modiloader | 9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6

Analysis

max time kernel
32s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe
Size

1.1MB
MD5

b7fc6806a4f44f2331b580b3a9645737
SHA1

cde95457dc08da993bdaa2b8e0f16b17bf6bf674
SHA256

9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6
SHA512

a4714161a967b34cb19856e2e2f2bab35aeb3c8a127808b54da8317806f90ee73dbf5550b45bac73944ce7568ad477e805db3094c5e2317caae278f6eb7d440e
SSDEEP

24576:XsSBiTXqPTeQk3H7SD9jFBeb6QVYsyY2q7WokggYWTve2Tp:dgTXk/KbYFMruqKAgJreg

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1728-2367-0x0000000000010000-0x0000000000120000-memory.dmp	modiloader_stage2

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe

pid	process
1728	9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe
1728	9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe
1728	9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: RenamesItself 1 IoCs

Processes:

9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe

pid process

1728 9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe

description	pid	process	target process
PID 1728 wrote to memory of 1340	1728	9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe	NOTEPAD.EXE
PID 1728 wrote to memory of 1340	1728	9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe	NOTEPAD.EXE
PID 1728 wrote to memory of 1340	1728	9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe	NOTEPAD.EXE
PID 1728 wrote to memory of 1340	1728	9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe	NOTEPAD.EXE
PID 1728 wrote to memory of 2012	1728	9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe	apocalyps32.exe
PID 1728 wrote to memory of 2012	1728	9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe	apocalyps32.exe
PID 1728 wrote to memory of 2012	1728	9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe	apocalyps32.exe
PID 1728 wrote to memory of 2012	1728	9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe	apocalyps32.exe

C:\Users\Admin\AppData\Local\Temp\9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe
"C:\Users\Admin\AppData\Local\Temp\9285cc65aedea7e0666a512218961e23a463989e84d2cf2617ebcdee2e6c60b6.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\»õ ÅØ½ºÆ® ¹®¼.txt
2⤵
PID:1340

C:\Windows\apocalyps32.exe
-bs
2⤵
PID:2012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\»õ ÅØ½ºÆ® ¹®¼.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1340-2364-0x0000000000000000-mapping.dmp

Download
memory/1728-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1728-55-0x0000000001DE0000-0x0000000001F61000-memory.dmp

Filesize
1.5MB

Download
memory/1728-58-0x0000000075F10000-0x0000000075F57000-memory.dmp

Filesize
284KB

Download
memory/1728-57-0x00000000004CB000-0x0000000000513000-memory.dmp

Filesize
288KB

Download
memory/1728-60-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-59-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-62-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-61-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-63-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-65-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-64-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-66-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-67-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-68-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-69-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-71-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-70-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-72-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-74-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-73-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-78-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-77-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-76-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-75-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-80-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-79-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-81-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-82-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-83-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-84-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-86-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-85-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-89-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/1728-88-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-87-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-91-0x0000000077460000-0x00000000775E0000-memory.dmp

Filesize
1.5MB

Download
memory/1728-90-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-92-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-94-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-93-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-96-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-97-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-110-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-109-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-108-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-107-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-106-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-105-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-104-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-103-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-102-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-101-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-99-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-100-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-98-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-95-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-112-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-111-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-114-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-113-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-116-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-115-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-117-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-118-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-120-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-119-0x0000000000489000-0x00000000004CD000-memory.dmp

Filesize
272KB

Download
memory/1728-920-0x0000000001DE0000-0x0000000001F61000-memory.dmp

Filesize
1.5MB

Download
memory/1728-2367-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/1728-2369-0x0000000077460000-0x00000000775E0000-memory.dmp

Filesize
1.5MB

Download
memory/1728-2371-0x00000000004A1000-0x00000000004BE000-memory.dmp

Filesize
116KB

Download
memory/1728-2376-0x0000000001F70000-0x0000000002071000-memory.dmp

Filesize
1.0MB

Download
memory/1728-2374-0x00000000004CB000-0x0000000000513000-memory.dmp

Filesize
288KB

Download
memory/1728-2378-0x0000000000600000-0x00000000006A1000-memory.dmp

Filesize
644KB

Download
memory/2012-2365-0x0000000000000000-mapping.dmp

Download
memory/2012-2380-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/2012-2382-0x0000000077460000-0x00000000775E0000-memory.dmp

Filesize
1.5MB

Download
memory/2012-2385-0x0000000077460000-0x00000000775E0000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads