modiloader | 431137fad004fff56e9714fbe59f61f6ed0706f08198d8a759c478800d942aa0

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

431137fad004fff56e9714fbe59f61f6ed0706f08198d8a759c478800d942aa0.exe
Size

394KB
MD5

8b2f6f640f480986db7b2cd78e40db19
SHA1

f8208a39a8e9f20cc44a10c9a0a19e91feb71a88
SHA256

431137fad004fff56e9714fbe59f61f6ed0706f08198d8a759c478800d942aa0
SHA512

971db5a6c7ca94cbc720566db3c3290c42478535aecdaafa35c82a26c239a205f9e927bd36a959654e76d3307b2550ff2d3f69b41fe095ae5c833191b703c99e
SSDEEP

6144:toLb5nZUXEdvJIBsPdeUfdrTpIsjleEWzKz+K6LrOoiihuy5X6vlpJLe4zsrse:KtZxwocKJDlejIYRX6vl3CbZ

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022dfe-133.dat	modiloader_stage2
behavioral2/files/0x0002000000022dfe-134.dat	modiloader_stage2
behavioral2/memory/3084-135-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3084	0526.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	431137fad004fff56e9714fbe59f61f6ed0706f08198d8a759c478800d942aa0.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240571484	431137fad004fff56e9714fbe59f61f6ed0706f08198d8a759c478800d942aa0.exe
File created	C:\Windows\SysWOW64\0526.exe	431137fad004fff56e9714fbe59f61f6ed0706f08198d8a759c478800d942aa0.exe
File opened for modification	C:\Windows\SysWOW64\0526.exe	431137fad004fff56e9714fbe59f61f6ed0706f08198d8a759c478800d942aa0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4980	3084	WerFault.exe	80

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 3084	1048	431137fad004fff56e9714fbe59f61f6ed0706f08198d8a759c478800d942aa0.exe	80
PID 1048 wrote to memory of 3084	1048	431137fad004fff56e9714fbe59f61f6ed0706f08198d8a759c478800d942aa0.exe	80
PID 1048 wrote to memory of 3084	1048	431137fad004fff56e9714fbe59f61f6ed0706f08198d8a759c478800d942aa0.exe	80

C:\Users\Admin\AppData\Local\Temp\431137fad004fff56e9714fbe59f61f6ed0706f08198d8a759c478800d942aa0.exe
"C:\Users\Admin\AppData\Local\Temp\431137fad004fff56e9714fbe59f61f6ed0706f08198d8a759c478800d942aa0.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\0526.exe
  "C:\Windows\system32\0526.exe"
  2⤵
  - Executes dropped EXE
  PID:3084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 216
    3⤵
    - Program crash
    PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3084 -ip 3084
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\0526.exe

Filesize
692KB

MD5
aabf740eb9553a5b1731e734dd159d47

SHA1
c2afca0c12a74ce1f04033495289ecf37e5ca7f1

SHA256
f6b7a0518363b630cacf1ce038467722110ab13b3a43f438ecfa188b7e9ace00

SHA512
747c1780c8310c260995207f259250bb7cd30abcf11dfff6e5e46304156c08df06050a4ce898b4ac269e303719b5812dabdf8e693d9f11367c482300edfb33b9

Download Submit
C:\Windows\SysWOW64\0526.exe

Filesize
692KB

MD5
aabf740eb9553a5b1731e734dd159d47

SHA1
c2afca0c12a74ce1f04033495289ecf37e5ca7f1

SHA256
f6b7a0518363b630cacf1ce038467722110ab13b3a43f438ecfa188b7e9ace00

SHA512
747c1780c8310c260995207f259250bb7cd30abcf11dfff6e5e46304156c08df06050a4ce898b4ac269e303719b5812dabdf8e693d9f11367c482300edfb33b9

Download Submit
memory/3084-135-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download