modiloader | 82710d571d2e14e30e49cd8921e76a9b862aa32a8099bf6dec2d609f749408df

Analysis

max time kernel
91s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 05:42

Target

82710d571d2e14e30e49cd8921e76a9b862aa32a8099bf6dec2d609f749408df.exe
Size

745KB
MD5

7864fb038aa5c050aa4b50c4654531c0
SHA1

c8f403ee0b5f8ce556472acdca7271899b8897c0
SHA256

82710d571d2e14e30e49cd8921e76a9b862aa32a8099bf6dec2d609f749408df
SHA512

520635a24eb273d6085de5ba4d76acec999988ccdc5d3e917465f6341110337cbe6f2fa9b5c64dca8703967a1377c0bf49f43069ef29d120a6606f306e3d5001
SSDEEP

12288:1UTfnK1qaa3TKM/9n0GDJP8Xn8/J1HBh5kF3Z4mxx2+jAh/078w5jAlCs:+TvYUTDKGDYn8/J1HBh6QmX2+ss7/lAN

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/1396-136-0x0000000000400000-0x000000000057F600-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1396 set thread context of 3040	1396	82710d571d2e14e30e49cd8921e76a9b862aa32a8099bf6dec2d609f749408df.exe	84

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	82710d571d2e14e30e49cd8921e76a9b862aa32a8099bf6dec2d609f749408df.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5020	1396	WerFault.exe	81
3308	3040	WerFault.exe	84

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 3040	1396	82710d571d2e14e30e49cd8921e76a9b862aa32a8099bf6dec2d609f749408df.exe	84
PID 1396 wrote to memory of 3040	1396	82710d571d2e14e30e49cd8921e76a9b862aa32a8099bf6dec2d609f749408df.exe	84
PID 1396 wrote to memory of 3040	1396	82710d571d2e14e30e49cd8921e76a9b862aa32a8099bf6dec2d609f749408df.exe	84
PID 1396 wrote to memory of 3040	1396	82710d571d2e14e30e49cd8921e76a9b862aa32a8099bf6dec2d609f749408df.exe	84
PID 1396 wrote to memory of 3040	1396	82710d571d2e14e30e49cd8921e76a9b862aa32a8099bf6dec2d609f749408df.exe	84

C:\Users\Admin\AppData\Local\Temp\82710d571d2e14e30e49cd8921e76a9b862aa32a8099bf6dec2d609f749408df.exe
"C:\Users\Admin\AppData\Local\Temp\82710d571d2e14e30e49cd8921e76a9b862aa32a8099bf6dec2d609f749408df.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 324
  2⤵
  - Program crash
  PID:5020
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\system32\mstsc.exe"
  2⤵
  PID:3040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 12
    3⤵
    - Program crash
    PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1396 -ip 1396
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3040 -ip 3040
1⤵
PID:1852

memory/1396-132-0x0000000000400000-0x000000000057F600-memory.dmp

Filesize
1.5MB

Download
memory/1396-133-0x0000000000AC0000-0x0000000000B14000-memory.dmp

Filesize
336KB

Download
memory/1396-136-0x0000000000400000-0x000000000057F600-memory.dmp

Filesize
1.5MB

Download
memory/3040-135-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download