modiloader | c3cad19e8bc07f55ab393e01ebc0aec04d0ce3f646a0aa2b3b78ea0e12771f29

Analysis

max time kernel
153s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

server.exe
Size

174KB
MD5

f524b3f80cdf6522ee17536d51079f1e
SHA1

d1e908a0d08d143027c99b4992d083d37410e06a
SHA256

16d794e7f97da1a35744d11253f23f0fe60203ef2ed090c83f6e2b322c61bdae
SHA512

60908219fe4b40b98d25f950c1e850ff6a9e47d5823a2b6df777f20f3edd8281b013d30bd52a3801bff90ba4028d22404467ea46d1dac1ced4efacd5aea63ae0
SSDEEP

3072:25l5SHLfLpygi+pyByB5LnRlshG05ZjZZ4vbABAGcdYRGuD2CsW:klSpy/aiyB5L0hj5i5uDpB

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/3392-140-0x0000000010410000-0x000000001046D000-memory.dmp	modiloader_stage2
behavioral2/memory/3392-141-0x0000000010410000-0x000000001046D000-memory.dmp	modiloader_stage2
behavioral2/memory/3392-142-0x0000000010410000-0x000000001046D000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
520	netservice.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/520-137-0x0000000010410000-0x000000001046D000-memory.dmp	upx
behavioral2/memory/3392-140-0x0000000010410000-0x000000001046D000-memory.dmp	upx
behavioral2/memory/3392-141-0x0000000010410000-0x000000001046D000-memory.dmp	upx
behavioral2/memory/3392-142-0x0000000010410000-0x000000001046D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3548	server.exe
3548	server.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	520	netservice.exe
Token: SeIncBasePriorityPrivilege	3392	svchost.exe
Token: SeIncBasePriorityPrivilege	3392	svchost.exe
Token: SeIncBasePriorityPrivilege	3392	svchost.exe
Token: SeIncBasePriorityPrivilege	3392	svchost.exe
Token: SeIncBasePriorityPrivilege	3392	svchost.exe
Token: SeIncBasePriorityPrivilege	3392	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 756	3548	server.exe	80
PID 3548 wrote to memory of 756	3548	server.exe	80
PID 3548 wrote to memory of 756	3548	server.exe	80
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82
PID 520 wrote to memory of 3392	520	netservice.exe	82

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  PID:756

C:\Users\Admin\Favorites\netservice.exe
C:\Users\Admin\Favorites\netservice.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Favorites\netservice.exe

Filesize
174KB

MD5
f524b3f80cdf6522ee17536d51079f1e

SHA1
d1e908a0d08d143027c99b4992d083d37410e06a

SHA256
16d794e7f97da1a35744d11253f23f0fe60203ef2ed090c83f6e2b322c61bdae

SHA512
60908219fe4b40b98d25f950c1e850ff6a9e47d5823a2b6df777f20f3edd8281b013d30bd52a3801bff90ba4028d22404467ea46d1dac1ced4efacd5aea63ae0

Download Submit
C:\Users\Admin\Favorites\netservice.exe

Filesize
174KB

MD5
f524b3f80cdf6522ee17536d51079f1e

SHA1
d1e908a0d08d143027c99b4992d083d37410e06a

SHA256
16d794e7f97da1a35744d11253f23f0fe60203ef2ed090c83f6e2b322c61bdae

SHA512
60908219fe4b40b98d25f950c1e850ff6a9e47d5823a2b6df777f20f3edd8281b013d30bd52a3801bff90ba4028d22404467ea46d1dac1ced4efacd5aea63ae0

Download Submit
memory/520-137-0x0000000010410000-0x000000001046D000-memory.dmp

Filesize
372KB

Download
memory/756-134-0x0000000000000000-mapping.dmp

Download
memory/3392-136-0x0000000000000000-mapping.dmp

Download
memory/3392-140-0x0000000010410000-0x000000001046D000-memory.dmp

Filesize
372KB

Download
memory/3392-141-0x0000000010410000-0x000000001046D000-memory.dmp

Filesize
372KB

Download
memory/3392-142-0x0000000010410000-0x000000001046D000-memory.dmp

Filesize
372KB

Download