modiloader | 23473106e8e2e1add3756ee0e4101095710b9663791f57e026e08f99218077ff

Analysis

max time kernel
146s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe
Size

767KB
MD5

ceadb6ba9affc991bf727f0ea211a6bc
SHA1

6b01562026b36b93ea1fe13a13baa70114795da2
SHA256

23473106e8e2e1add3756ee0e4101095710b9663791f57e026e08f99218077ff
SHA512

c6ac1817afa04ae1d36516037525333f5cbab879f8f2cd460a05a96e3211346a164c195bf2d674ea940c1038655241a3e73b6847fbb17c6d4dec0f24e8d247eb
SSDEEP

12288:iOrAkZrlpZxc3NKqgw9ONuRJoo5YqTdTB2O4rwSMpxwhx2g:is3hp4c6/aq5oOqLM2xJ

Score

10^/10

modiloader trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21821&authkey=AM_sm-3HDCFDLks

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5020-132-0x00000000029A0000-0x00000000029CC000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

24 1712 powershell.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1040 5020 WerFault.exe SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1712 powershell.exe
1712 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1712 powershell.exe

flow	pid	process
24	1712	powershell.exe

pid	pid_target	process	target process
1040	5020	WerFault.exe	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe

pid	process
1712	powershell.exe
1712	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1712	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SecuriteInfo.com.Win32.Malware-gen.5701.3804.execmd.exe

description	pid	process	target process
PID 5020 wrote to memory of 176	5020	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe	cmd.exe
PID 5020 wrote to memory of 176	5020	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe	cmd.exe
PID 5020 wrote to memory of 176	5020	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe	cmd.exe
PID 176 wrote to memory of 1712	176	cmd.exe	powershell.exe
PID 176 wrote to memory of 1712	176	cmd.exe	powershell.exe
PID 176 wrote to memory of 1712	176	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\png.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -FILE C:\Users\Public\Libraries\png.ps1
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1240
2⤵
- Program crash
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5020 -ip 5020
1⤵
PID:5096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\png.bat
Filesize
100B

MD5
c385a71887d828b1df961942e68ecfe8

SHA1
3f539a56267af3db91be9ac9ea2fd5d803a53279

SHA256
bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3

SHA512
83d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848

Download Submit
C:\Users\Public\Libraries\png.ps1
Filesize
241B

MD5
83552af8bb844fb94f5a060812a60916

SHA1
bc4531b44bf18bcb350dbb77d0d336f76003b857

SHA256
b026b30bab4811744016b5ff6741e7e93a69b20732f43ef1d5dcf9a78a0722f9

SHA512
f0ef2c3553b5ffa1de203905527197408ca1c764772ae405895ff8b28efbd06f0bea1e42d61a9924016fe4a3044494c4e5521a6b90693a98562a5cbb2d3ead68

Download Submit
memory/176-134-0x0000000000000000-mapping.dmp

Download
memory/1712-139-0x00000000051A0000-0x00000000051C2000-memory.dmp

Filesize
136KB

Download
memory/1712-137-0x0000000004B90000-0x0000000004BC6000-memory.dmp

Filesize
216KB

Download
memory/1712-138-0x0000000005260000-0x0000000005888000-memory.dmp

Filesize
6.2MB

Download
memory/1712-140-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/1712-141-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/1712-142-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/1712-136-0x0000000000000000-mapping.dmp

Download
memory/1712-144-0x00000000079A0000-0x000000000801A000-memory.dmp

Filesize
6.5MB

Download
memory/1712-145-0x00000000066E0000-0x00000000066FA000-memory.dmp

Filesize
104KB

Download
memory/5020-132-0x00000000029A0000-0x00000000029CC000-memory.dmp

Filesize
176KB

Download