modiloader | 9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526.exe
Size

121KB
MD5

dbe59c36347ef1e20daa4792db8854bc
SHA1

54d408f1e51c5aee2a8abc807125d285f896a951
SHA256

9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526
SHA512

72c2f4346c56a0042d98edcd709ea001ad5c9c770e3a6b4a4e27e26f36517f64ced738ca9a45b3aa4195dc30207f9ae494b6e4981dbffd55e8b8a8e95da8a80f
SSDEEP

3072:13quxI9jBPsJDPC8vvlKSxT5nDamTrJBZGYrodJzpHFj2OjrA0:tSjBkD3vljx9DamvJBQAoZB2480

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1408-55-0x0000000000010000-0x0000000000040000-memory.dmp	modiloader_stage2
behavioral1/memory/1408-58-0x0000000000010000-0x0000000000040000-memory.dmp	modiloader_stage2
behavioral1/memory/1380-61-0x0000000000010000-0x0000000000040000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

apocalyps32.exe

pid process

1380 apocalyps32.exe

pid	process
1380	apocalyps32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1408-55-0x0000000000010000-0x0000000000040000-memory.dmp	upx
behavioral1/memory/1408-58-0x0000000000010000-0x0000000000040000-memory.dmp	upx
C:\Windows\apocalyps32.exe	upx
C:\Windows\apocalyps32.exe	upx
behavioral1/memory/1380-61-0x0000000000010000-0x0000000000040000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

Processes:

9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526.exeapocalyps32.exe

description	ioc	process
File created	C:\Windows\apocalyps32.exe	9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526.exe
File opened for modification	C:\Windows\apocalyps32.exe	9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526.exe
File created	C:\Windows\apocalyps32.exe	apocalyps32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526.exeapocalyps32.exe

description	pid	process	target process
PID 1408 wrote to memory of 1380	1408	9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526.exe	apocalyps32.exe
PID 1408 wrote to memory of 1380	1408	9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526.exe	apocalyps32.exe
PID 1408 wrote to memory of 1380	1408	9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526.exe	apocalyps32.exe
PID 1408 wrote to memory of 1380	1408	9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526.exe	apocalyps32.exe
PID 1380 wrote to memory of 1944	1380	apocalyps32.exe	iexplore.exe
PID 1380 wrote to memory of 1944	1380	apocalyps32.exe	iexplore.exe
PID 1380 wrote to memory of 1944	1380	apocalyps32.exe	iexplore.exe
PID 1380 wrote to memory of 1944	1380	apocalyps32.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526.exe
"C:\Users\Admin\AppData\Local\Temp\9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\apocalyps32.exe
-bs
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1380

C:\Program Files\Internet Explorer\iexplore.exe
-bs
3⤵
PID:1944

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apocalyps32.exe
Filesize
121KB

MD5
dbe59c36347ef1e20daa4792db8854bc

SHA1
54d408f1e51c5aee2a8abc807125d285f896a951

SHA256
9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526

SHA512
72c2f4346c56a0042d98edcd709ea001ad5c9c770e3a6b4a4e27e26f36517f64ced738ca9a45b3aa4195dc30207f9ae494b6e4981dbffd55e8b8a8e95da8a80f

Download Submit
C:\Windows\apocalyps32.exe
Filesize
121KB

MD5
dbe59c36347ef1e20daa4792db8854bc

SHA1
54d408f1e51c5aee2a8abc807125d285f896a951

SHA256
9a846ec5a1870ab0d0f86606cbc9368c0b3b716464ae47162f382fea156fd526

SHA512
72c2f4346c56a0042d98edcd709ea001ad5c9c770e3a6b4a4e27e26f36517f64ced738ca9a45b3aa4195dc30207f9ae494b6e4981dbffd55e8b8a8e95da8a80f

Download Submit
memory/1380-56-0x0000000000000000-mapping.dmp

Download
memory/1380-61-0x0000000000010000-0x0000000000040000-memory.dmp

Filesize
192KB

Download
memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1408-55-0x0000000000010000-0x0000000000040000-memory.dmp

Filesize
192KB

Download
memory/1408-58-0x0000000000010000-0x0000000000040000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads