modiloader | fe74b4fc0b1b74f9b4659ac28f601990ee4b1e6b6e6cbb52e03e9300c1571ad8

General

Target

57c6b0ef0c613e7b89e75ba925cebe80N.exe
Size

116KB
MD5

57c6b0ef0c613e7b89e75ba925cebe80
SHA1

2cc1808526af22ac1dd8a885735ad8a5e233d5c5
SHA256

fe74b4fc0b1b74f9b4659ac28f601990ee4b1e6b6e6cbb52e03e9300c1571ad8
SHA512

b4475ff5f368a83c591963f009164c81959acccfca82f9eefd6a8ae2eac47bfd8ca690b374fb63bdd7459c297cab1bafe902ef1b303e358bad4930bb63e0526e
SSDEEP

1536:JOH1ZaQvR1KiX3NK6I+hZhYrt/w5Q6G6IpiRYzz9qJHhhnm0yG5aP/5PxV1:JCKQJcinxphkG5Q6GdpIOkJHhKRf1

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3888-46-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/3888-54-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/3888-57-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/3888-60-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/3888-59-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/3888-62-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

57c6b0ef0c613e7b89e75ba925cebe80N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	57c6b0ef0c613e7b89e75ba925cebe80N.exe

Executes dropped EXE 3 IoCs

Processes:

Flaseher.exeFlaseher.exeFlaseher.exe

pid process

4524 Flaseher.exe
2420 Flaseher.exe
3888 Flaseher.exe

pid	process
4524	Flaseher.exe
2420	Flaseher.exe
3888	Flaseher.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/208-8-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/208-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/208-12-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/208-55-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2420-56-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/208-40-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2420-61-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.Flasfh = "C:\\Users\\Admin\\AppData\\Roaming\\..Flash\\Flaseher.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

57c6b0ef0c613e7b89e75ba925cebe80N.exeFlaseher.exe

description	pid	process	target process
PID 3488 set thread context of 208	3488	57c6b0ef0c613e7b89e75ba925cebe80N.exe	57c6b0ef0c613e7b89e75ba925cebe80N.exe
PID 4524 set thread context of 2420	4524	Flaseher.exe	Flaseher.exe
PID 4524 set thread context of 3888	4524	Flaseher.exe	Flaseher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exeFlaseher.exeFlaseher.exeFlaseher.exe57c6b0ef0c613e7b89e75ba925cebe80N.exe57c6b0ef0c613e7b89e75ba925cebe80N.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flaseher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flaseher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flaseher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57c6b0ef0c613e7b89e75ba925cebe80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57c6b0ef0c613e7b89e75ba925cebe80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Flaseher.exe

description	pid	process
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe
Token: SeDebugPrivilege	2420	Flaseher.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

57c6b0ef0c613e7b89e75ba925cebe80N.exe57c6b0ef0c613e7b89e75ba925cebe80N.exeFlaseher.exeFlaseher.exe

pid process

3488 57c6b0ef0c613e7b89e75ba925cebe80N.exe
208 57c6b0ef0c613e7b89e75ba925cebe80N.exe
4524 Flaseher.exe
2420 Flaseher.exe

pid	process
3488	57c6b0ef0c613e7b89e75ba925cebe80N.exe
208	57c6b0ef0c613e7b89e75ba925cebe80N.exe
4524	Flaseher.exe
2420	Flaseher.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

57c6b0ef0c613e7b89e75ba925cebe80N.exe57c6b0ef0c613e7b89e75ba925cebe80N.execmd.exeFlaseher.exe

description	pid	process	target process
PID 3488 wrote to memory of 208	3488	57c6b0ef0c613e7b89e75ba925cebe80N.exe	57c6b0ef0c613e7b89e75ba925cebe80N.exe
PID 3488 wrote to memory of 208	3488	57c6b0ef0c613e7b89e75ba925cebe80N.exe	57c6b0ef0c613e7b89e75ba925cebe80N.exe
PID 3488 wrote to memory of 208	3488	57c6b0ef0c613e7b89e75ba925cebe80N.exe	57c6b0ef0c613e7b89e75ba925cebe80N.exe
PID 3488 wrote to memory of 208	3488	57c6b0ef0c613e7b89e75ba925cebe80N.exe	57c6b0ef0c613e7b89e75ba925cebe80N.exe
PID 3488 wrote to memory of 208	3488	57c6b0ef0c613e7b89e75ba925cebe80N.exe	57c6b0ef0c613e7b89e75ba925cebe80N.exe
PID 3488 wrote to memory of 208	3488	57c6b0ef0c613e7b89e75ba925cebe80N.exe	57c6b0ef0c613e7b89e75ba925cebe80N.exe
PID 3488 wrote to memory of 208	3488	57c6b0ef0c613e7b89e75ba925cebe80N.exe	57c6b0ef0c613e7b89e75ba925cebe80N.exe
PID 3488 wrote to memory of 208	3488	57c6b0ef0c613e7b89e75ba925cebe80N.exe	57c6b0ef0c613e7b89e75ba925cebe80N.exe
PID 208 wrote to memory of 4492	208	57c6b0ef0c613e7b89e75ba925cebe80N.exe	cmd.exe
PID 208 wrote to memory of 4492	208	57c6b0ef0c613e7b89e75ba925cebe80N.exe	cmd.exe
PID 208 wrote to memory of 4492	208	57c6b0ef0c613e7b89e75ba925cebe80N.exe	cmd.exe
PID 4492 wrote to memory of 896	4492	cmd.exe	reg.exe
PID 4492 wrote to memory of 896	4492	cmd.exe	reg.exe
PID 4492 wrote to memory of 896	4492	cmd.exe	reg.exe
PID 208 wrote to memory of 4524	208	57c6b0ef0c613e7b89e75ba925cebe80N.exe	Flaseher.exe
PID 208 wrote to memory of 4524	208	57c6b0ef0c613e7b89e75ba925cebe80N.exe	Flaseher.exe
PID 208 wrote to memory of 4524	208	57c6b0ef0c613e7b89e75ba925cebe80N.exe	Flaseher.exe
PID 4524 wrote to memory of 2420	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 2420	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 2420	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 2420	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 2420	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 2420	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 2420	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 2420	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 3888	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 3888	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 3888	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 3888	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 3888	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 3888	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 3888	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 3888	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 3888	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 3888	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 3888	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 3888	4524	Flaseher.exe	Flaseher.exe
PID 4524 wrote to memory of 3888	4524	Flaseher.exe	Flaseher.exe

C:\Users\Admin\AppData\Local\Temp\57c6b0ef0c613e7b89e75ba925cebe80N.exe
"C:\Users\Admin\AppData\Local\Temp\57c6b0ef0c613e7b89e75ba925cebe80N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3488

C:\Users\Admin\AppData\Local\Temp\57c6b0ef0c613e7b89e75ba925cebe80N.exe
"C:\Users\Admin\AppData\Local\Temp\57c6b0ef0c613e7b89e75ba925cebe80N.exe"
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PTFGD.bat" "
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe" /f
4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:896

C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2420

C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PTFGD.txt

Filesize
145B

MD5
da0cbe87b720a79b294147ed6a4b98be

SHA1
ebf0dc9efd7a12cb192e355cda87546acb4ab360

SHA256
7ccfeff356fdccc9145bd1e263aa1c56360ca7b6552ed5a5665c596d02a627ed

SHA512
f55c4a3d24d2f11db5eda3c816d1cd3b8804a171a7bf715b13d60788247fbb352eafaa5bd4e0a8086c1013396be0a48c7bdb904ab0f974fa0c75e81e3d365acc

Download Submit
C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe

Filesize
116KB

MD5
0c34429daebe35e160eab45d81970d25

SHA1
8f12d742be4aca0abdc865400f066bfadcd253a0

SHA256
1bce0dfb020c9bed0a2216e124f0c4070e1e70ebbce5bef347cd4eaaab0c6b0d

SHA512
6f1b33b21d6499fbad332640d9ac9a0d045ceb94b74143bf957ec3f78a4be13c2242c28fee500902231b501bf8f350003968e63d797fdc2e64ee88dc946fd16d

Download Submit
memory/208-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/208-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/208-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/208-12-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/208-8-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2420-56-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2420-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3488-2-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3488-6-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/3488-5-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/3488-7-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/3488-3-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3488-4-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/3888-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3888-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3888-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3888-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3888-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3888-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4524-51-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4524-45-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4524-39-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4524-38-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads