2148 winlocker_builder V0.4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winlocker_builder V0.4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlocker_builder V0.4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winlocker_builder V0.4.exe"	winlocker_builder V0.4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1324 taskkill.exe
1144 taskkill.exe
1856 taskkill.exe
2004 taskkill.exe
2108 taskkill.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2884 reg.exe

pid	process
1324	taskkill.exe
1144	taskkill.exe
1856	taskkill.exe
2004	taskkill.exe
2108	taskkill.exe

pid	process
2884	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winlocker_builder V0.4.exe

pid	process
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe
2148	winlocker_builder V0.4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	3480	explorer.exe
Token: SeCreatePagefilePrivilege	3480	explorer.exe
Token: SeShutdownPrivilege	3480	explorer.exe
Token: SeCreatePagefilePrivilege	3480	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

VirusShare_1ecb75f61811c8ba509fcecb959fc960.execmd.exe

description	pid	process	target process
PID 4820 wrote to memory of 4472	4820	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe	cmd.exe
PID 4820 wrote to memory of 4472	4820	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe	cmd.exe
PID 4820 wrote to memory of 4472	4820	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe	cmd.exe
PID 4820 wrote to memory of 2148	4820	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe	winlocker_builder V0.4.exe
PID 4820 wrote to memory of 2148	4820	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe	winlocker_builder V0.4.exe
PID 4820 wrote to memory of 2148	4820	VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe	winlocker_builder V0.4.exe
PID 4472 wrote to memory of 2108	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 2108	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 2108	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 1324	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 1324	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 1324	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 1144	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 1144	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 1144	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 1856	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 1856	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 1856	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 2004	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 2004	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 2004	4472	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 2884	4472	cmd.exe	reg.exe
PID 4472 wrote to memory of 2884	4472	cmd.exe	reg.exe
PID 4472 wrote to memory of 2884	4472	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Build.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\SysWOW64\taskkill.exe
taskkill /im /f chrome.exe
3⤵
- Kills process with taskkill
PID:2108

C:\Windows\SysWOW64\taskkill.exe
taskkill /im /f ie.exe
3⤵
- Kills process with taskkill
PID:1324

C:\Windows\SysWOW64\taskkill.exe
taskkill /im /f firefox.exe
3⤵
- Kills process with taskkill
PID:1144

C:\Windows\SysWOW64\taskkill.exe
taskkill /im /f opera.exe
3⤵
- Kills process with taskkill
PID:1856

C:\Windows\SysWOW64\taskkill.exe
taskkill /im /f safari.exe
3⤵
- Kills process with taskkill
PID:2004

C:\Windows\SysWOW64\reg.exe
Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.*
3⤵
- Modifies registry key
PID:2884

C:\Users\Admin\AppData\Local\Temp\winlocker_builder V0.4.exe
"C:\Users\Admin\AppData\Local\Temp\winlocker_builder V0.4.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2148

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Build.bat
Filesize
2KB

MD5
a30dc826f8671456185b51426255788a

SHA1
bbd1505ca5479d159db89539beff034581feaa1c

SHA256
155a86cf988ef9304630b6845f14d8774e80126ec77ccb9f8fcdfadef46375d1

SHA512
3641df71589c645b4c3b4f1c5a0c9e6d978c667ea1c4862658102a461e59d2d22c1adb67d22027d34397829c4fca2d6e42be122f66e9fb5cae357a53cfe34ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlocker_builder V0.4.exe
Filesize
401KB

MD5
d81707fcd4e2b83c4a1371603ffd8fbc

SHA1
e10b7c05a89a57e753873a013745ff4cba11f347

SHA256
63f97cbd440b5f8d31a2d6bf7ca628624e0d24b6b96ae429fdb8a8b85ffce384

SHA512
035685c60bf5875eaafed99daf3d6041d995d295452a1253ed5ab7ad73d25ef6a247fd50ef2c2a278c2378bb45e840bce9897a43dba8b93ad40c8c5b83d235f8

Download Submit
memory/2148-13-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/2148-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads