modiloader | 2cbccb76adf567a82d9d6fcbf7a6c02bce157e1870df149af7391b20b9fdc672

Analysis

max time kernel
125s
max time network
152s
platform
windows10_x64
resource
win10-en-20211208
submitted
10-12-2021 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f559c7ea254285bab84e60d2a5e8037.exe
Size

922KB
MD5

0f559c7ea254285bab84e60d2a5e8037
SHA1

388cfbde34fcc37f5f334ef39d29b5f3e655fed0
SHA256

2cbccb76adf567a82d9d6fcbf7a6c02bce157e1870df149af7391b20b9fdc672
SHA512

9184568937a92cd99d4dc2981dae9bdad139781a1bce87c553b9dad6052654531f2f9ebfc72977e00d2bd4b24a11671317e5cd778150c5a915ec87b739b77ef0

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4080-124-0x00000000021A1000-0x00000000021B5000-memory.dmp	modiloader_stage1
behavioral2/memory/1956-139-0x0000000002A91000-0x0000000002AA5000-memory.dmp	modiloader_stage1

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1956-144-0x0000000003A61000-0x0000000003A78000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

Processes:

fodhelper.exefodhelper.exefodhelper.exefodhelper.exe

pid process

4080 fodhelper.exe
636 fodhelper.exe
1956 fodhelper.exe
1240 fodhelper.exe

pid	process
4080	fodhelper.exe
636	fodhelper.exe
1956	fodhelper.exe
1240	fodhelper.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

0f559c7ea254285bab84e60d2a5e8037.exefodhelper.exefodhelper.exe

description	pid	process	target process
PID 3616 set thread context of 3564	3616	0f559c7ea254285bab84e60d2a5e8037.exe	0f559c7ea254285bab84e60d2a5e8037.exe
PID 4080 set thread context of 636	4080	fodhelper.exe	fodhelper.exe
PID 1956 set thread context of 1240	1956	fodhelper.exe	fodhelper.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

896 schtasks.exe
3664 schtasks.exe

pid	process
896	schtasks.exe
3664	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

0f559c7ea254285bab84e60d2a5e8037.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	0f559c7ea254285bab84e60d2a5e8037.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0f559c7ea254285bab84e60d2a5e8037.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

0f559c7ea254285bab84e60d2a5e8037.exe0f559c7ea254285bab84e60d2a5e8037.exefodhelper.exefodhelper.exefodhelper.exe

description	pid	process	target process
PID 3616 wrote to memory of 3564	3616	0f559c7ea254285bab84e60d2a5e8037.exe	0f559c7ea254285bab84e60d2a5e8037.exe
PID 3616 wrote to memory of 3564	3616	0f559c7ea254285bab84e60d2a5e8037.exe	0f559c7ea254285bab84e60d2a5e8037.exe
PID 3616 wrote to memory of 3564	3616	0f559c7ea254285bab84e60d2a5e8037.exe	0f559c7ea254285bab84e60d2a5e8037.exe
PID 3616 wrote to memory of 3564	3616	0f559c7ea254285bab84e60d2a5e8037.exe	0f559c7ea254285bab84e60d2a5e8037.exe
PID 3616 wrote to memory of 3564	3616	0f559c7ea254285bab84e60d2a5e8037.exe	0f559c7ea254285bab84e60d2a5e8037.exe
PID 3564 wrote to memory of 896	3564	0f559c7ea254285bab84e60d2a5e8037.exe	schtasks.exe
PID 3564 wrote to memory of 896	3564	0f559c7ea254285bab84e60d2a5e8037.exe	schtasks.exe
PID 3564 wrote to memory of 896	3564	0f559c7ea254285bab84e60d2a5e8037.exe	schtasks.exe
PID 4080 wrote to memory of 636	4080	fodhelper.exe	fodhelper.exe
PID 4080 wrote to memory of 636	4080	fodhelper.exe	fodhelper.exe
PID 4080 wrote to memory of 636	4080	fodhelper.exe	fodhelper.exe
PID 4080 wrote to memory of 636	4080	fodhelper.exe	fodhelper.exe
PID 4080 wrote to memory of 636	4080	fodhelper.exe	fodhelper.exe
PID 636 wrote to memory of 3664	636	fodhelper.exe	schtasks.exe
PID 636 wrote to memory of 3664	636	fodhelper.exe	schtasks.exe
PID 636 wrote to memory of 3664	636	fodhelper.exe	schtasks.exe
PID 1956 wrote to memory of 1240	1956	fodhelper.exe	fodhelper.exe
PID 1956 wrote to memory of 1240	1956	fodhelper.exe	fodhelper.exe
PID 1956 wrote to memory of 1240	1956	fodhelper.exe	fodhelper.exe
PID 1956 wrote to memory of 1240	1956	fodhelper.exe	fodhelper.exe
PID 1956 wrote to memory of 1240	1956	fodhelper.exe	fodhelper.exe

C:\Users\Admin\AppData\Local\Temp\0f559c7ea254285bab84e60d2a5e8037.exe
"C:\Users\Admin\AppData\Local\Temp\0f559c7ea254285bab84e60d2a5e8037.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Users\Admin\AppData\Local\Temp\0f559c7ea254285bab84e60d2a5e8037.exe
  C:\Users\Admin\AppData\Local\Temp\0f559c7ea254285bab84e60d2a5e8037.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
    3⤵
    - Creates scheduled task(s)
    PID:896

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3664

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
7f997e364440385cf76045b4b6258bc2

SHA1
133867043c8bfc9809a9394f072f8599c2831720

SHA256
f30e2708743a73666cca5ec8bef719bfed63a994112e8675d6a84f5d3c47b8f3

SHA512
d1c913297a566c475c6cc20cd2e1d340c90afc789b46794fd38715dabb96bdd3584efdb97e6273f547083e066859f1683d50136dd916f7abd3c7e5f6448150ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_E0700C7313F9B9A61F642FCBB2500663

MD5
1097d8b950738c3ca1d53645565ab093

SHA1
986fcdfad1be23e0e7c160d5513c8a957f28e045

SHA256
ad7e8f7ff625381a69fd508d5072fa075467a00d2dbcae9c7e11e6a00b80baa0

SHA512
e09ce31a218807433866c83d4d68f07ab869938ae7d465db6635e449c1be8198c7fccd9692dcca000d072c226b32c42c592a94077dd5dbcfd7227db10f000c08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
61e098653a5cd0c15c9b77da2ebbddf2

SHA1
6f15f1f9238a082c5290d9e524c9508e25cfe2e9

SHA256
523b0d5fba1bd75a12a05644bb7c2e0fe1cf9ddf33f4ab2e13678b449d437ad0

SHA512
1b47fb4e0455a27ffb2610b1d14b9c891105c94cd8a8535f571fce0698fdd4e721d23a0230a9ef0b6838b641ffae7aa1e67f92ec5f4fc7abad4a509e389b74c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
736723bb58c5f9cf50a8a39fa648d8f5

SHA1
942770d491ca41f703efa800e4688d42d2435f57

SHA256
7d4b0e8bb20cdb9da9a91b9f74681bf834605ed34688d30e2d41c6cb38e4ec3a

SHA512
2316ab138d8011b5ca201fedb0a0aec8d3ca434f940f26908e2c5e51a96e22e32ad0419591b6f4e2d12cb633dad5c5498f968bddee165e7d11ad880d1bc30274

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_E0700C7313F9B9A61F642FCBB2500663

MD5
dc73be95a61776082e34077b2a2557f9

SHA1
10ee4fddf9eeb3bbd4fc295cd4611e47c6d142e8

SHA256
b0bde6335d6a98b60479addd70cc8450e89111997b3b54a01ff3e24a148c4625

SHA512
64fd005fa72731c7ef8f41599b60db3e14c57e3a4a7698cfa14d01d494e8bf0c937412fb1c720a9de7760f76c53ecbbf3c3065d54b26c80fe6c1f798ee7831e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
e97b21ff097908d0fd8ac0645d3f263c

SHA1
7f2d7ab114eb88b07c4c05332cefa4d50ffdacfe

SHA256
1973e9f88948cf884c37ff4ac2e5c2992e11dbdd690c434e2142bfea6b57d80e

SHA512
88e9aa425cf81b39a1435334932b6028ac9ae914bc81139942972c030995acb3061bc852cda8c8514dcbbd02b40634aa173fff17af803452fe4c7da97a1e6d0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6KXLFSUN\Cdlfyqnjpnryjffmuvkpoubkyuajrzq[1].htm

MD5
1f1d28875f2782638dd9ee072ebecb7e

SHA1
2dc58874eb002d0a9ec5ecded19d1e1523577421

SHA256
849add4aa76d040ca6fc9fb886c61101a11f8ca472029921b6dd4829890b448b

SHA512
0a17e30a8875875287bb1f1789084b0e38a500a10e354f3eae707a9aac5fc840bd5dc58e73315d48e75f93cb00bd8f781f88b8c86b7b936524f08881cfeef46d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6KXLFSUN\Cdlfyqnjpnryjffmuvkpoubkyuajrzq[1].htm

MD5
1f1d28875f2782638dd9ee072ebecb7e

SHA1
2dc58874eb002d0a9ec5ecded19d1e1523577421

SHA256
849add4aa76d040ca6fc9fb886c61101a11f8ca472029921b6dd4829890b448b

SHA512
0a17e30a8875875287bb1f1789084b0e38a500a10e354f3eae707a9aac5fc840bd5dc58e73315d48e75f93cb00bd8f781f88b8c86b7b936524f08881cfeef46d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLCVK3O5\Cdlfyqnjpnryjffmuvkpoubkyuajrzq[1].bmp

MD5
97b17a754ea11f763c0a8e7b77bee4f5

SHA1
c219ddd3dd96c70b129628de74f9bd7bccfa7033

SHA256
9b03641e0476593d970073c3b3e84510c5c2a4ea85a7909dee78aa8eecb65f9e

SHA512
cc418eb70a70a90d34ec5cd4d3aced98931cb2392bb3c950e86b5941a6381d88a8d9980d4ef83f53132dc691f48a57038b0d9e2e774fe312d2b3aaf78c7daf99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WAC9CGRV\Cdlfyqnjpnryjffmuvkpoubkyuajrzq[1].bmp

MD5
97b17a754ea11f763c0a8e7b77bee4f5

SHA1
c219ddd3dd96c70b129628de74f9bd7bccfa7033

SHA256
9b03641e0476593d970073c3b3e84510c5c2a4ea85a7909dee78aa8eecb65f9e

SHA512
cc418eb70a70a90d34ec5cd4d3aced98931cb2392bb3c950e86b5941a6381d88a8d9980d4ef83f53132dc691f48a57038b0d9e2e774fe312d2b3aaf78c7daf99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

MD5
0f559c7ea254285bab84e60d2a5e8037

SHA1
388cfbde34fcc37f5f334ef39d29b5f3e655fed0

SHA256
2cbccb76adf567a82d9d6fcbf7a6c02bce157e1870df149af7391b20b9fdc672

SHA512
9184568937a92cd99d4dc2981dae9bdad139781a1bce87c553b9dad6052654531f2f9ebfc72977e00d2bd4b24a11671317e5cd778150c5a915ec87b739b77ef0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

MD5
0f559c7ea254285bab84e60d2a5e8037

SHA1
388cfbde34fcc37f5f334ef39d29b5f3e655fed0

SHA256
2cbccb76adf567a82d9d6fcbf7a6c02bce157e1870df149af7391b20b9fdc672

SHA512
9184568937a92cd99d4dc2981dae9bdad139781a1bce87c553b9dad6052654531f2f9ebfc72977e00d2bd4b24a11671317e5cd778150c5a915ec87b739b77ef0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

MD5
0f559c7ea254285bab84e60d2a5e8037

SHA1
388cfbde34fcc37f5f334ef39d29b5f3e655fed0

SHA256
2cbccb76adf567a82d9d6fcbf7a6c02bce157e1870df149af7391b20b9fdc672

SHA512
9184568937a92cd99d4dc2981dae9bdad139781a1bce87c553b9dad6052654531f2f9ebfc72977e00d2bd4b24a11671317e5cd778150c5a915ec87b739b77ef0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

MD5
0f559c7ea254285bab84e60d2a5e8037

SHA1
388cfbde34fcc37f5f334ef39d29b5f3e655fed0

SHA256
2cbccb76adf567a82d9d6fcbf7a6c02bce157e1870df149af7391b20b9fdc672

SHA512
9184568937a92cd99d4dc2981dae9bdad139781a1bce87c553b9dad6052654531f2f9ebfc72977e00d2bd4b24a11671317e5cd778150c5a915ec87b739b77ef0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

MD5
0f559c7ea254285bab84e60d2a5e8037

SHA1
388cfbde34fcc37f5f334ef39d29b5f3e655fed0

SHA256
2cbccb76adf567a82d9d6fcbf7a6c02bce157e1870df149af7391b20b9fdc672

SHA512
9184568937a92cd99d4dc2981dae9bdad139781a1bce87c553b9dad6052654531f2f9ebfc72977e00d2bd4b24a11671317e5cd778150c5a915ec87b739b77ef0

Download Submit
memory/636-135-0x00000000005115AA-mapping.dmp

Download
memory/896-121-0x0000000000000000-mapping.dmp

Download
memory/1240-146-0x00000000005115AA-mapping.dmp

Download
memory/1956-139-0x0000000002A91000-0x0000000002AA5000-memory.dmp

Filesize
80KB

Download
memory/1956-144-0x0000000003A61000-0x0000000003A78000-memory.dmp

Filesize
92KB

Download
memory/1956-143-0x0000000003A60000-0x0000000003A61000-memory.dmp

Filesize
4KB

Download
memory/1956-140-0x0000000000540000-0x00000000005EE000-memory.dmp

Filesize
696KB

Download
memory/3564-118-0x00000000005115AA-mapping.dmp

Download
memory/3564-117-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/3564-120-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/3564-119-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/3616-115-0x00000000005C0000-0x000000000070A000-memory.dmp

Filesize
1.3MB

Download
memory/3664-137-0x0000000000000000-mapping.dmp

Download
memory/4080-125-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/4080-124-0x00000000021A1000-0x00000000021B5000-memory.dmp

Filesize
80KB

Download