modiloader | 430af6efaf235407de033571f6b459e9f3af6d9ea67a0febe1829c86af5dceb0

Analysis

max time kernel
188s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2022 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Revised Enquiry.exe
Size

793KB
MD5

9a8aed85e68f62b931e430cdf467d84a
SHA1

9928c00afdb391518123911181af30bf054cf56c
SHA256

430af6efaf235407de033571f6b459e9f3af6d9ea67a0febe1829c86af5dceb0
SHA512

8f643eaa2455f3fbca39869888987ad3e21b974073978d9eb82d93bf4c49726d4acb579280de90fcf3a3d215dfeba1cd494f76447b563b17e6959b233d51539f
SSDEEP

12288:VV2cbnbazcd5JluSVVvkYhrN+k3t+kXPqTdTB2O4rwSMpxwhxStY5:V4cnOcd53uSVVJRsk3QWq5oOqLM2xS+5

Score

10^/10

modiloader trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=1VYeqnIRBP80Vu3udEWt23pq_2mnbwUeG

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5112-132-0x00000000022D0000-0x00000000022FC000-memory.dmp	modiloader_stage2

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4876 powershell.exe
4876 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4876 powershell.exe

pid	process
4876	powershell.exe
4876	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4876	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Revised Enquiry.execmd.exe

description	pid	process	target process
PID 5112 wrote to memory of 2104	5112	Revised Enquiry.exe	cmd.exe
PID 5112 wrote to memory of 2104	5112	Revised Enquiry.exe	cmd.exe
PID 5112 wrote to memory of 2104	5112	Revised Enquiry.exe	cmd.exe
PID 2104 wrote to memory of 4876	2104	cmd.exe	powershell.exe
PID 2104 wrote to memory of 4876	2104	cmd.exe	powershell.exe
PID 2104 wrote to memory of 4876	2104	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Revised Enquiry.exe
"C:\Users\Admin\AppData\Local\Temp\Revised Enquiry.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\png.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -FILE C:\Users\Public\Libraries\png.ps1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5112 -ip 5112
1⤵
PID:2984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\png.bat
Filesize
100B

MD5
c385a71887d828b1df961942e68ecfe8

SHA1
3f539a56267af3db91be9ac9ea2fd5d803a53279

SHA256
bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3

SHA512
83d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848

Download Submit
C:\Users\Public\Libraries\png.ps1
Filesize
213B

MD5
182aa3627ab898f7022c5b9a40733e3d

SHA1
9cd0b3ae83ec53e1ed9fbd41ebd33dc7ddc8b613

SHA256
dd6497297dd7101ad08cda68b64e342d088d174b54e7f562d2bb0df0f010318a

SHA512
020db17bd62235bc6765d33ecace7559c4fb7df9c89ddc2245a381dd70414448472652522c45a5bc03fc0d8588cf69ce4bc10bfee6c9d67fc959cfdd78d8aedb

Download Submit
memory/2104-134-0x0000000000000000-mapping.dmp

Download
memory/4876-139-0x0000000004E30000-0x0000000004E52000-memory.dmp

Filesize
136KB

Download
memory/4876-137-0x0000000004800000-0x0000000004836000-memory.dmp

Filesize
216KB

Download
memory/4876-138-0x0000000004ED0000-0x00000000054F8000-memory.dmp

Filesize
6.2MB

Download
memory/4876-140-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/4876-141-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/4876-142-0x0000000004B20000-0x0000000004B3E000-memory.dmp

Filesize
120KB

Download
memory/4876-136-0x0000000000000000-mapping.dmp

Download
memory/4876-144-0x0000000007700000-0x0000000007D7A000-memory.dmp

Filesize
6.5MB

Download
memory/4876-145-0x0000000006240000-0x000000000625A000-memory.dmp

Filesize
104KB

Download
memory/5112-132-0x00000000022D0000-0x00000000022FC000-memory.dmp

Filesize
176KB

Download