modiloader | 876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce

Analysis

max time kernel
124s
max time network
63s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce.exe
Size

375KB
MD5

7a8b3bdfbe2bb3201f9e149ec7822dd0
SHA1

ccdf7abc55f9765212c199e2325d1486c9cde1ec
SHA256

876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce
SHA512

8458681e344b893c55519dc38c434904e90c34b0cf590e9db102503bdf096dee0438e050d3e5288aa5b4238178951672889de5bdf64bcd4e8b90cb41f5231648
SSDEEP

6144:m4amIhuZn1rnw5xyPRV+6PdsjVwuJvUkZ9hboCOaJCoafCWiYXmJlt1kc/ql:Lnw5xy5VOvnfQ2d1kz

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
\??\c:\windows\SysWOW64\sys.dll	modiloader_stage2
\Windows\SysWOW64\sys.dll	modiloader_stage2
behavioral1/memory/1984-56-0x0000000000210000-0x0000000000268000-memory.dmp	modiloader_stage2

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netctrl\Parameters\ServiceDll = "C:\\Windows\\system32\\sys.dll"	876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

884 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

1984 svchost.exe

pid	process
884	cmd.exe

pid	process
1984	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sys.dll	876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce.exe
File opened for modification	C:\Windows\SysWOW64\sys.dll	876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce.exe

description	pid	process	target process
PID 1420 wrote to memory of 884	1420	876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce.exe	cmd.exe
PID 1420 wrote to memory of 884	1420	876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce.exe	cmd.exe
PID 1420 wrote to memory of 884	1420	876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce.exe	cmd.exe
PID 1420 wrote to memory of 884	1420	876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce.exe
"C:\Users\Admin\AppData\Local\Temp\876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\876dcce6707c545b8ddd4ff040139427dfac919389743eb6fc5a8ceb5436e8ce.exe"
2⤵
- Deletes itself
PID:884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k remoteservice
1⤵
- Loads dropped DLL
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\sys.dll
Filesize
323KB

MD5
6a991a6856bf0654759cdb8986c08750

SHA1
4399e31003d8f4e02eb00fc06cb21827a26e5185

SHA256
3c1ad8329856c79162f7dc9ec2f5692593a488e98583c0676797442525275da8

SHA512
45f1fe4ceb4cc88740bbba1ecc826cf2e8ad2f8eb2eac60d62d1eaa8025983568dd1cac2640dcd884a219b957a220838c5d60c87c657ed11984a8264dae7860b

Download Submit
\Windows\SysWOW64\sys.dll
Filesize
323KB

MD5
6a991a6856bf0654759cdb8986c08750

SHA1
4399e31003d8f4e02eb00fc06cb21827a26e5185

SHA256
3c1ad8329856c79162f7dc9ec2f5692593a488e98583c0676797442525275da8

SHA512
45f1fe4ceb4cc88740bbba1ecc826cf2e8ad2f8eb2eac60d62d1eaa8025983568dd1cac2640dcd884a219b957a220838c5d60c87c657ed11984a8264dae7860b

Download Submit
memory/884-58-0x0000000000000000-mapping.dmp

Download
memory/1984-56-0x0000000000210000-0x0000000000268000-memory.dmp

Filesize
352KB

Download
memory/1984-57-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download