modiloader | 2a852296a5a9851655ab8b12ebbc8c2a265823a56fa6fc67d64eb865b06289ef

General

Target

lNV-2024-3626276279.cmd
Size

4.2MB
MD5

55517abac6d9789ddcde10ce5ba82872
SHA1

dba9aeaf67ee05ca8a38ba5ffdb75607b8a2288d
SHA256

ecb54d88590475659fa26d0e65d0743d19e42441fe6311e38dec28026fc95945
SHA512

b951dd6e870d77250af92f4f8920f57622fbd2e58c555abeb704993d51cd0b052cc7b2ec5f98c4d91011f76117bab6717aa25fa775adf899c32d2c5d26453207
SSDEEP

49152:H0HI7tGDjsb7rA3kn2IU9svyG1qrN3Gbiu8HHKMi4F2652/0cN6g/BdKgJ:5

Score

10^/10

modiloader persistence spyware stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1552-76-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral1/memory/1552-78-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2

Executes dropped EXE 11 IoCs

Processes:

alpha.exealpha.exekn.exealpha.exekn.exeAudio.pifalpha.exealpha.execmd.pifcmd.pifflehounE.pif

pid process

2560 alpha.exe
2656 alpha.exe
2704 kn.exe
2600 alpha.exe
2456 kn.exe
2728 Audio.pif
2140 alpha.exe
2744 alpha.exe
2784 cmd.pif
1600 cmd.pif
1552 flehounE.pif
Loads dropped DLL 9 IoCs

Processes:

cmd.exealpha.exealpha.exeAudio.pif

pid process

2940 cmd.exe
2940 cmd.exe
2656 alpha.exe
2940 cmd.exe
2600 alpha.exe
2940 cmd.exe
2940 cmd.exe
2728 Audio.pif
2728 Audio.pif
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2560	alpha.exe
2656	alpha.exe
2704	kn.exe
2600	alpha.exe
2456	kn.exe
2728	Audio.pif
2140	alpha.exe
2744	alpha.exe
2784	cmd.pif
1600	cmd.pif
1552	flehounE.pif

pid	process
2940	cmd.exe
2940	cmd.exe
2656	alpha.exe
2940	cmd.exe
2600	alpha.exe
2940	cmd.exe
2940	cmd.exe
2728	Audio.pif
2728	Audio.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Audio.pifflehounE.pif

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Enuohelf = "C:\\Users\\Public\\Enuohelf.url"	Audio.pif
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\windows.exe"	flehounE.pif

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 drive.google.com
4 drive.google.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Audio.pif

description pid process target process

PID 2728 set thread context of 1552 2728 Audio.pif flehounE.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	drive.google.com
4	drive.google.com

flow	ioc
9	ip-api.com

description	pid	process	target process
PID 2728 set thread context of 1552	2728	Audio.pif	flehounE.pif

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Audio.pif

pid process

2728 Audio.pif
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

flehounE.pif

pid process

1552 flehounE.pif
1552 flehounE.pif
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

flehounE.pif

description pid process

Token: SeDebugPrivilege 1552 flehounE.pif

pid	process
2728	Audio.pif

pid	process
1552	flehounE.pif
1552	flehounE.pif

description	pid	process
Token: SeDebugPrivilege	1552	flehounE.pif

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exeAudio.pif

description	pid	process	target process
PID 2940 wrote to memory of 2732	2940	cmd.exe	extrac32.exe
PID 2940 wrote to memory of 2732	2940	cmd.exe	extrac32.exe
PID 2940 wrote to memory of 2732	2940	cmd.exe	extrac32.exe
PID 2940 wrote to memory of 2560	2940	cmd.exe	alpha.exe
PID 2940 wrote to memory of 2560	2940	cmd.exe	alpha.exe
PID 2940 wrote to memory of 2560	2940	cmd.exe	alpha.exe
PID 2560 wrote to memory of 2592	2560	alpha.exe	extrac32.exe
PID 2560 wrote to memory of 2592	2560	alpha.exe	extrac32.exe
PID 2560 wrote to memory of 2592	2560	alpha.exe	extrac32.exe
PID 2940 wrote to memory of 2656	2940	cmd.exe	alpha.exe
PID 2940 wrote to memory of 2656	2940	cmd.exe	alpha.exe
PID 2940 wrote to memory of 2656	2940	cmd.exe	alpha.exe
PID 2656 wrote to memory of 2704	2656	alpha.exe	kn.exe
PID 2656 wrote to memory of 2704	2656	alpha.exe	kn.exe
PID 2656 wrote to memory of 2704	2656	alpha.exe	kn.exe
PID 2940 wrote to memory of 2600	2940	cmd.exe	alpha.exe
PID 2940 wrote to memory of 2600	2940	cmd.exe	alpha.exe
PID 2940 wrote to memory of 2600	2940	cmd.exe	alpha.exe
PID 2600 wrote to memory of 2456	2600	alpha.exe	kn.exe
PID 2600 wrote to memory of 2456	2600	alpha.exe	kn.exe
PID 2600 wrote to memory of 2456	2600	alpha.exe	kn.exe
PID 2940 wrote to memory of 2728	2940	cmd.exe	Audio.pif
PID 2940 wrote to memory of 2728	2940	cmd.exe	Audio.pif
PID 2940 wrote to memory of 2728	2940	cmd.exe	Audio.pif
PID 2940 wrote to memory of 2728	2940	cmd.exe	Audio.pif
PID 2940 wrote to memory of 2140	2940	cmd.exe	alpha.exe
PID 2940 wrote to memory of 2140	2940	cmd.exe	alpha.exe
PID 2940 wrote to memory of 2140	2940	cmd.exe	alpha.exe
PID 2940 wrote to memory of 2744	2940	cmd.exe	alpha.exe
PID 2940 wrote to memory of 2744	2940	cmd.exe	alpha.exe
PID 2940 wrote to memory of 2744	2940	cmd.exe	alpha.exe
PID 2728 wrote to memory of 2228	2728	Audio.pif	cmd.exe
PID 2728 wrote to memory of 2228	2728	Audio.pif	cmd.exe
PID 2728 wrote to memory of 2228	2728	Audio.pif	cmd.exe
PID 2728 wrote to memory of 2228	2728	Audio.pif	cmd.exe
PID 2728 wrote to memory of 1996	2728	Audio.pif	cmd.exe
PID 2728 wrote to memory of 1996	2728	Audio.pif	cmd.exe
PID 2728 wrote to memory of 1996	2728	Audio.pif	cmd.exe
PID 2728 wrote to memory of 1996	2728	Audio.pif	cmd.exe
PID 2728 wrote to memory of 2748	2728	Audio.pif	cmd.exe
PID 2728 wrote to memory of 2748	2728	Audio.pif	cmd.exe
PID 2728 wrote to memory of 2748	2728	Audio.pif	cmd.exe
PID 2728 wrote to memory of 2748	2728	Audio.pif	cmd.exe
PID 2728 wrote to memory of 1436	2728	Audio.pif	extrac32.exe
PID 2728 wrote to memory of 1436	2728	Audio.pif	extrac32.exe
PID 2728 wrote to memory of 1436	2728	Audio.pif	extrac32.exe
PID 2728 wrote to memory of 1436	2728	Audio.pif	extrac32.exe
PID 2728 wrote to memory of 1552	2728	Audio.pif	flehounE.pif
PID 2728 wrote to memory of 1552	2728	Audio.pif	flehounE.pif
PID 2728 wrote to memory of 1552	2728	Audio.pif	flehounE.pif
PID 2728 wrote to memory of 1552	2728	Audio.pif	flehounE.pif
PID 2728 wrote to memory of 1552	2728	Audio.pif	flehounE.pif
PID 2728 wrote to memory of 1552	2728	Audio.pif	flehounE.pif

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
2⤵
PID:2732

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:2592

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd" "C:\\Users\\Public\\Audio.mp4" 9
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd" "C:\\Users\\Public\\Audio.mp4" 9
3⤵
- Executes dropped EXE
PID:2704

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
3⤵
- Executes dropped EXE
PID:2456

C:\Users\Public\Libraries\Audio.pif
C:\Users\Public\Libraries\Audio.pif
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows "
3⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows \System32"
3⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\\Windows \\System32\\cmd.pif"
3⤵
PID:2748

C:\Windows \System32\cmd.pif
"C:\\Windows \\System32\\cmd.pif"
4⤵
- Executes dropped EXE
PID:2784

C:\Windows \System32\cmd.pif
"C:\Windows \System32\cmd.pif"
4⤵
- Executes dropped EXE
PID:1600

C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Enuohelf.PIF
3⤵
PID:1436

C:\Users\Public\Libraries\flehounE.pif
C:\Users\Public\Libraries\flehounE.pif
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2140

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Audio.mp4
Filesize
3.0MB

MD5
8d6a6f7f28472f54780ace4be5e35f7f

SHA1
93e285f23ef6cb95d3be6c5c4ce3eddcdd0e4201

SHA256
611fbe02cb707477addb2b98bbb193d77f981a4fc61be39b74543f3f43fc5cd1

SHA512
87497486cc166f3c6c43dd05b9bc08c7947c97be03ea2a8edf962c59f3027cdccc1b57d99a55a072e26d7b83e678f67cedad1f54beaa7d3a352556db4fa78744

Download Submit
C:\Users\Public\Libraries\Audio.pif
Filesize
1.5MB

MD5
3351922e54c2698b80f65bbe11894bb8

SHA1
6121c53dcb4f81a202e393281c53e95de2155219

SHA256
6ad37e5e8fc00d1bb6538d409e3930882ac8bc1e3efdda551ead49edfdba2c42

SHA512
d9ac69966e0ad0ff05fe137a08d0ba211c11dfe5303d032ff3fc337a5302cdab1bbfb9f7153567d8b11acff38c0c433d92dd48925f3bb7824cc572562014bfdc

Download Submit
C:\Users\Public\kn.exe
Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
C:\Windows \System32\cmd.pif
Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
\Users\Public\Libraries\flehounE.pif
Filesize
182KB

MD5
3776012e2ef5a5cae6935853e6ca79b2

SHA1
4fc81df94baaaa550473ac9d20763cfb786577ff

SHA256
8e104cc58e62de0eab837ac09b01d30e85f79045cc1803fa2ef4eafbdbd41e8d

SHA512
38811cb1431e8b7b07113ae54f1531f8992bd0e572d9daa1029cf8692396427285a4c089ffd56422ca0c6b393e9fca0856a5a5cd77062e7e71bf0a670843cfb8

Download Submit
\Users\Public\alpha.exe
Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
memory/1552-125-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-117-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-78-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1552-80-0x00000000499C0000-0x0000000049A1C000-memory.dmp

Filesize
368KB

Download
memory/1552-81-0x000000004BE80000-0x000000004BEDA000-memory.dmp

Filesize
360KB

Download
memory/1552-91-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-141-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-139-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-137-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-135-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-133-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-131-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-129-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-127-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-82-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-121-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-119-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-76-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1552-115-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-113-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-111-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-109-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-107-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-105-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-103-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-101-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-99-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-97-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-95-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-93-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-89-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-87-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-85-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-123-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/1552-83-0x000000004BE80000-0x000000004BED4000-memory.dmp

Filesize
336KB

Download
memory/2728-32-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads