modiloader | 9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250

Analysis

max time kernel
9s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe
Size

631KB
MD5

3784baf66addb63f047c26c39b40a34e
SHA1

7d7bff16796dad8052bd62c1fda5b4869d2dd279
SHA256

9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250
SHA512

b2865afc1a370fcc98fddab60f7af13d7e64263a53da19460417ec84d59fa6a77212c74e6c67ffe9a14f7643a6a06251b8e302be0ed0157cb28c37c01de64930
SSDEEP

12288:IzT2da7QDms9cKcTUy/xQZZZHCE+gffVUlj0OtlLwu6oGjc4ysHJUB3WnG1x03L:ILs9NO7/xWZHjzfVUljrbwu6oQcaHJUq

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/1696-72-0x0000000000400000-0x00000000005BD000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
1696	updata.exe
316	dogread.exe
1260	hl-dump.exe

Loads dropped DLL 6 IoCs

pid	Process
952	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe
952	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe
952	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe
316	dogread.exe
316	dogread.exe
316	dogread.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\FieleWay.txt	updata.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	316	dogread.exe
Token: SeBackupPrivilege	316	dogread.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1696	952	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	28
PID 952 wrote to memory of 1696	952	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	28
PID 952 wrote to memory of 1696	952	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	28
PID 952 wrote to memory of 1696	952	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	28
PID 952 wrote to memory of 316	952	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	29
PID 952 wrote to memory of 316	952	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	29
PID 952 wrote to memory of 316	952	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	29
PID 952 wrote to memory of 316	952	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	29
PID 952 wrote to memory of 316	952	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	29
PID 952 wrote to memory of 316	952	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	29
PID 952 wrote to memory of 316	952	9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe	29
PID 1696 wrote to memory of 656	1696	updata.exe	30
PID 1696 wrote to memory of 656	1696	updata.exe	30
PID 1696 wrote to memory of 656	1696	updata.exe	30
PID 1696 wrote to memory of 656	1696	updata.exe	30
PID 1696 wrote to memory of 656	1696	updata.exe	30
PID 316 wrote to memory of 1392	316	dogread.exe	31
PID 316 wrote to memory of 1392	316	dogread.exe	31
PID 316 wrote to memory of 1392	316	dogread.exe	31
PID 316 wrote to memory of 1392	316	dogread.exe	31
PID 316 wrote to memory of 1392	316	dogread.exe	31
PID 316 wrote to memory of 1392	316	dogread.exe	31
PID 316 wrote to memory of 1392	316	dogread.exe	31
PID 1392 wrote to memory of 1260	1392	cmd.exe	33
PID 1392 wrote to memory of 1260	1392	cmd.exe	33
PID 1392 wrote to memory of 1260	1392	cmd.exe	33
PID 1392 wrote to memory of 1260	1392	cmd.exe	33
PID 1392 wrote to memory of 1260	1392	cmd.exe	33
PID 1392 wrote to memory of 1260	1392	cmd.exe	33
PID 1392 wrote to memory of 1260	1392	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe
"C:\Users\Admin\AppData\Local\Temp\9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\updata.exe
  "C:\Users\Admin\AppData\Local\Temp\updata.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe"
    3⤵
    PID:656
- C:\Users\Admin\AppData\Local\Temp\dogread.exe
  "C:\Users\Admin\AppData\Local\Temp\dogread.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\pmrt.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - \??\c:\hl-dump.exe
      HL-DUMP.EXE /DUMP 0x1A5
      4⤵
      Executes dropped EXE
      PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dogread.exe

Filesize
122KB

MD5
1d3cbd544ec48f18423c96c76da4c0af

SHA1
d123df62d3ca19540b0d4c0d133710f429b27f7c

SHA256
4c3d73aa67d2e03d342acf3576452a709a2487daef875b63e94fc405fbb59dbb

SHA512
0091d8ab7b9d7a171b15021d88038f0e3abf5fe256b33652fc292f33f84d788a454e5d1280fc84e9c5a71b665f18c2146aa3b363582b93ec6782b09a7392e3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dogread.exe

Filesize
122KB

MD5
1d3cbd544ec48f18423c96c76da4c0af

SHA1
d123df62d3ca19540b0d4c0d133710f429b27f7c

SHA256
4c3d73aa67d2e03d342acf3576452a709a2487daef875b63e94fc405fbb59dbb

SHA512
0091d8ab7b9d7a171b15021d88038f0e3abf5fe256b33652fc292f33f84d788a454e5d1280fc84e9c5a71b665f18c2146aa3b363582b93ec6782b09a7392e3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\updata.exe

Filesize
475KB

MD5
d09d5b5f770cbfef800e596854f3bc72

SHA1
07b47383ba6a29d67ecb9b32948e2915c0e8e5b9

SHA256
3a5fcdbddd2ac63717ff52bc9e278c18e7f25b0db85c8f846f90987c6a970feb

SHA512
761b31876a43e414616cea26742346356c262ac64f0ec51fb85c612017db17be33ce84e44e01687ac191c2c08274deb5523c5b0465c18605ba6e291f80346dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\updata.exe

Filesize
475KB

MD5
d09d5b5f770cbfef800e596854f3bc72

SHA1
07b47383ba6a29d67ecb9b32948e2915c0e8e5b9

SHA256
3a5fcdbddd2ac63717ff52bc9e278c18e7f25b0db85c8f846f90987c6a970feb

SHA512
761b31876a43e414616cea26742346356c262ac64f0ec51fb85c612017db17be33ce84e44e01687ac191c2c08274deb5523c5b0465c18605ba6e291f80346dcc

Download Submit
C:\hl-dump.exe

Filesize
48KB

MD5
2dfd1a748cef1517e800f7ae47468e5e

SHA1
c405de71e09a9bdb8227350c6d08f15cd57699a7

SHA256
edaefb1d0ec1fbe7398c25ea85e74c6f44f544184bb448328a5886ce2c8cb294

SHA512
0cb49fbe11717030015e74092a31fff8d791219789d27bdd559fe4d48ff0149abcf64fc487bae97169f4398a7c1a3156ca53cfb76240d66b5c75521dcd98bb39

Download Submit
C:\pmrt.bat

Filesize
27B

MD5
31ae2e45e85e14364ded10ba72d7b890

SHA1
22185e0a4efb576acd354214a6d5f20148df728a

SHA256
4d286da7d903b751bf2c1b8cb5ea27e41d3f4fadc28a18b02a24449e7b70f008

SHA512
86a75c0b7eec3f94f0a569c6d7e25a9c5ed0292c40acca85f866d9192cd2699c53b671cc4c36456be7f26ff78e865be1150545515aef6d4d4645ddc9eee60dc9

Download Submit
\??\c:\hl-dump.exe

Filesize
48KB

MD5
2dfd1a748cef1517e800f7ae47468e5e

SHA1
c405de71e09a9bdb8227350c6d08f15cd57699a7

SHA256
edaefb1d0ec1fbe7398c25ea85e74c6f44f544184bb448328a5886ce2c8cb294

SHA512
0cb49fbe11717030015e74092a31fff8d791219789d27bdd559fe4d48ff0149abcf64fc487bae97169f4398a7c1a3156ca53cfb76240d66b5c75521dcd98bb39

Download Submit
\Users\Admin\AppData\Local\Temp\dogread.exe

Filesize
122KB

MD5
1d3cbd544ec48f18423c96c76da4c0af

SHA1
d123df62d3ca19540b0d4c0d133710f429b27f7c

SHA256
4c3d73aa67d2e03d342acf3576452a709a2487daef875b63e94fc405fbb59dbb

SHA512
0091d8ab7b9d7a171b15021d88038f0e3abf5fe256b33652fc292f33f84d788a454e5d1280fc84e9c5a71b665f18c2146aa3b363582b93ec6782b09a7392e3eb

Download Submit
\Users\Admin\AppData\Local\Temp\dogread.exe

Filesize
122KB

MD5
1d3cbd544ec48f18423c96c76da4c0af

SHA1
d123df62d3ca19540b0d4c0d133710f429b27f7c

SHA256
4c3d73aa67d2e03d342acf3576452a709a2487daef875b63e94fc405fbb59dbb

SHA512
0091d8ab7b9d7a171b15021d88038f0e3abf5fe256b33652fc292f33f84d788a454e5d1280fc84e9c5a71b665f18c2146aa3b363582b93ec6782b09a7392e3eb

Download Submit
\Users\Admin\AppData\Local\Temp\dogread.exe

Filesize
122KB

MD5
1d3cbd544ec48f18423c96c76da4c0af

SHA1
d123df62d3ca19540b0d4c0d133710f429b27f7c

SHA256
4c3d73aa67d2e03d342acf3576452a709a2487daef875b63e94fc405fbb59dbb

SHA512
0091d8ab7b9d7a171b15021d88038f0e3abf5fe256b33652fc292f33f84d788a454e5d1280fc84e9c5a71b665f18c2146aa3b363582b93ec6782b09a7392e3eb

Download Submit
\Users\Admin\AppData\Local\Temp\dogread.exe

Filesize
122KB

MD5
1d3cbd544ec48f18423c96c76da4c0af

SHA1
d123df62d3ca19540b0d4c0d133710f429b27f7c

SHA256
4c3d73aa67d2e03d342acf3576452a709a2487daef875b63e94fc405fbb59dbb

SHA512
0091d8ab7b9d7a171b15021d88038f0e3abf5fe256b33652fc292f33f84d788a454e5d1280fc84e9c5a71b665f18c2146aa3b363582b93ec6782b09a7392e3eb

Download Submit
\Users\Admin\AppData\Local\Temp\updata.exe

Filesize
475KB

MD5
d09d5b5f770cbfef800e596854f3bc72

SHA1
07b47383ba6a29d67ecb9b32948e2915c0e8e5b9

SHA256
3a5fcdbddd2ac63717ff52bc9e278c18e7f25b0db85c8f846f90987c6a970feb

SHA512
761b31876a43e414616cea26742346356c262ac64f0ec51fb85c612017db17be33ce84e44e01687ac191c2c08274deb5523c5b0465c18605ba6e291f80346dcc

Download Submit
\Users\Admin\AppData\Local\Temp\updata.exe

Filesize
475KB

MD5
d09d5b5f770cbfef800e596854f3bc72

SHA1
07b47383ba6a29d67ecb9b32948e2915c0e8e5b9

SHA256
3a5fcdbddd2ac63717ff52bc9e278c18e7f25b0db85c8f846f90987c6a970feb

SHA512
761b31876a43e414616cea26742346356c262ac64f0ec51fb85c612017db17be33ce84e44e01687ac191c2c08274deb5523c5b0465c18605ba6e291f80346dcc

Download Submit
memory/656-70-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/952-63-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/952-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/1696-72-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download