modiloader | 1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d

Analysis

max time kernel
147s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe
Size

2.3MB
MD5

955ccd6df107b42537086c85a58e9eb4
SHA1

f2bce5d73b6445fe7d4e284fb68ba6195a6d78c3
SHA256

1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d
SHA512

5af3c1d57846f1c5e8cb0c6652bcbf179897e012f71794f5c0e6be8ca366a7b7881a036a86572e7a25f01b292c2c6dd64d086bdce9998183690dd75af8174f1d
SSDEEP

49152:zH67oc//////RTQ7CKmmFDmYVvURnhGMm5oH2+KulIjescZp71Pnxw/Z:zH67oc//////wmUK1pW3LWCB

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\enk8631.tmp	acprotect
\Users\Admin\AppData\Local\Temp\enk8631.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\enk8631.tmp	acprotect

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\server.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\server.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\server.exe	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

ÁÐ±íÉú³É.exeserver.exe

pid process

1680 ÁÐ±íÉú³É.exe
1900 server.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.execmd.exeÁÐ±íÉú³É.exeserver.exe

pid process

1016 cmd.exe
1516 cmd.exe
1516 cmd.exe
1680 ÁÐ±íÉú³É.exe
1900 server.exe
Drops file in Program Files directory 1 IoCs

Processes:

server.exe

description ioc process

File created C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\2010.txt server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ÁÐ±íÉú³É.exe

pid process

1680 ÁÐ±íÉú³É.exe

pid	process
1680	ÁÐ±íÉú³É.exe
1900	server.exe

pid	process
1016	cmd.exe
1516	cmd.exe
1516	cmd.exe
1680	ÁÐ±íÉú³É.exe
1900	server.exe

description	ioc	process
File created	C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\2010.txt	server.exe

pid	process
1680	ÁÐ±íÉú³É.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.execmd.execmd.exeserver.exe

description	pid	process	target process
PID 1508 wrote to memory of 1516	1508	1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe	cmd.exe
PID 1508 wrote to memory of 1516	1508	1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe	cmd.exe
PID 1508 wrote to memory of 1516	1508	1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe	cmd.exe
PID 1508 wrote to memory of 1516	1508	1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe	cmd.exe
PID 1508 wrote to memory of 1016	1508	1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe	cmd.exe
PID 1508 wrote to memory of 1016	1508	1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe	cmd.exe
PID 1508 wrote to memory of 1016	1508	1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe	cmd.exe
PID 1508 wrote to memory of 1016	1508	1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe	cmd.exe
PID 1516 wrote to memory of 1680	1516	cmd.exe	ÁÐ±íÉú³É.exe
PID 1516 wrote to memory of 1680	1516	cmd.exe	ÁÐ±íÉú³É.exe
PID 1516 wrote to memory of 1680	1516	cmd.exe	ÁÐ±íÉú³É.exe
PID 1516 wrote to memory of 1680	1516	cmd.exe	ÁÐ±íÉú³É.exe
PID 1016 wrote to memory of 1900	1016	cmd.exe	server.exe
PID 1016 wrote to memory of 1900	1016	cmd.exe	server.exe
PID 1016 wrote to memory of 1900	1016	cmd.exe	server.exe
PID 1016 wrote to memory of 1900	1016	cmd.exe	server.exe
PID 1900 wrote to memory of 972	1900	server.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 972	1900	server.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 972	1900	server.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 972	1900	server.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe
"C:\Users\Admin\AppData\Local\Temp\1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ÁÐ±íÉú³É.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\ÁÐ±íÉú³É.exe
C:\Users\Admin\AppData\Local\Temp\ÁÐ±íÉú³É.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\server.exe
C:\Users\Admin\AppData\Local\Temp\server.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1900

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
4⤵
PID:972

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\enk8631.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
678KB

MD5
6adb5a299c5a8fe28e433831ae3656d2

SHA1
2b29580575dd3006da304682d09176fa99b45e36

SHA256
192ce7a670ce06f3644755d3156a92d62a292f44d8c327c590e193ef33df17b1

SHA512
252588ccc4e1928806af5e42e2f204b661651d7ca64a44224640ee559fe0e6be60820abea62c580a2916ae06fc114429bc47cfa2a30917bb29c11507edd3d37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
678KB

MD5
6adb5a299c5a8fe28e433831ae3656d2

SHA1
2b29580575dd3006da304682d09176fa99b45e36

SHA256
192ce7a670ce06f3644755d3156a92d62a292f44d8c327c590e193ef33df17b1

SHA512
252588ccc4e1928806af5e42e2f204b661651d7ca64a44224640ee559fe0e6be60820abea62c580a2916ae06fc114429bc47cfa2a30917bb29c11507edd3d37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÁÐ±íÉú³É.exe
Filesize
1.3MB

MD5
8b8686b0102c444b5bdfa5a722edd236

SHA1
b7af6290a9d670519bccf04361dc44c58577f6c8

SHA256
347bb189e99f31409bac69ed5ca91d6e87059f15378b1fff46b459083dc65d03

SHA512
57a3d7bf93e18e4a3a60dda3b258f716a5d6c7a201a9b7a27eada63e44a2591397553a708b48a0956686929aed804557e3a1ef86877814d7f1e9501060531790

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÁÐ±íÉú³É.exe
Filesize
1.3MB

MD5
8b8686b0102c444b5bdfa5a722edd236

SHA1
b7af6290a9d670519bccf04361dc44c58577f6c8

SHA256
347bb189e99f31409bac69ed5ca91d6e87059f15378b1fff46b459083dc65d03

SHA512
57a3d7bf93e18e4a3a60dda3b258f716a5d6c7a201a9b7a27eada63e44a2591397553a708b48a0956686929aed804557e3a1ef86877814d7f1e9501060531790

Download Submit
\Users\Admin\AppData\Local\Temp\enk8631.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\enk8631.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
678KB

MD5
6adb5a299c5a8fe28e433831ae3656d2

SHA1
2b29580575dd3006da304682d09176fa99b45e36

SHA256
192ce7a670ce06f3644755d3156a92d62a292f44d8c327c590e193ef33df17b1

SHA512
252588ccc4e1928806af5e42e2f204b661651d7ca64a44224640ee559fe0e6be60820abea62c580a2916ae06fc114429bc47cfa2a30917bb29c11507edd3d37a

Download Submit
\Users\Admin\AppData\Local\Temp\ÁÐ±íÉú³É.exe
Filesize
1.3MB

MD5
8b8686b0102c444b5bdfa5a722edd236

SHA1
b7af6290a9d670519bccf04361dc44c58577f6c8

SHA256
347bb189e99f31409bac69ed5ca91d6e87059f15378b1fff46b459083dc65d03

SHA512
57a3d7bf93e18e4a3a60dda3b258f716a5d6c7a201a9b7a27eada63e44a2591397553a708b48a0956686929aed804557e3a1ef86877814d7f1e9501060531790

Download Submit
\Users\Admin\AppData\Local\Temp\ÁÐ±íÉú³É.exe
Filesize
1.3MB

MD5
8b8686b0102c444b5bdfa5a722edd236

SHA1
b7af6290a9d670519bccf04361dc44c58577f6c8

SHA256
347bb189e99f31409bac69ed5ca91d6e87059f15378b1fff46b459083dc65d03

SHA512
57a3d7bf93e18e4a3a60dda3b258f716a5d6c7a201a9b7a27eada63e44a2591397553a708b48a0956686929aed804557e3a1ef86877814d7f1e9501060531790

Download Submit
memory/1016-55-0x0000000000000000-mapping.dmp

Download
memory/1516-54-0x0000000000000000-mapping.dmp

Download
memory/1516-67-0x0000000002040000-0x0000000002166000-memory.dmp

Filesize
1.1MB

Download
memory/1680-63-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1680-68-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1680-61-0x0000000000000000-mapping.dmp

Download
memory/1680-73-0x0000000001D30000-0x0000000001DA3000-memory.dmp

Filesize
460KB

Download
memory/1680-74-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1680-75-0x0000000001D30000-0x0000000001DA3000-memory.dmp

Filesize
460KB

Download
memory/1900-64-0x0000000000000000-mapping.dmp

Download
memory/1900-72-0x0000000001C50000-0x0000000001CC3000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads