modiloader | 85465b3e86e0e4a460fcf28729773f52de6777db71890ead00e4bee867a3e3ec

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swift Payment Copy .xla.exe
Size

793KB
MD5

1721e78ab207e52b366bf7a7723a656b
SHA1

d2cbaf931dc21807ae5f3ac477810f7f537d444e
SHA256

85465b3e86e0e4a460fcf28729773f52de6777db71890ead00e4bee867a3e3ec
SHA512

c03920bed87494876f7683ae7081c8977b90165e0645fe5b410dff13be305a61e60fef698972019a57074d7c9a2aa4ca0cf2089f66c323e70aaff73ee1a60510
SSDEEP

12288:VV2cbnbazcd5JluSVVvkYhrN+kZt+kXPqTdTB2O4rwSMpxwhxStY:V4cnOcd53uSVVJRskZQWq5oOqLM2xS+

Score

10^/10

modiloader trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21815&authkey=AO1B_84jlgMTl9c

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4528-132-0x00000000022B0000-0x00000000022DC000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

11 736 powershell.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1472 4528 WerFault.exe Swift Payment Copy .xla.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

736 powershell.exe
736 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 736 powershell.exe

flow	pid	process
11	736	powershell.exe

pid	pid_target	process	target process
1472	4528	WerFault.exe	Swift Payment Copy .xla.exe

pid	process
736	powershell.exe
736	powershell.exe

description	pid	process
Token: SeDebugPrivilege	736	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Swift Payment Copy .xla.execmd.exe

description	pid	process	target process
PID 4528 wrote to memory of 4904	4528	Swift Payment Copy .xla.exe	cmd.exe
PID 4528 wrote to memory of 4904	4528	Swift Payment Copy .xla.exe	cmd.exe
PID 4528 wrote to memory of 4904	4528	Swift Payment Copy .xla.exe	cmd.exe
PID 4904 wrote to memory of 736	4904	cmd.exe	powershell.exe
PID 4904 wrote to memory of 736	4904	cmd.exe	powershell.exe
PID 4904 wrote to memory of 736	4904	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Swift Payment Copy .xla.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Payment Copy .xla.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\png.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -FILE C:\Users\Public\Libraries\png.ps1
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1188
2⤵
- Program crash
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4528 -ip 4528
1⤵
PID:4176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\png.bat

Filesize
100B

MD5
c385a71887d828b1df961942e68ecfe8

SHA1
3f539a56267af3db91be9ac9ea2fd5d803a53279

SHA256
bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3

SHA512
83d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848

Download Submit
C:\Users\Public\Libraries\png.ps1

Filesize
241B

MD5
16347e9f1fab632cc9f3bda14900ac97

SHA1
9d7838e4d9693b0911028a1976d3179dfc17c583

SHA256
25cef2e7db529683a3725c54e4cf7a596c872a5e42519095ce2fe5730888e57e

SHA512
9bde664979109e99f7d9a3bc70783befd706a722f8e9b0e3f5da177e0d4c0746b15dd929d882439479817822edc1b384a645a3617585de8215bcdf90d9001f67

Download Submit
memory/736-139-0x0000000005A90000-0x0000000005AB2000-memory.dmp

Filesize
136KB

Download
memory/736-136-0x0000000000000000-mapping.dmp

Download
memory/736-137-0x0000000004D40000-0x0000000004D76000-memory.dmp

Filesize
216KB

Download
memory/736-138-0x0000000005460000-0x0000000005A88000-memory.dmp

Filesize
6.2MB

Download
memory/736-140-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/736-141-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/736-142-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/736-144-0x0000000007BE0000-0x000000000825A000-memory.dmp

Filesize
6.5MB

Download
memory/736-145-0x0000000006880000-0x000000000689A000-memory.dmp

Filesize
104KB

Download
memory/4528-132-0x00000000022B0000-0x00000000022DC000-memory.dmp

Filesize
176KB

Download
memory/4904-134-0x0000000000000000-mapping.dmp

Download