modiloader | cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 17:41

Target

cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe
Size

192KB
MD5

2166e25a47e8a857d11aea01ed76165c
SHA1

059d286c7abcc67770f9193216c4824820515ecb
SHA256

cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c
SHA512

3865355cd565e09ef5a24fa16f7779e6b72e7ecd707e4762ac1538866999ab9f7cbb2c438c30c0884297dc08e4217d46da472aa2c5458512d006a9b4aa5151ae
SSDEEP

3072:cLCnfuc1nOOS2oKISOm7cn+egnbexRewFqj6YljhajIrD:cOnO6Os7cn+PqXe1ljkjW

Score

10^/10

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2012-55-0x0000000000010000-0x0000000000041000-memory.dmp	modiloader_stage2
behavioral1/memory/2012-57-0x0000000000010000-0x0000000000041000-memory.dmp	modiloader_stage2
behavioral1/memory/1148-59-0x0000000000010000-0x0000000000041000-memory.dmp	modiloader_stage2

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/2012-55-0x0000000000010000-0x0000000000041000-memory.dmp	upx
behavioral1/memory/2012-57-0x0000000000010000-0x0000000000041000-memory.dmp	upx
behavioral1/memory/1148-59-0x0000000000010000-0x0000000000041000-memory.dmp	upx

Suspicious behavior: RenamesItself 2 IoCs

Processes:

cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exeapocalyps32.exe

pid process

2012 cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe
1148 apocalyps32.exe

pid	process
2012	cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe
1148	apocalyps32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exeapocalyps32.exe

description	pid	process	target process
PID 2012 wrote to memory of 1148	2012	cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe	apocalyps32.exe
PID 2012 wrote to memory of 1148	2012	cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe	apocalyps32.exe
PID 2012 wrote to memory of 1148	2012	cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe	apocalyps32.exe
PID 2012 wrote to memory of 1148	2012	cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe	apocalyps32.exe
PID 1148 wrote to memory of 2000	1148	apocalyps32.exe	iexplore.exe
PID 1148 wrote to memory of 2000	1148	apocalyps32.exe	iexplore.exe
PID 1148 wrote to memory of 2000	1148	apocalyps32.exe	iexplore.exe
PID 1148 wrote to memory of 2000	1148	apocalyps32.exe	iexplore.exe

memory/1148-56-0x0000000000000000-mapping.dmp

Download
memory/1148-59-0x0000000000010000-0x0000000000041000-memory.dmp

Filesize
196KB

Download
memory/2012-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/2012-55-0x0000000000010000-0x0000000000041000-memory.dmp

Filesize
196KB

Download
memory/2012-57-0x0000000000010000-0x0000000000041000-memory.dmp

Filesize
196KB

Download