modiloader | 10f5584682c3f5d54ba1e3afd68822c81e8234531c8b1a41e11774b980915c72

Analysis

Target

DHL_119040 документ о получении,doc.exe
Size

756KB
MD5

3b62d1c0b3151a63ebc779d8723596f3
SHA1

865a6e4b1e90b8d4d8e27f13b6795df84267b70c
SHA256

10f5584682c3f5d54ba1e3afd68822c81e8234531c8b1a41e11774b980915c72
SHA512

85d36bf7f352e0d9dd39b5f9646b977dbdbe44bae176a07f78ca4cf1323121fdba68fbb9e8e3d4d90ed9803bc0a66ec9641714d8f9d58a9282c4f7b014e7ca0a

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1884-56-0x0000000001D21000-0x0000000001D35000-memory.dmp	modiloader_stage1

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

696 1884 WerFault.exe DHL_119040 документ о получении,doc.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

696 WerFault.exe
696 WerFault.exe
696 WerFault.exe
696 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

696 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 696 WerFault.exe

pid	pid_target	process	target process
696	1884	WerFault.exe	DHL_119040 документ о получении,doc.exe

pid	process
696	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	696	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

DHL_119040 документ о получении,doc.exe

description	pid	process	target process
PID 1884 wrote to memory of 696	1884	DHL_119040 документ о получении,doc.exe	WerFault.exe
PID 1884 wrote to memory of 696	1884	DHL_119040 документ о получении,doc.exe	WerFault.exe
PID 1884 wrote to memory of 696	1884	DHL_119040 документ о получении,doc.exe	WerFault.exe
PID 1884 wrote to memory of 696	1884	DHL_119040 документ о получении,doc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\DHL_119040 документ о получении,doc.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_119040 документ о получении,doc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 612
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:696

memory/696-57-0x0000000000000000-mapping.dmp

Download
memory/696-58-0x0000000001D10000-0x0000000001DD4000-memory.dmp

Filesize
784KB

Download
memory/1884-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/1884-55-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1884-56-0x0000000001D21000-0x0000000001D35000-memory.dmp

Filesize
80KB

Download