modiloader | 8f01c9abb0d4ccb6a1791ce880262f4cd205e0a3ee3c7a5ca9cc92694c1e179d

Analysis

max time kernel
32s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

java.exe
Size

380KB
MD5

1ab27b63c1a49193f4b2f1f9554ca91b
SHA1

a746201024f0cd21e1d10f4d435510e3f4de33d2
SHA256

a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237
SHA512

03d41630e4d4cae5058ad3e9080e53e1657c1f1bae2503410551656cbc1e575b06f8828189ead40e1f96eb7a85bb5e292f2ebea952cc362a7ef6c61d7c2a9af5
SSDEEP

6144:Hk8u7jp9fQ6u+JUuWj2bL30ct3PUgXjgc/kS8vyiYESWT5kLo8Xb0FAFnQslaHu3:UplTUJ2bLkct3s1c/kS8vyiYMT5kLoWt

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/360-57-0x0000000000400000-0x0000000000482000-memory.dmp	modiloader_stage2
behavioral1/memory/548-64-0x0000000000400000-0x0000000000482000-memory.dmp	modiloader_stage2
behavioral1/memory/548-69-0x0000000000400000-0x0000000000482000-memory.dmp	modiloader_stage2
behavioral1/memory/1680-75-0x0000000000400000-0x0000000000482000-memory.dmp	modiloader_stage2
behavioral1/memory/1664-82-0x0000000000400000-0x0000000000482000-memory.dmp	modiloader_stage2
behavioral1/memory/1920-89-0x0000000000400000-0x0000000000482000-memory.dmp	modiloader_stage2
behavioral1/memory/1484-96-0x0000000000400000-0x0000000000482000-memory.dmp	modiloader_stage2
behavioral1/memory/1020-104-0x0000000000400000-0x0000000000482000-memory.dmp	modiloader_stage2
behavioral1/memory/1092-110-0x0000000000400000-0x0000000000482000-memory.dmp	modiloader_stage2

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1344 1092 WerFault.exe java.exe

pid	pid_target	process	target process
1344	1092	WerFault.exe	java.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

java.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exe

description	pid	process	target process
PID 360 wrote to memory of 548	360	java.exe	java.exe
PID 360 wrote to memory of 548	360	java.exe	java.exe
PID 360 wrote to memory of 548	360	java.exe	java.exe
PID 360 wrote to memory of 548	360	java.exe	java.exe
PID 360 wrote to memory of 548	360	java.exe	java.exe
PID 360 wrote to memory of 548	360	java.exe	java.exe
PID 360 wrote to memory of 548	360	java.exe	java.exe
PID 548 wrote to memory of 1680	548	java.exe	java.exe
PID 548 wrote to memory of 1680	548	java.exe	java.exe
PID 548 wrote to memory of 1680	548	java.exe	java.exe
PID 548 wrote to memory of 1680	548	java.exe	java.exe
PID 548 wrote to memory of 1680	548	java.exe	java.exe
PID 548 wrote to memory of 1680	548	java.exe	java.exe
PID 548 wrote to memory of 1680	548	java.exe	java.exe
PID 1680 wrote to memory of 1664	1680	java.exe	java.exe
PID 1680 wrote to memory of 1664	1680	java.exe	java.exe
PID 1680 wrote to memory of 1664	1680	java.exe	java.exe
PID 1680 wrote to memory of 1664	1680	java.exe	java.exe
PID 1680 wrote to memory of 1664	1680	java.exe	java.exe
PID 1680 wrote to memory of 1664	1680	java.exe	java.exe
PID 1680 wrote to memory of 1664	1680	java.exe	java.exe
PID 1664 wrote to memory of 1920	1664	java.exe	java.exe
PID 1664 wrote to memory of 1920	1664	java.exe	java.exe
PID 1664 wrote to memory of 1920	1664	java.exe	java.exe
PID 1664 wrote to memory of 1920	1664	java.exe	java.exe
PID 1664 wrote to memory of 1920	1664	java.exe	java.exe
PID 1664 wrote to memory of 1920	1664	java.exe	java.exe
PID 1664 wrote to memory of 1920	1664	java.exe	java.exe
PID 1920 wrote to memory of 1484	1920	java.exe	java.exe
PID 1920 wrote to memory of 1484	1920	java.exe	java.exe
PID 1920 wrote to memory of 1484	1920	java.exe	java.exe
PID 1920 wrote to memory of 1484	1920	java.exe	java.exe
PID 1920 wrote to memory of 1484	1920	java.exe	java.exe
PID 1920 wrote to memory of 1484	1920	java.exe	java.exe
PID 1920 wrote to memory of 1484	1920	java.exe	java.exe
PID 1484 wrote to memory of 1020	1484	java.exe	java.exe
PID 1484 wrote to memory of 1020	1484	java.exe	java.exe
PID 1484 wrote to memory of 1020	1484	java.exe	java.exe
PID 1484 wrote to memory of 1020	1484	java.exe	java.exe
PID 1484 wrote to memory of 1020	1484	java.exe	java.exe
PID 1484 wrote to memory of 1020	1484	java.exe	java.exe
PID 1484 wrote to memory of 1020	1484	java.exe	java.exe
PID 1020 wrote to memory of 1092	1020	java.exe	java.exe
PID 1020 wrote to memory of 1092	1020	java.exe	java.exe
PID 1020 wrote to memory of 1092	1020	java.exe	java.exe
PID 1020 wrote to memory of 1092	1020	java.exe	java.exe
PID 1020 wrote to memory of 1092	1020	java.exe	java.exe
PID 1020 wrote to memory of 1092	1020	java.exe	java.exe
PID 1020 wrote to memory of 1092	1020	java.exe	java.exe
PID 1092 wrote to memory of 1344	1092	java.exe	WerFault.exe
PID 1092 wrote to memory of 1344	1092	java.exe	WerFault.exe
PID 1092 wrote to memory of 1344	1092	java.exe	WerFault.exe
PID 1092 wrote to memory of 1344	1092	java.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\java.exe
"C:\Users\Admin\AppData\Local\Temp\java.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Users\Admin\AppData\Local\Temp\java.exe
"C:\Users\Admin\AppData\Local\Temp\java.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Local\Temp\java.exe
"C:\Users\Admin\AppData\Local\Temp\java.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\java.exe
"C:\Users\Admin\AppData\Local\Temp\java.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\java.exe
"C:\Users\Admin\AppData\Local\Temp\java.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\java.exe
"C:\Users\Admin\AppData\Local\Temp\java.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\java.exe
"C:\Users\Admin\AppData\Local\Temp\java.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Users\Admin\AppData\Local\Temp\java.exe
"C:\Users\Admin\AppData\Local\Temp\java.exe"
8⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 608
9⤵
- Program crash
PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSJavx86.exe

Filesize
408KB

MD5
9e180ca72b208490d6c96ef2f022cd0b

SHA1
b825a029383ca68cd51cf7dc2ee9418ad3a05bb9

SHA256
676fab8ec046888f98e8b61bec9ac10fe561f7d3004af1a60692396f80fe98f7

SHA512
3cded93e2062dbf141225a90cf49d75b5c4c89862ed3809b4ace2ffaa63811993c44d9aa10e44120f41595c32aecf8c3dde586c0c1721299cc6b115f4ee9dd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSJavx86.exe

Filesize
408KB

MD5
9e180ca72b208490d6c96ef2f022cd0b

SHA1
b825a029383ca68cd51cf7dc2ee9418ad3a05bb9

SHA256
676fab8ec046888f98e8b61bec9ac10fe561f7d3004af1a60692396f80fe98f7

SHA512
3cded93e2062dbf141225a90cf49d75b5c4c89862ed3809b4ace2ffaa63811993c44d9aa10e44120f41595c32aecf8c3dde586c0c1721299cc6b115f4ee9dd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSJavx86.exe

Filesize
408KB

MD5
9e180ca72b208490d6c96ef2f022cd0b

SHA1
b825a029383ca68cd51cf7dc2ee9418ad3a05bb9

SHA256
676fab8ec046888f98e8b61bec9ac10fe561f7d3004af1a60692396f80fe98f7

SHA512
3cded93e2062dbf141225a90cf49d75b5c4c89862ed3809b4ace2ffaa63811993c44d9aa10e44120f41595c32aecf8c3dde586c0c1721299cc6b115f4ee9dd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSJavx86.exe

Filesize
408KB

MD5
9e180ca72b208490d6c96ef2f022cd0b

SHA1
b825a029383ca68cd51cf7dc2ee9418ad3a05bb9

SHA256
676fab8ec046888f98e8b61bec9ac10fe561f7d3004af1a60692396f80fe98f7

SHA512
3cded93e2062dbf141225a90cf49d75b5c4c89862ed3809b4ace2ffaa63811993c44d9aa10e44120f41595c32aecf8c3dde586c0c1721299cc6b115f4ee9dd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSJavx86.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSJavx86.exe

Filesize
408KB

MD5
9e180ca72b208490d6c96ef2f022cd0b

SHA1
b825a029383ca68cd51cf7dc2ee9418ad3a05bb9

SHA256
676fab8ec046888f98e8b61bec9ac10fe561f7d3004af1a60692396f80fe98f7

SHA512
3cded93e2062dbf141225a90cf49d75b5c4c89862ed3809b4ace2ffaa63811993c44d9aa10e44120f41595c32aecf8c3dde586c0c1721299cc6b115f4ee9dd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSJavx86.exe

Filesize
408KB

MD5
9e180ca72b208490d6c96ef2f022cd0b

SHA1
b825a029383ca68cd51cf7dc2ee9418ad3a05bb9

SHA256
676fab8ec046888f98e8b61bec9ac10fe561f7d3004af1a60692396f80fe98f7

SHA512
3cded93e2062dbf141225a90cf49d75b5c4c89862ed3809b4ace2ffaa63811993c44d9aa10e44120f41595c32aecf8c3dde586c0c1721299cc6b115f4ee9dd24

Download Submit
memory/360-59-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/360-62-0x0000000001D61000-0x0000000001D65000-memory.dmp

Filesize
16KB

Download
memory/360-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/360-61-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/360-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/360-55-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/548-65-0x0000000000511000-0x0000000000515000-memory.dmp

Filesize
16KB

Download
memory/548-66-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/548-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/548-71-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/548-67-0x0000000001F41000-0x0000000001F45000-memory.dmp

Filesize
16KB

Download
memory/548-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/548-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/548-56-0x0000000000000000-mapping.dmp

Download
memory/1020-105-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/1020-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1020-98-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/1020-95-0x0000000000000000-mapping.dmp

Download
memory/1092-103-0x0000000000000000-mapping.dmp

Download
memory/1092-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1092-111-0x0000000000490000-0x00000000004C9000-memory.dmp

Filesize
228KB

Download
memory/1092-112-0x0000000001D31000-0x0000000001D35000-memory.dmp

Filesize
16KB

Download
memory/1344-109-0x0000000000000000-mapping.dmp

Download
memory/1484-99-0x0000000000330000-0x0000000000369000-memory.dmp

Filesize
228KB

Download
memory/1484-100-0x0000000001FF1000-0x0000000001FF5000-memory.dmp

Filesize
16KB

Download
memory/1484-113-0x0000000000330000-0x0000000000369000-memory.dmp

Filesize
228KB

Download
memory/1484-96-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1484-88-0x0000000000000000-mapping.dmp

Download
memory/1664-84-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/1664-86-0x0000000000581000-0x0000000000585000-memory.dmp

Filesize
16KB

Download
memory/1664-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1664-74-0x0000000000000000-mapping.dmp

Download
memory/1680-79-0x0000000000490000-0x00000000004C9000-memory.dmp

Filesize
228KB

Download
memory/1680-77-0x0000000001D81000-0x0000000001D85000-memory.dmp

Filesize
16KB

Download
memory/1680-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1680-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1680-68-0x0000000000000000-mapping.dmp

Download
memory/1920-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1920-81-0x0000000000000000-mapping.dmp

Download
memory/1920-91-0x00000000002A0000-0x00000000002D9000-memory.dmp

Filesize
228KB

Download
memory/1920-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1920-93-0x0000000000551000-0x0000000000555000-memory.dmp

Filesize
16KB

Download