modiloader | 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773

Analysis

max time kernel
181s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe
Size

976KB
MD5

72d3cb6dec38a72bb9996cf50f9ca152
SHA1

fc0094507beca86633a2ff012a91d9e54a058c0d
SHA256

4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773
SHA512

b3f1e45494120de1b50b7497f5ffa9f3ec105fdc3928d6951f8194a5c427d980d03c062d75f068714eb7540715e85aebf33211dafc9b6bdfaa8ac2207ee9214a
SSDEEP

12288:Rt1rtR29DwSwNy6ZgFwg0jPacng2WnAH+QIMYHCoDaMycZ+rfF8hWf:RnxhSwNy6eFGC+jv+QIPHtDocoJf

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4836-141-0x0000000002C40000-0x0000000002C89000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nikij = "C:\\Users\\Public\\Libraries\\jikiN.url"	4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1232 4836 WerFault.exe 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe

pid	pid_target	process	target process
1232	4836	WerFault.exe	4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe

pid	process
4836	4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe
4836	4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe

C:\Users\Admin\AppData\Local\Temp\4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe
"C:\Users\Admin\AppData\Local\Temp\4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1528
2⤵
- Program crash
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4836 -ip 4836
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4836-133-0x00000000029B0000-0x00000000029CA000-memory.dmp

Filesize
104KB

Download
memory/4836-141-0x0000000002C40000-0x0000000002C89000-memory.dmp

Filesize
292KB

Download
memory/4836-148-0x0000000004470000-0x00000000047BA000-memory.dmp

Filesize
3.3MB

Download