modiloader | 9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef

General

Target

9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe
Size

270KB
MD5

92224916dece7e83fe34e50756dc866b
SHA1

ce1221fd9fd4f2373d1b2a69bcff3480da35ad23
SHA256

9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef
SHA512

f7beb58ae58662eba921e3f0c82b225417f3ab2970ae58050630fd336fddc64b68350dc33ca99405157fa50711f08155dac590e1fe6cdf39b6a81fe3898424be
SSDEEP

6144:apFZywoS9KT/qXAtzF5jaaFqgDfZstH1Sb:8ZdPKXjaaFqist4b

Score

10^/10

modiloader njrat اختراق الواي فاي discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

اختراق الواي فاي

C2

hamza102.no-ip.biz:6543

Mutex

3e4e59d01ea7e23f9eec413d2bd64504

Attributes

reg_key
3e4e59d01ea7e23f9eec413d2bd64504
splitter
|'|'|

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2260-16-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2584	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
2388	Server.exe
2116	Wifi Password Hack 2014.exe
2972	Wifi.exe

Loads dropped DLL 5 IoCs

pid	Process
2260	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe
2260	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe
2260	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe
2116	Wifi Password Hack 2014.exe
2116	Wifi Password Hack 2014.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\3e4e59d01ea7e23f9eec413d2bd64504 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3e4e59d01ea7e23f9eec413d2bd64504 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wifi Password Hack 2014.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe
Token: 33	2388	Server.exe
Token: SeIncBasePriorityPrivilege	2388	Server.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2388	2260	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe	29
PID 2260 wrote to memory of 2388	2260	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe	29
PID 2260 wrote to memory of 2388	2260	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe	29
PID 2260 wrote to memory of 2388	2260	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe	29
PID 2260 wrote to memory of 2116	2260	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe	30
PID 2260 wrote to memory of 2116	2260	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe	30
PID 2260 wrote to memory of 2116	2260	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe	30
PID 2260 wrote to memory of 2116	2260	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe	30
PID 2116 wrote to memory of 2972	2116	Wifi Password Hack 2014.exe	31
PID 2116 wrote to memory of 2972	2116	Wifi Password Hack 2014.exe	31
PID 2116 wrote to memory of 2972	2116	Wifi Password Hack 2014.exe	31
PID 2116 wrote to memory of 2972	2116	Wifi Password Hack 2014.exe	31
PID 2972 wrote to memory of 2744	2972	Wifi.exe	32
PID 2972 wrote to memory of 2744	2972	Wifi.exe	32
PID 2972 wrote to memory of 2744	2972	Wifi.exe	32
PID 2388 wrote to memory of 2584	2388	Server.exe	33
PID 2388 wrote to memory of 2584	2388	Server.exe	33
PID 2388 wrote to memory of 2584	2388	Server.exe	33
PID 2388 wrote to memory of 2584	2388	Server.exe	33

C:\Users\Admin\AppData\Local\Temp\9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe
"C:\Users\Admin\AppData\Local\Temp\9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2584
- C:\Users\Admin\AppData\Local\Temp\Wifi Password Hack 2014.exe
  "C:\Users\Admin\AppData\Local\Temp\Wifi Password Hack 2014.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Extracted\Wifi.exe
    "C:\Extracted\Wifi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 384
      4⤵
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
226B

MD5
6a313f19181d97d006898ad025d4ef6a

SHA1
c090484def4c90eee1d0c974c38940c4f669d771

SHA256
2cfc6311c0e60140a2b804b3bf5ebe2f6eac7e56c3c7c9cab97eba1e361178a6

SHA512
2ed531365117e9e263ace01e8be9780bd9644e3fded528e8508172d08ead753152aff690592afc8143031a62d21537382735c9a1bce795a201873b82eda02021

Download Submit
\Extracted\Wifi.exe

Filesize
69KB

MD5
d890349dbb670a7fcd7e293f5e55b6a5

SHA1
288ae6a90efad5da83dfa4fd3ce0d3981e267a96

SHA256
fd25a7082c8623f4b2397ae4d090d1bd441fee5331b064ff002af3ec13bd77fa

SHA512
b68c3a89482180f1bcc6b21f66e850e90ced6308d5e5618e33a09ff818686fc4c61706d28edefa44742dedc75630a3bee7bd7075828dae72916b82e29bd976aa

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
23KB

MD5
2361cd0f4e2639717d64832700337e5b

SHA1
990a35cc7012d4b6c3eb7bb7c167e113349ab6bd

SHA256
43357bcafd427aaf96fdf3495bf38ba402090b7ac9b46ba13520381f5027d1ad

SHA512
9d55edcc78e7547aea6f15b9439b6140adac6df2b1f3f0e45333a2337a9dffc9522525b1df27e25cfd56f451d3dcd8f44f5cd84a743fefc046467e170dbf2971

Download Submit
\Users\Admin\AppData\Local\Temp\Wifi Password Hack 2014.exe

Filesize
217KB

MD5
27a51cbe1f0290b27b5e936356446b58

SHA1
cfc304447b7f07774ede994ccecc9db69a95b978

SHA256
8128299e7b54c80d097ea7ee65a47d78bc45a5ff99f98fe59195d58fd94dceed

SHA512
1ded2a9b56565547b0280c8ef04db474e50adf3b030bbf12df88514781fb146afc38d0e87c66756bd654c5741c4f49ddacd041828a73213abcbf938edfb64112

Download Submit
memory/2260-16-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2388-10-0x0000000074671000-0x0000000074672000-memory.dmp

Filesize
4KB

Download
memory/2388-45-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/2388-46-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/2388-47-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/2388-48-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads