modiloader | 2cbccb76adf567a82d9d6fcbf7a6c02bce157e1870df149af7391b20b9fdc672

Analysis

max time kernel
122s
max time network
130s
platform
windows7_x64
resource
win7-en-20211208
submitted
10/12/2021, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f559c7ea254285bab84e60d2a5e8037.exe
Size

922KB
MD5

0f559c7ea254285bab84e60d2a5e8037
SHA1

388cfbde34fcc37f5f334ef39d29b5f3e655fed0
SHA256

2cbccb76adf567a82d9d6fcbf7a6c02bce157e1870df149af7391b20b9fdc672
SHA512

9184568937a92cd99d4dc2981dae9bdad139781a1bce87c553b9dad6052654531f2f9ebfc72977e00d2bd4b24a11671317e5cd778150c5a915ec87b739b77ef0

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 3 IoCs

resource	yara_rule
behavioral1/memory/1528-55-0x00000000003E1000-0x00000000003F5000-memory.dmp	modiloader_stage1
behavioral1/memory/1144-68-0x0000000000571000-0x0000000000585000-memory.dmp	modiloader_stage1
behavioral1/memory/1604-88-0x00000000004F1000-0x0000000000505000-memory.dmp	modiloader_stage1

Executes dropped EXE 4 IoCs

pid	Process
1144	fodhelper.exe
1956	fodhelper.exe
1604	fodhelper.exe
964	fodhelper.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1528 set thread context of 428	1528	0f559c7ea254285bab84e60d2a5e8037.exe	29
PID 1144 set thread context of 1956	1144	fodhelper.exe	34
PID 1604 set thread context of 964	1604	fodhelper.exe	40

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1628	schtasks.exe
1612	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	0f559c7ea254285bab84e60d2a5e8037.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0f559c7ea254285bab84e60d2a5e8037.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0f559c7ea254285bab84e60d2a5e8037.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0f559c7ea254285bab84e60d2a5e8037.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 428	1528	0f559c7ea254285bab84e60d2a5e8037.exe	29
PID 1528 wrote to memory of 428	1528	0f559c7ea254285bab84e60d2a5e8037.exe	29
PID 1528 wrote to memory of 428	1528	0f559c7ea254285bab84e60d2a5e8037.exe	29
PID 1528 wrote to memory of 428	1528	0f559c7ea254285bab84e60d2a5e8037.exe	29
PID 1528 wrote to memory of 428	1528	0f559c7ea254285bab84e60d2a5e8037.exe	29
PID 1528 wrote to memory of 428	1528	0f559c7ea254285bab84e60d2a5e8037.exe	29
PID 428 wrote to memory of 1628	428	0f559c7ea254285bab84e60d2a5e8037.exe	30
PID 428 wrote to memory of 1628	428	0f559c7ea254285bab84e60d2a5e8037.exe	30
PID 428 wrote to memory of 1628	428	0f559c7ea254285bab84e60d2a5e8037.exe	30
PID 428 wrote to memory of 1628	428	0f559c7ea254285bab84e60d2a5e8037.exe	30
PID 1952 wrote to memory of 1144	1952	taskeng.exe	33
PID 1952 wrote to memory of 1144	1952	taskeng.exe	33
PID 1952 wrote to memory of 1144	1952	taskeng.exe	33
PID 1952 wrote to memory of 1144	1952	taskeng.exe	33
PID 1144 wrote to memory of 1956	1144	fodhelper.exe	34
PID 1144 wrote to memory of 1956	1144	fodhelper.exe	34
PID 1144 wrote to memory of 1956	1144	fodhelper.exe	34
PID 1144 wrote to memory of 1956	1144	fodhelper.exe	34
PID 1144 wrote to memory of 1956	1144	fodhelper.exe	34
PID 1144 wrote to memory of 1956	1144	fodhelper.exe	34
PID 1956 wrote to memory of 1612	1956	fodhelper.exe	35
PID 1956 wrote to memory of 1612	1956	fodhelper.exe	35
PID 1956 wrote to memory of 1612	1956	fodhelper.exe	35
PID 1956 wrote to memory of 1612	1956	fodhelper.exe	35
PID 1952 wrote to memory of 1604	1952	taskeng.exe	39
PID 1952 wrote to memory of 1604	1952	taskeng.exe	39
PID 1952 wrote to memory of 1604	1952	taskeng.exe	39
PID 1952 wrote to memory of 1604	1952	taskeng.exe	39
PID 1604 wrote to memory of 964	1604	fodhelper.exe	40
PID 1604 wrote to memory of 964	1604	fodhelper.exe	40
PID 1604 wrote to memory of 964	1604	fodhelper.exe	40
PID 1604 wrote to memory of 964	1604	fodhelper.exe	40
PID 1604 wrote to memory of 964	1604	fodhelper.exe	40
PID 1604 wrote to memory of 964	1604	fodhelper.exe	40

C:\Users\Admin\AppData\Local\Temp\0f559c7ea254285bab84e60d2a5e8037.exe
"C:\Users\Admin\AppData\Local\Temp\0f559c7ea254285bab84e60d2a5e8037.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\0f559c7ea254285bab84e60d2a5e8037.exe
  C:\Users\Admin\AppData\Local\Temp\0f559c7ea254285bab84e60d2a5e8037.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1628

C:\Windows\system32\taskeng.exe
taskeng.exe {8BD94ECD-7AA2-4D4D-82B6-621CF6439D44} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
      4⤵
      Creates scheduled task(s)
      PID:1612
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
    3⤵
    - Executes dropped EXE
    PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-63-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/428-62-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/428-58-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/428-57-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/1144-69-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1144-68-0x0000000000571000-0x0000000000585000-memory.dmp

Filesize
80KB

Download
memory/1528-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1528-55-0x00000000003E1000-0x00000000003F5000-memory.dmp

Filesize
80KB

Download
memory/1528-56-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1604-89-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1604-88-0x00000000004F1000-0x0000000000505000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads