modiloader | 23473106e8e2e1add3756ee0e4101095710b9663791f57e026e08f99218077ff

Analysis

max time kernel
57s
max time network
64s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:34

Target

SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe
Size

767KB
MD5

ceadb6ba9affc991bf727f0ea211a6bc
SHA1

6b01562026b36b93ea1fe13a13baa70114795da2
SHA256

23473106e8e2e1add3756ee0e4101095710b9663791f57e026e08f99218077ff
SHA512

c6ac1817afa04ae1d36516037525333f5cbab879f8f2cd460a05a96e3211346a164c195bf2d674ea940c1038655241a3e73b6847fbb17c6d4dec0f24e8d247eb
SSDEEP

12288:iOrAkZrlpZxc3NKqgw9ONuRJoo5YqTdTB2O4rwSMpxwhx2g:is3hp4c6/aq5oOqLM2xJ

Score

10^/10

modiloader trojan

Language

ps1

Deobfuscated

URLs

exe.dropper

https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21821&authkey=AM_sm-3HDCFDLks

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1672-55-0x00000000003D0000-0x00000000003FC000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

5 2028 powershell.exe
7 2028 powershell.exe
9 2028 powershell.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1144 1672 WerFault.exe SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2028 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2028 powershell.exe

pid	pid_target	process	target process
1144	1672	WerFault.exe	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe

pid	process
2028	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2028	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfo.com.Win32.Malware-gen.5701.3804.execmd.exe

description	pid	process	target process
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe	cmd.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe	cmd.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe	cmd.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe	cmd.exe
PID 960 wrote to memory of 2028	960	cmd.exe	powershell.exe
PID 960 wrote to memory of 2028	960	cmd.exe	powershell.exe
PID 960 wrote to memory of 2028	960	cmd.exe	powershell.exe
PID 960 wrote to memory of 2028	960	cmd.exe	powershell.exe
PID 1672 wrote to memory of 1144	1672	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe	WerFault.exe
PID 1672 wrote to memory of 1144	1672	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe	WerFault.exe
PID 1672 wrote to memory of 1144	1672	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe	WerFault.exe
PID 1672 wrote to memory of 1144	1672	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Libraries\png.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 604
2⤵
- Program crash
PID:1144

C:\Users\Public\Libraries\png.bat

Filesize
100B

MD5
c385a71887d828b1df961942e68ecfe8

SHA1
3f539a56267af3db91be9ac9ea2fd5d803a53279

SHA256
bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3

SHA512
83d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848

Download Submit
C:\Users\Public\Libraries\png.ps1

Filesize
241B

MD5
83552af8bb844fb94f5a060812a60916

SHA1
bc4531b44bf18bcb350dbb77d0d336f76003b857

SHA256
b026b30bab4811744016b5ff6741e7e93a69b20732f43ef1d5dcf9a78a0722f9

SHA512
f0ef2c3553b5ffa1de203905527197408ca1c764772ae405895ff8b28efbd06f0bea1e42d61a9924016fe4a3044494c4e5521a6b90693a98562a5cbb2d3ead68

Download Submit
memory/960-57-0x0000000000000000-mapping.dmp

Download
memory/1144-64-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/2028-59-0x0000000000000000-mapping.dmp

Download
memory/2028-61-0x00000000731C0000-0x000000007376B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-63-0x00000000731C0000-0x000000007376B000-memory.dmp

Filesize
5.7MB

Download