modiloader | 8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6

General

Target

8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
Size

203KB
MD5

d406f8e4f555b2ffe68f66aa2162c6a7
SHA1

c7e96ae10742d849fa2c3d79cce3f8f3bf4a30d1
SHA256

8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6
SHA512

4233b71a60237c699ae2d1a6c53ceb9267878c2594853933f10dcdc316dc95e22d44ee5fcd4c0577298ab68cfb3047a00fc8d246e116900cd4e554db272f7c50
SSDEEP

6144:k3nkFBFh2HhmbpKJfptLtKo7P3CEGP7ALD0X:k3kFBFecKhptAQoP74D0

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\msnnmaneger.exe	modiloader_stage2
C:\Windows\SysWOW64\msnnmaneger.exe	modiloader_stage2
C:\Windows\SysWOW64\msnnmaneger.exe	modiloader_stage2
C:\Windows\SysWOW64\msnnmaneger.exe	modiloader_stage2
C:\Windows\SysWOW64\msnnmaneger.exe	modiloader_stage2

Executes dropped EXE 4 IoCs

Processes:

msnnmaneger.exemsnnmaneger.exemsnnmaneger.exemsnnmaneger.exe

pid process

4968 msnnmaneger.exe
4760 msnnmaneger.exe
4724 msnnmaneger.exe
1732 msnnmaneger.exe

pid	process
4968	msnnmaneger.exe
4760	msnnmaneger.exe
4724	msnnmaneger.exe
1732	msnnmaneger.exe

Drops file in System32 directory 4 IoCs

Processes:

8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exemsnnmaneger.exemsnnmaneger.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msnnmaneger.exe	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
File opened for modification	C:\Windows\SysWOW64\msnnmaneger.exe	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
File created	C:\Windows\SysWOW64\msnnmaneger.exe	msnnmaneger.exe
File created	C:\Windows\SysWOW64\msnnmaneger.exe	msnnmaneger.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exemsnnmaneger.exemsnnmaneger.exe

description	pid	process	target process
PID 1224 set thread context of 4340	1224	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
PID 4968 set thread context of 4760	4968	msnnmaneger.exe	msnnmaneger.exe
PID 4724 set thread context of 1732	4724	msnnmaneger.exe	msnnmaneger.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exemsnnmaneger.exemsnnmaneger.exe

pid	process
4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
4760	msnnmaneger.exe
4760	msnnmaneger.exe
4760	msnnmaneger.exe
4760	msnnmaneger.exe
4760	msnnmaneger.exe
4760	msnnmaneger.exe
4760	msnnmaneger.exe
4760	msnnmaneger.exe
4760	msnnmaneger.exe
4760	msnnmaneger.exe
4760	msnnmaneger.exe
4760	msnnmaneger.exe
1732	msnnmaneger.exe
1732	msnnmaneger.exe
1732	msnnmaneger.exe
1732	msnnmaneger.exe
1732	msnnmaneger.exe
1732	msnnmaneger.exe
1732	msnnmaneger.exe
1732	msnnmaneger.exe
1732	msnnmaneger.exe
1732	msnnmaneger.exe
1732	msnnmaneger.exe
1732	msnnmaneger.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exemsnnmaneger.exemsnnmaneger.exemsnnmaneger.exe

description	pid	process	target process
PID 1224 wrote to memory of 4340	1224	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
PID 1224 wrote to memory of 4340	1224	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
PID 1224 wrote to memory of 4340	1224	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
PID 1224 wrote to memory of 4340	1224	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
PID 1224 wrote to memory of 4340	1224	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
PID 4340 wrote to memory of 4968	4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe	msnnmaneger.exe
PID 4340 wrote to memory of 4968	4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe	msnnmaneger.exe
PID 4340 wrote to memory of 4968	4340	8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe	msnnmaneger.exe
PID 4968 wrote to memory of 4760	4968	msnnmaneger.exe	msnnmaneger.exe
PID 4968 wrote to memory of 4760	4968	msnnmaneger.exe	msnnmaneger.exe
PID 4968 wrote to memory of 4760	4968	msnnmaneger.exe	msnnmaneger.exe
PID 4968 wrote to memory of 4760	4968	msnnmaneger.exe	msnnmaneger.exe
PID 4968 wrote to memory of 4760	4968	msnnmaneger.exe	msnnmaneger.exe
PID 4760 wrote to memory of 4724	4760	msnnmaneger.exe	msnnmaneger.exe
PID 4760 wrote to memory of 4724	4760	msnnmaneger.exe	msnnmaneger.exe
PID 4760 wrote to memory of 4724	4760	msnnmaneger.exe	msnnmaneger.exe
PID 4724 wrote to memory of 1732	4724	msnnmaneger.exe	msnnmaneger.exe
PID 4724 wrote to memory of 1732	4724	msnnmaneger.exe	msnnmaneger.exe
PID 4724 wrote to memory of 1732	4724	msnnmaneger.exe	msnnmaneger.exe
PID 4724 wrote to memory of 1732	4724	msnnmaneger.exe	msnnmaneger.exe
PID 4724 wrote to memory of 1732	4724	msnnmaneger.exe	msnnmaneger.exe

C:\Users\Admin\AppData\Local\Temp\8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
"C:\Users\Admin\AppData\Local\Temp\8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
  C:\Users\Admin\AppData\Local\Temp\8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\SysWOW64\msnnmaneger.exe
    C:\Windows\system32\msnnmaneger.exe -bai C:\Users\Admin\AppData\Local\Temp\8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\SysWOW64\msnnmaneger.exe
      C:\Windows\SysWOW64\msnnmaneger.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4760
    - - C:\Windows\SysWOW64\msnnmaneger.exe
        
        C:\Windows\system32\msnnmaneger.exe -bai C:\Windows\SysWOW64\msnnmaneger.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4724
      - C:\Windows\SysWOW64\msnnmaneger.exe
        
        C:\Windows\SysWOW64\msnnmaneger.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msnnmaneger.exe

Filesize
203KB

MD5
d406f8e4f555b2ffe68f66aa2162c6a7

SHA1
c7e96ae10742d849fa2c3d79cce3f8f3bf4a30d1

SHA256
8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6

SHA512
4233b71a60237c699ae2d1a6c53ceb9267878c2594853933f10dcdc316dc95e22d44ee5fcd4c0577298ab68cfb3047a00fc8d246e116900cd4e554db272f7c50

Download Submit
C:\Windows\SysWOW64\msnnmaneger.exe

Filesize
203KB

MD5
d406f8e4f555b2ffe68f66aa2162c6a7

SHA1
c7e96ae10742d849fa2c3d79cce3f8f3bf4a30d1

SHA256
8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6

SHA512
4233b71a60237c699ae2d1a6c53ceb9267878c2594853933f10dcdc316dc95e22d44ee5fcd4c0577298ab68cfb3047a00fc8d246e116900cd4e554db272f7c50

Download Submit
C:\Windows\SysWOW64\msnnmaneger.exe

Filesize
203KB

MD5
d406f8e4f555b2ffe68f66aa2162c6a7

SHA1
c7e96ae10742d849fa2c3d79cce3f8f3bf4a30d1

SHA256
8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6

SHA512
4233b71a60237c699ae2d1a6c53ceb9267878c2594853933f10dcdc316dc95e22d44ee5fcd4c0577298ab68cfb3047a00fc8d246e116900cd4e554db272f7c50

Download Submit
C:\Windows\SysWOW64\msnnmaneger.exe

Filesize
203KB

MD5
d406f8e4f555b2ffe68f66aa2162c6a7

SHA1
c7e96ae10742d849fa2c3d79cce3f8f3bf4a30d1

SHA256
8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6

SHA512
4233b71a60237c699ae2d1a6c53ceb9267878c2594853933f10dcdc316dc95e22d44ee5fcd4c0577298ab68cfb3047a00fc8d246e116900cd4e554db272f7c50

Download Submit
C:\Windows\SysWOW64\msnnmaneger.exe

Filesize
203KB

MD5
d406f8e4f555b2ffe68f66aa2162c6a7

SHA1
c7e96ae10742d849fa2c3d79cce3f8f3bf4a30d1

SHA256
8ac8a90abd6e9ecec360a5051ea2de42dfe2d7c0ae95638c16a5dd9dab7e7fe6

SHA512
4233b71a60237c699ae2d1a6c53ceb9267878c2594853933f10dcdc316dc95e22d44ee5fcd4c0577298ab68cfb3047a00fc8d246e116900cd4e554db272f7c50

Download Submit
memory/1732-152-0x0000000000000000-mapping.dmp

Download
memory/1732-158-0x0000000000400000-0x000000000103B000-memory.dmp

Filesize
12.2MB

Download
memory/1732-157-0x0000000000400000-0x000000000103B000-memory.dmp

Filesize
12.2MB

Download
memory/1732-156-0x0000000000400000-0x000000000103B000-memory.dmp

Filesize
12.2MB

Download
memory/4340-137-0x0000000000400000-0x000000000103B000-memory.dmp

Filesize
12.2MB

Download
memory/4340-136-0x0000000000400000-0x000000000103B000-memory.dmp

Filesize
12.2MB

Download
memory/4340-141-0x0000000000400000-0x000000000103B000-memory.dmp

Filesize
12.2MB

Download
memory/4340-135-0x0000000000400000-0x000000000103B000-memory.dmp

Filesize
12.2MB

Download
memory/4340-133-0x0000000000400000-0x000000000103B000-memory.dmp

Filesize
12.2MB

Download
memory/4340-132-0x0000000000000000-mapping.dmp

Download
memory/4724-149-0x0000000000000000-mapping.dmp

Download
memory/4760-147-0x0000000000400000-0x000000000103B000-memory.dmp

Filesize
12.2MB

Download
memory/4760-151-0x0000000000400000-0x000000000103B000-memory.dmp

Filesize
12.2MB

Download
memory/4760-148-0x0000000000400000-0x000000000103B000-memory.dmp

Filesize
12.2MB

Download
memory/4760-146-0x0000000000400000-0x000000000103B000-memory.dmp

Filesize
12.2MB

Download
memory/4760-142-0x0000000000000000-mapping.dmp

Download
memory/4968-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads