modiloader | 9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe
Size

270KB
MD5

92224916dece7e83fe34e50756dc866b
SHA1

ce1221fd9fd4f2373d1b2a69bcff3480da35ad23
SHA256

9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef
SHA512

f7beb58ae58662eba921e3f0c82b225417f3ab2970ae58050630fd336fddc64b68350dc33ca99405157fa50711f08155dac590e1fe6cdf39b6a81fe3898424be
SSDEEP

6144:apFZywoS9KT/qXAtzF5jaaFqgDfZstH1Sb:8ZdPKXjaaFqist4b

Score

10^/10

modiloader njrat discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/2384-15-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4800	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Wifi Password Hack 2014.exe

Executes dropped EXE 4 IoCs

pid	Process
552	Server.exe
4696	Wifi Password Hack 2014.exe
4184	Wifi.exe
1412	Wifi Password Hack 2014.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3e4e59d01ea7e23f9eec413d2bd64504 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3e4e59d01ea7e23f9eec413d2bd64504 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wifi Password Hack 2014.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wifi Password Hack 2014.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeBackupPrivilege	936	dw20.exe
Token: SeBackupPrivilege	936	dw20.exe
Token: SeDebugPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe
Token: 33	552	Server.exe
Token: SeIncBasePriorityPrivilege	552	Server.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 552	2384	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe	82
PID 2384 wrote to memory of 552	2384	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe	82
PID 2384 wrote to memory of 552	2384	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe	82
PID 2384 wrote to memory of 4696	2384	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe	83
PID 2384 wrote to memory of 4696	2384	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe	83
PID 2384 wrote to memory of 4696	2384	9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe	83
PID 4696 wrote to memory of 4184	4696	Wifi Password Hack 2014.exe	84
PID 4696 wrote to memory of 4184	4696	Wifi Password Hack 2014.exe	84
PID 4184 wrote to memory of 936	4184	Wifi.exe	85
PID 4184 wrote to memory of 936	4184	Wifi.exe	85
PID 4696 wrote to memory of 1412	4696	Wifi Password Hack 2014.exe	87
PID 4696 wrote to memory of 1412	4696	Wifi Password Hack 2014.exe	87
PID 4696 wrote to memory of 1412	4696	Wifi Password Hack 2014.exe	87
PID 552 wrote to memory of 4800	552	Server.exe	92
PID 552 wrote to memory of 4800	552	Server.exe	92
PID 552 wrote to memory of 4800	552	Server.exe	92

C:\Users\Admin\AppData\Local\Temp\9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe
"C:\Users\Admin\AppData\Local\Temp\9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4800
- C:\Users\Admin\AppData\Local\Temp\Wifi Password Hack 2014.exe
  "C:\Users\Admin\AppData\Local\Temp\Wifi Password Hack 2014.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Extracted\Wifi.exe
    "C:\Extracted\Wifi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 824
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:936
- - C:\Extracted\Wifi Password Hack 2014.exe
    "C:\Extracted\Wifi Password Hack 2014.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\Wifi Password Hack 2014.exe

Filesize
95KB

MD5
ceb33e90bc90c8b6dad6e20d0756405d

SHA1
d1bb29aa192f49e87824490f5afdbf1e2dffbe34

SHA256
590213081e69fb24eceabb4947b939b9451f2ee87ae7c3a6441e970e3eff3979

SHA512
9c04ed1e0bce4faf79627bafffa9c8c87ad20d0845903c52f51fad927e7237e88b468afe3c43fc64fc7f39e29484ed5bdabd5523641f2d62386ba99c868298ae

Download Submit
C:\Extracted\Wifi.exe

Filesize
69KB

MD5
d890349dbb670a7fcd7e293f5e55b6a5

SHA1
288ae6a90efad5da83dfa4fd3ce0d3981e267a96

SHA256
fd25a7082c8623f4b2397ae4d090d1bd441fee5331b064ff002af3ec13bd77fa

SHA512
b68c3a89482180f1bcc6b21f66e850e90ced6308d5e5618e33a09ff818686fc4c61706d28edefa44742dedc75630a3bee7bd7075828dae72916b82e29bd976aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
23KB

MD5
2361cd0f4e2639717d64832700337e5b

SHA1
990a35cc7012d4b6c3eb7bb7c167e113349ab6bd

SHA256
43357bcafd427aaf96fdf3495bf38ba402090b7ac9b46ba13520381f5027d1ad

SHA512
9d55edcc78e7547aea6f15b9439b6140adac6df2b1f3f0e45333a2337a9dffc9522525b1df27e25cfd56f451d3dcd8f44f5cd84a743fefc046467e170dbf2971

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wifi Password Hack 2014.exe

Filesize
217KB

MD5
27a51cbe1f0290b27b5e936356446b58

SHA1
cfc304447b7f07774ede994ccecc9db69a95b978

SHA256
8128299e7b54c80d097ea7ee65a47d78bc45a5ff99f98fe59195d58fd94dceed

SHA512
1ded2a9b56565547b0280c8ef04db474e50adf3b030bbf12df88514781fb146afc38d0e87c66756bd654c5741c4f49ddacd041828a73213abcbf938edfb64112

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
226B

MD5
6a313f19181d97d006898ad025d4ef6a

SHA1
c090484def4c90eee1d0c974c38940c4f669d771

SHA256
2cfc6311c0e60140a2b804b3bf5ebe2f6eac7e56c3c7c9cab97eba1e361178a6

SHA512
2ed531365117e9e263ace01e8be9780bd9644e3fded528e8508172d08ead753152aff690592afc8143031a62d21537382735c9a1bce795a201873b82eda02021

Download Submit
memory/552-75-0x0000000073AA0000-0x0000000074051000-memory.dmp

Filesize
5.7MB

Download
memory/552-33-0x0000000073AA2000-0x0000000073AA3000-memory.dmp

Filesize
4KB

Download
memory/552-37-0x0000000073AA0000-0x0000000074051000-memory.dmp

Filesize
5.7MB

Download
memory/552-44-0x0000000073AA0000-0x0000000074051000-memory.dmp

Filesize
5.7MB

Download
memory/552-74-0x0000000073AA0000-0x0000000074051000-memory.dmp

Filesize
5.7MB

Download
memory/552-73-0x0000000073AA2000-0x0000000073AA3000-memory.dmp

Filesize
4KB

Download
memory/1412-70-0x0000000005AA0000-0x0000000005B32000-memory.dmp

Filesize
584KB

Download
memory/1412-67-0x0000000000FD0000-0x0000000000FF0000-memory.dmp

Filesize
128KB

Download
memory/1412-68-0x0000000005910000-0x00000000059AC000-memory.dmp

Filesize
624KB

Download
memory/1412-69-0x0000000005FB0000-0x0000000006554000-memory.dmp

Filesize
5.6MB

Download
memory/1412-71-0x0000000005A40000-0x0000000005A4A000-memory.dmp

Filesize
40KB

Download
memory/1412-72-0x0000000005CB0000-0x0000000005D06000-memory.dmp

Filesize
344KB

Download
memory/2384-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4184-50-0x000000001BE20000-0x000000001C2EE000-memory.dmp

Filesize
4.8MB

Download
memory/4184-49-0x000000001B810000-0x000000001B946000-memory.dmp

Filesize
1.2MB

Download
memory/4184-48-0x0000000001130000-0x0000000001140000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads