modiloader | ad9ba36b7ee36c5fc6694681cf4d065db5ef8472ae61ccfcfb3178cd4644bce7

General

Target

d21ca9679853a46a9e58cfd51b4e5e10N.exe
Size

483KB
MD5

d21ca9679853a46a9e58cfd51b4e5e10
SHA1

0243d2f6dc953ad30f119eb11c40dbac874e8f52
SHA256

ad9ba36b7ee36c5fc6694681cf4d065db5ef8472ae61ccfcfb3178cd4644bce7
SHA512

1116f378284a30214c52cfd98c49c0f48de85019bfd776c1baec989b7ff5a826d6968d37c73c12228e904038dfcef974b95e13e6d09c03bea20adaa8cb9aa3b1
SSDEEP

12288:meFzFaroS+KqHD7/0sZ365sttY49z6Bg:mOgwjj0G65sttY

Score

10^/10

modiloader discovery evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 14 IoCs

resource	yara_rule
behavioral1/memory/2776-33-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/2680-48-0x0000000075400000-0x00000000754F0000-memory.dmp	modiloader_stage2
behavioral1/memory/2680-49-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/2680-51-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/2680-56-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/2680-60-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/2680-64-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/2680-68-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/2680-72-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/2680-76-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/2680-80-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/2680-84-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/2680-88-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/2680-92-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000015d75-21.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2776	DCS03921.scr
2680	mstwain32.exe

Loads dropped DLL 6 IoCs

pid	Process
2300	d21ca9679853a46a9e58cfd51b4e5e10N.exe
2300	d21ca9679853a46a9e58cfd51b4e5e10N.exe
2300	d21ca9679853a46a9e58cfd51b4e5e10N.exe
2300	d21ca9679853a46a9e58cfd51b4e5e10N.exe
2776	DCS03921.scr
2680	mstwain32.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120ff-2.dat	upx
behavioral1/memory/2776-18-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2776-27-0x0000000002C90000-0x0000000002CE1000-memory.dmp	upx
behavioral1/memory/2776-33-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2680-48-0x0000000075400000-0x00000000754F0000-memory.dmp	upx
behavioral1/memory/2680-49-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2680-51-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2680-56-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2680-60-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2680-64-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2680-68-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2680-72-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2680-76-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2680-80-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2680-84-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2680-88-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2680-92-0x0000000000400000-0x0000000000451000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DCS03921.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\mstwain32.exe	DCS03921.scr
File opened for modification	C:\Windows\mstwain32.exe	DCS03921.scr
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d21ca9679853a46a9e58cfd51b4e5e10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCS03921.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	DCS03921.scr
Token: SeDebugPrivilege	2680	mstwain32.exe
Token: SeDebugPrivilege	2680	mstwain32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2776	DCS03921.scr
2680	mstwain32.exe
2680	mstwain32.exe
2680	mstwain32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2776	2300	d21ca9679853a46a9e58cfd51b4e5e10N.exe	30
PID 2300 wrote to memory of 2776	2300	d21ca9679853a46a9e58cfd51b4e5e10N.exe	30
PID 2300 wrote to memory of 2776	2300	d21ca9679853a46a9e58cfd51b4e5e10N.exe	30
PID 2300 wrote to memory of 2776	2300	d21ca9679853a46a9e58cfd51b4e5e10N.exe	30
PID 2776 wrote to memory of 2680	2776	DCS03921.scr	31
PID 2776 wrote to memory of 2680	2776	DCS03921.scr	31
PID 2776 wrote to memory of 2680	2776	DCS03921.scr	31
PID 2776 wrote to memory of 2680	2776	DCS03921.scr	31

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\d21ca9679853a46a9e58cfd51b4e5e10N.exe
"C:\Users\Admin\AppData\Local\Temp\d21ca9679853a46a9e58cfd51b4e5e10N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\Desktop\DCS03921.scr
  "C:\Users\Admin\Desktop\DCS03921.scr" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\okl648D.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\Desktop\DCS03921.scr

Filesize
285KB

MD5
47d42bdc283fe3d4ea0fe3b979619989

SHA1
f491073e86fcf1c13929460d7e8a4666e36d3622

SHA256
2f5377f28159875b34de74abb1fabf833e3c32642b73c291b222eee503f29390

SHA512
ad7f871745850e24dd76700b976f6a377e92aada533dc701e84f557c2c65adb4e63e9d0ef978082b5c8bed25c90c492cc7aabf842eb7dc45499f3d48c902fdbf

Download Submit
memory/2300-10-0x0000000002ED0000-0x0000000002F21000-memory.dmp

Filesize
324KB

Download
memory/2300-8-0x0000000002ED0000-0x0000000002F21000-memory.dmp

Filesize
324KB

Download
memory/2300-17-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2680-64-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2680-53-0x0000000001BD0000-0x0000000001BD8000-memory.dmp

Filesize
32KB

Download
memory/2680-92-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2680-89-0x0000000001CF0000-0x0000000001D63000-memory.dmp

Filesize
460KB

Download
memory/2680-88-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2680-40-0x0000000001CF0000-0x0000000001D63000-memory.dmp

Filesize
460KB

Download
memory/2680-44-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download
memory/2680-45-0x00000000029E0000-0x00000000029EE000-memory.dmp

Filesize
56KB

Download
memory/2680-47-0x0000000075410000-0x0000000075411000-memory.dmp

Filesize
4KB

Download
memory/2680-48-0x0000000075400000-0x00000000754F0000-memory.dmp

Filesize
960KB

Download
memory/2680-49-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2680-50-0x0000000075400000-0x00000000754F0000-memory.dmp

Filesize
960KB

Download
memory/2680-51-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2680-84-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2680-55-0x0000000075400000-0x00000000754F0000-memory.dmp

Filesize
960KB

Download
memory/2680-54-0x00000000029E0000-0x00000000029EE000-memory.dmp

Filesize
56KB

Download
memory/2680-52-0x0000000001CF0000-0x0000000001D63000-memory.dmp

Filesize
460KB

Download
memory/2680-56-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2680-60-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2680-80-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2680-68-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2680-72-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2680-76-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2776-18-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2776-23-0x0000000001E00000-0x0000000001E73000-memory.dmp

Filesize
460KB

Download
memory/2776-34-0x0000000001E00000-0x0000000001E73000-memory.dmp

Filesize
460KB

Download
memory/2776-33-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2776-27-0x0000000002C90000-0x0000000002CE1000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads