modiloader | 5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34

Analysis

max time kernel
22s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe
Size

614KB
MD5

64c4b060401081eb18598792c6cab6b9
SHA1

ff1ee61e848a5ae6ae3e7c34bd5c7ae7ed965dab
SHA256

5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34
SHA512

11730fd2df071641c1554a3e0f48e5784bec89f2d00216565fe3c966d40c562429563921bae38d422c9be63ba3c045fc17492dd2f908cdfd0fd82a0849fe9c0a
SSDEEP

12288:iutrzh9xOXkyPaZf7eClizFGi4bOM/aKjhSVaiknpeOzR/0Oqvr0FJUL+LNinxg:iutr5OUyP0zeAAFG9H/aiSVaTpeYhzqW

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 12 IoCs

resource	yara_rule
behavioral1/files/0x00150000000054ab-55.dat	modiloader_stage2
behavioral1/files/0x00150000000054ab-56.dat	modiloader_stage2
behavioral1/files/0x00150000000054ab-58.dat	modiloader_stage2
behavioral1/files/0x00150000000054ab-60.dat	modiloader_stage2
behavioral1/files/0x00150000000054ab-61.dat	modiloader_stage2
behavioral1/files/0x00150000000054ab-66.dat	modiloader_stage2
behavioral1/files/0x0007000000013359-79.dat	modiloader_stage2
behavioral1/files/0x0007000000013359-80.dat	modiloader_stage2
behavioral1/files/0x0007000000013359-83.dat	modiloader_stage2
behavioral1/files/0x0007000000013359-81.dat	modiloader_stage2
behavioral1/files/0x0007000000013359-85.dat	modiloader_stage2
behavioral1/files/0x0007000000013359-90.dat	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
1436	ptpmcc.exe
1408	ptpmcc.exe
560	nvvdir.exe
1376	nvvdir.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe	ptpmcc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe:Zone.Identifier	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
1952	5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe
1952	5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe
1436	ptpmcc.exe
1408	ptpmcc.exe
1408	ptpmcc.exe
560	nvvdir.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1436 set thread context of 1408	1436	ptpmcc.exe	29
PID 560 set thread context of 1376	560	nvvdir.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1376	nvvdir.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1436	1952	5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe	28
PID 1952 wrote to memory of 1436	1952	5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe	28
PID 1952 wrote to memory of 1436	1952	5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe	28
PID 1952 wrote to memory of 1436	1952	5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe	28
PID 1952 wrote to memory of 1436	1952	5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe	28
PID 1952 wrote to memory of 1436	1952	5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe	28
PID 1952 wrote to memory of 1436	1952	5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe	28
PID 1436 wrote to memory of 1408	1436	ptpmcc.exe	29
PID 1436 wrote to memory of 1408	1436	ptpmcc.exe	29
PID 1436 wrote to memory of 1408	1436	ptpmcc.exe	29
PID 1436 wrote to memory of 1408	1436	ptpmcc.exe	29
PID 1436 wrote to memory of 1408	1436	ptpmcc.exe	29
PID 1436 wrote to memory of 1408	1436	ptpmcc.exe	29
PID 1436 wrote to memory of 1408	1436	ptpmcc.exe	29
PID 1436 wrote to memory of 1408	1436	ptpmcc.exe	29
PID 1436 wrote to memory of 1408	1436	ptpmcc.exe	29
PID 1408 wrote to memory of 924	1408	ptpmcc.exe	30
PID 1408 wrote to memory of 924	1408	ptpmcc.exe	30
PID 1408 wrote to memory of 924	1408	ptpmcc.exe	30
PID 1408 wrote to memory of 924	1408	ptpmcc.exe	30
PID 1408 wrote to memory of 924	1408	ptpmcc.exe	30
PID 1408 wrote to memory of 924	1408	ptpmcc.exe	30
PID 1408 wrote to memory of 924	1408	ptpmcc.exe	30
PID 1408 wrote to memory of 560	1408	ptpmcc.exe	32
PID 1408 wrote to memory of 560	1408	ptpmcc.exe	32
PID 1408 wrote to memory of 560	1408	ptpmcc.exe	32
PID 1408 wrote to memory of 560	1408	ptpmcc.exe	32
PID 1408 wrote to memory of 560	1408	ptpmcc.exe	32
PID 1408 wrote to memory of 560	1408	ptpmcc.exe	32
PID 1408 wrote to memory of 560	1408	ptpmcc.exe	32
PID 560 wrote to memory of 1376	560	nvvdir.exe	33
PID 560 wrote to memory of 1376	560	nvvdir.exe	33
PID 560 wrote to memory of 1376	560	nvvdir.exe	33
PID 560 wrote to memory of 1376	560	nvvdir.exe	33
PID 560 wrote to memory of 1376	560	nvvdir.exe	33
PID 560 wrote to memory of 1376	560	nvvdir.exe	33
PID 560 wrote to memory of 1376	560	nvvdir.exe	33
PID 560 wrote to memory of 1376	560	nvvdir.exe	33
PID 560 wrote to memory of 1376	560	nvvdir.exe	33

C:\Users\Admin\AppData\Local\Temp\5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe
"C:\Users\Admin\AppData\Local\Temp\5166c071608a077ab1fa6d6c7c69f150072603fe33a7dca4558b8945842f0e34.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\ptpmcc.exe
  "C:\Users\Admin\AppData\Local\Temp\ptpmcc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\ptpmcc.exe
    "C:\Users\Admin\AppData\Local\Temp\ptpmcc.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C echo>"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe:Zone.Identifier"
      4⤵
      Drops startup file
      PID:924
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\info300.xda

Filesize
39B

MD5
457fec66679f39ce2c1397241514cd92

SHA1
ca450296c8c9936837cf8b144dd463d9bfc51fe9

SHA256
01c7e8936ab6b5aae31b84977eb0498623ee0fc70b80a3e3baceb3164d364219

SHA512
6f26234577589095c81e2bc0cded79e22924c32f6710bef344b0183d10cc5953d323bf03d63c1075500d7235148125519b1d9eb0f8ac41ee478ff1c33446d386

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptpmcc.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptpmcc.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptpmcc.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
C:\Users\Admin\AppData\Roaming\info300.xda

Filesize
39B

MD5
457fec66679f39ce2c1397241514cd92

SHA1
ca450296c8c9936837cf8b144dd463d9bfc51fe9

SHA256
01c7e8936ab6b5aae31b84977eb0498623ee0fc70b80a3e3baceb3164d364219

SHA512
6f26234577589095c81e2bc0cded79e22924c32f6710bef344b0183d10cc5953d323bf03d63c1075500d7235148125519b1d9eb0f8ac41ee478ff1c33446d386

Download Submit
\Users\Admin\AppData\Local\Temp\ptpmcc.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
\Users\Admin\AppData\Local\Temp\ptpmcc.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
\Users\Admin\AppData\Local\Temp\ptpmcc.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvdir.exe

Filesize
553KB

MD5
13c63a639b4b22511c558c45333eed2e

SHA1
8474c43ab16b51e77b105f6afeae3db7a0a42edf

SHA256
fdd395382e2c4f50329fdde8b686cb40992f5e5c5abbfc23c0d107bc1dfcae22

SHA512
696449f323eaa15e008a00fa98f1f17723c32e38e2ae3c6186b2366b95b926039389eb28fff6973f5711c402e5094b6d82e76b190dc993da04116c540cb5494b

Download Submit
memory/1376-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1376-101-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1952-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download