modiloader | 4a7f380de68e6969bcedffe6c7d5b01ac9ecd1f4df9f2bb79fb7fec94252e095

Analysis

max time kernel
91s
max time network
111s
platform
windows10_x64
resource
win10v20201028
submitted
08-04-2021 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48234a387e7777a7a284acb8f0bfef52.exe
Size

637KB
MD5

48234a387e7777a7a284acb8f0bfef52
SHA1

b34a895fe511e36af09231c1239577a565e380e6
SHA256

4a7f380de68e6969bcedffe6c7d5b01ac9ecd1f4df9f2bb79fb7fec94252e095
SHA512

e3f7fefb4ba37baeea23603a9a4c48197efb54495741d613f8eddc58074f8cbe20658406c949fff510730eed8dc000cd61550b7b69e2c668cc43f6b2cb60e546

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1976 created 2764 1976 WerFault.exe ieinstal.exe

description	pid	process	target process
PID 1976 created 2764	1976	WerFault.exe	ieinstal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

48234a387e7777a7a284acb8f0bfef52.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hgyoib = "C:\\Users\\Public\\Libraries\\bioygH.url"	48234a387e7777a7a284acb8f0bfef52.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1976 2764 WerFault.exe ieinstal.exe

pid	pid_target	process	target process
1976	2764	WerFault.exe	ieinstal.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

48234a387e7777a7a284acb8f0bfef52.exe

description	pid	process	target process
PID 3920 wrote to memory of 2764	3920	48234a387e7777a7a284acb8f0bfef52.exe	ieinstal.exe
PID 3920 wrote to memory of 2764	3920	48234a387e7777a7a284acb8f0bfef52.exe	ieinstal.exe
PID 3920 wrote to memory of 2764	3920	48234a387e7777a7a284acb8f0bfef52.exe	ieinstal.exe
PID 3920 wrote to memory of 2764	3920	48234a387e7777a7a284acb8f0bfef52.exe	ieinstal.exe
PID 3920 wrote to memory of 2764	3920	48234a387e7777a7a284acb8f0bfef52.exe	ieinstal.exe
PID 3920 wrote to memory of 2764	3920	48234a387e7777a7a284acb8f0bfef52.exe	ieinstal.exe
PID 3920 wrote to memory of 2764	3920	48234a387e7777a7a284acb8f0bfef52.exe	ieinstal.exe
PID 3920 wrote to memory of 2764	3920	48234a387e7777a7a284acb8f0bfef52.exe	ieinstal.exe
PID 3920 wrote to memory of 2764	3920	48234a387e7777a7a284acb8f0bfef52.exe	ieinstal.exe

C:\Users\Admin\AppData\Local\Temp\48234a387e7777a7a284acb8f0bfef52.exe
"C:\Users\Admin\AppData\Local\Temp\48234a387e7777a7a284acb8f0bfef52.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3920

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
2⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 84
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2764-119-0x0000000000000000-mapping.dmp

Download
memory/3920-114-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/3920-116-0x0000000002880000-0x000000000289A000-memory.dmp

Filesize
104KB

Download