modiloader | b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4f

General

Target

b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe
Size

376KB
MD5

f6c65d3d7783d6c6b21383e4ee50f6d0
SHA1

28f16d6c44991249b52af17e134649bfd1911ad6
SHA256

b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4f
SHA512

f9b5d9b1de92039f6c06994a7ac4dfaede3abf51e085fad07f52ae227910eab21e0e1c984812800debc90dccbd08698bb7c845c434a36a4766511173cc9bfa68
SSDEEP

6144:c9ctxJKFzDz8KFykipAjWnt7Q4VonPGgmFrrDciW1oreICFpz7K/obXko4:c6XKxYKBipBgBmFrrDcixeIkp6/GXko4

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/4812-7-0x0000000000400000-0x0000000000418000-memory.dmp	modiloader_stage2

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	update1.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	update1.exe

Executes dropped EXE 4 IoCs

pid	Process
4256	update2.exe
2140	update1.exe
2996	update2.exe
1144	auditpol.exe

Loads dropped DLL 1 IoCs

pid	Process
1144	auditpol.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\auditpol = "C:\\Users\\Admin\\AppData\\Local\\auditpol.exe"	update1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\auditpol = "C:\\Users\\Admin\\AppData\\Local\\auditpol.exe"	update1.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4812 set thread context of 976	4812	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe	85
PID 4256 set thread context of 2996	4256	update2.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auditpol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	update1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4256	update2.exe
1144	auditpol.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 976	4812	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe	85
PID 4812 wrote to memory of 976	4812	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe	85
PID 4812 wrote to memory of 976	4812	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe	85
PID 4812 wrote to memory of 976	4812	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe	85
PID 4812 wrote to memory of 976	4812	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe	85
PID 4812 wrote to memory of 976	4812	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe	85
PID 4812 wrote to memory of 976	4812	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe	85
PID 976 wrote to memory of 4256	976	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe	86
PID 976 wrote to memory of 4256	976	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe	86
PID 976 wrote to memory of 4256	976	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe	86
PID 976 wrote to memory of 2140	976	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe	89
PID 976 wrote to memory of 2140	976	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe	89
PID 976 wrote to memory of 2140	976	b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe	89
PID 4256 wrote to memory of 2996	4256	update2.exe	90
PID 4256 wrote to memory of 2996	4256	update2.exe	90
PID 4256 wrote to memory of 2996	4256	update2.exe	90
PID 4256 wrote to memory of 2996	4256	update2.exe	90
PID 4256 wrote to memory of 2996	4256	update2.exe	90
PID 4256 wrote to memory of 2996	4256	update2.exe	90
PID 4256 wrote to memory of 2996	4256	update2.exe	90
PID 4256 wrote to memory of 2996	4256	update2.exe	90
PID 2140 wrote to memory of 1144	2140	update1.exe	92
PID 2140 wrote to memory of 1144	2140	update1.exe	92
PID 2140 wrote to memory of 1144	2140	update1.exe	92

C:\Users\Admin\AppData\Local\Temp\b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe
"C:\Users\Admin\AppData\Local\Temp\b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe
  b01a47c8562851b30cca233f6124d279c20b4c93ef99a64eaa9b1824ae5ccc4fN.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\update2.exe
    "C:\Users\Admin\AppData\Local\Temp\update2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\update2.exe
      C:\Users\Admin\AppData\Local\Temp\update2.exe
      4⤵
      Executes dropped EXE
      PID:2996
- - C:\Users\Admin\AppData\Local\Temp\update1.exe
    "C:\Users\Admin\AppData\Local\Temp\update1.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Users\Admin\AppData\Local\auditpol.exe
      "C:\Users\Admin\AppData\Local\auditpol.exe" C:\Users\Admin\AppData\Local\Temp\update1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1144

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- System Location Discovery: System Language Discovery
PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9BB3.tmp

Filesize
64KB

MD5
9f036c83663c4a3e5f5382adf6f32bcc

SHA1
842870e3dfb3ee76e927d93c517f9753c872d751

SHA256
4eeef6ad75578f995af8f662d5a33581fafb19de9b5dd1fb7d9294fa80172874

SHA512
097b79b332810ff212fe59c60f2480c99538f8b0309c35c2955d9e5c677047569edadc8669cbf82ca21667ec71449f3e34542c8d24b065845efe228eaaae13c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BB4.tmp

Filesize
24KB

MD5
91029d37cf86ecc5d58605676eab6643

SHA1
e6b6bcd7bb30b8c8bb05489a89238eb4793c38fe

SHA256
d4bda0161466452d3f75d14472720d95d168ac09e2d63fedef45538576f98e0b

SHA512
377b33a534f955e48299f2532216482ee14ae17a4e52a44b2a40b98c4b274505e60fb1c07c61f4e84644644fd4757f8dcefc12359712fe53ad9e4122bd12961e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BB6.tmp

Filesize
884B

MD5
3f0493d494f1ca681c73976f4f97c262

SHA1
51766ebd206c8a62b3e1604fd64ac7be896fe909

SHA256
aa4f8c0fff53953056dff9c26af2c2bb97245c32d523982981d307270f48a308

SHA512
ea7a4717238285dbce3336d30410d8647ebfa37d858f92c555f8d0ce2722516ad435d2f8bad2359699fbfe84094b1464795f8657bf7d570aea761abef5027b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\update1.exe

Filesize
144KB

MD5
de8b2505379dc0690000155dc1d4b849

SHA1
a9a703a20b6536d3d80f5e657b26c409e00c4162

SHA256
f3e0cb8e1603b70209208e67961d9c5cc0b07e31e1cfebcffb2603218ab7dd50

SHA512
9d1ec27407edc66867083bb27d3f6fa37040948ebdf19a9ab55dc280d33c5525294a92ccde24dbb0985e67aba058080a169a52531a081a6d0cb46cf41e5ff2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\update2.exe

Filesize
159KB

MD5
70f92610b1bd700ff472997dfecb689c

SHA1
ddac19bc8d97f9ac1d1c754b7193eac5f4b249f7

SHA256
bd30f98ffb8d8cfb4868253e51d5a5927aeb53ac4d9e431a4ba8fc3517a76423

SHA512
564003358a8fdb727838f5962af9c25cca1b5e7b8021e7e74babf14fc12d989414ff77f81918784fdf684cb8c19b82ffcacee3a0fa1e85001fc1ee6b614124bb

Download Submit
memory/976-32-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/976-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/976-5-0x0000000000400000-0x000000000044E0A1-memory.dmp

Filesize
312KB

Download
memory/976-31-0x0000000000400000-0x000000000044E0A1-memory.dmp

Filesize
312KB

Download
memory/976-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/976-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/976-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1144-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1144-69-0x00000000005E0000-0x00000000005ED000-memory.dmp

Filesize
52KB

Download
memory/1144-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1144-68-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2140-33-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2140-64-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2140-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2996-45-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2996-46-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2996-43-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2996-40-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4256-48-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4256-21-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4256-19-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4812-7-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads