modiloader | ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952

Analysis

max time kernel
117s
max time network
148s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe
Size

279KB
MD5

cf2c7e0747c70b8f273d7fb93beda952
SHA1

72d38ab7e7ba4fc8e43444a370a571843aea3a13
SHA256

ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952
SHA512

7031a8025dc76fcb6cccec013f9c92128c558c15d0861693a28677ba761612e25537ce1992a80b5caa3b7661a7a07edb235d2f8827aeb83d89128c731643cf41
SSDEEP

6144:dwRfjZtcx5/F6vcvpMq6FHhGGA/wyCXFdhA4X0K8/YYzL8P:u8b+q6usFjA4I/YYzL8P

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral1/memory/2008-55-0x0000000000400000-0x000000000050B000-memory.dmp	modiloader_stage2
behavioral1/memory/2008-56-0x0000000000400000-0x000000000050B000-memory.dmp	modiloader_stage2
behavioral1/memory/2008-57-0x0000000000400000-0x000000000050B000-memory.dmp	modiloader_stage2
behavioral1/memory/2008-66-0x0000000000400000-0x000000000050B000-memory.dmp	modiloader_stage2
behavioral1/memory/1040-67-0x0000000000400000-0x000000000050B000-memory.dmp	modiloader_stage2
behavioral1/memory/1040-72-0x0000000000400000-0x000000000050B000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1040	conime.exe

Deletes itself 1 IoCs

pid	Process
752	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2008	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe
2008	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_conime.exe	conime.exe
File opened for modification	C:\Windows\SysWOW64\_conime.exe	conime.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1040 set thread context of 1856	1040	conime.exe	36

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\conime.exe	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\conime.exe	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1040	2008	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe	28
PID 2008 wrote to memory of 1040	2008	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe	28
PID 2008 wrote to memory of 1040	2008	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe	28
PID 2008 wrote to memory of 1040	2008	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe	28
PID 2008 wrote to memory of 752	2008	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe	29
PID 2008 wrote to memory of 752	2008	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe	29
PID 2008 wrote to memory of 752	2008	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe	29
PID 2008 wrote to memory of 752	2008	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe	29
PID 1040 wrote to memory of 1500	1040	conime.exe	31
PID 1040 wrote to memory of 1500	1040	conime.exe	31
PID 1040 wrote to memory of 1500	1040	conime.exe	31
PID 1040 wrote to memory of 1500	1040	conime.exe	31
PID 1040 wrote to memory of 1500	1040	conime.exe	31
PID 1040 wrote to memory of 1500	1040	conime.exe	31
PID 1040 wrote to memory of 1844	1040	conime.exe	32
PID 1040 wrote to memory of 1844	1040	conime.exe	32
PID 1040 wrote to memory of 1844	1040	conime.exe	32
PID 1040 wrote to memory of 1844	1040	conime.exe	32
PID 1040 wrote to memory of 1844	1040	conime.exe	32
PID 1040 wrote to memory of 1844	1040	conime.exe	32
PID 1040 wrote to memory of 316	1040	conime.exe	35
PID 1040 wrote to memory of 316	1040	conime.exe	35
PID 1040 wrote to memory of 316	1040	conime.exe	35
PID 1040 wrote to memory of 316	1040	conime.exe	35
PID 1040 wrote to memory of 316	1040	conime.exe	35
PID 1040 wrote to memory of 316	1040	conime.exe	35
PID 1040 wrote to memory of 1856	1040	conime.exe	36
PID 1040 wrote to memory of 1856	1040	conime.exe	36
PID 1040 wrote to memory of 1856	1040	conime.exe	36
PID 1040 wrote to memory of 1856	1040	conime.exe	36
PID 1040 wrote to memory of 1856	1040	conime.exe	36
PID 1040 wrote to memory of 1856	1040	conime.exe	36
PID 1040 wrote to memory of 1316	1040	conime.exe	37
PID 1040 wrote to memory of 1316	1040	conime.exe	37
PID 1040 wrote to memory of 1316	1040	conime.exe	37
PID 1040 wrote to memory of 1316	1040	conime.exe	37
PID 1040 wrote to memory of 1316	1040	conime.exe	37
PID 1040 wrote to memory of 1316	1040	conime.exe	37
PID 1040 wrote to memory of 1564	1040	conime.exe	38
PID 1040 wrote to memory of 1564	1040	conime.exe	38
PID 1040 wrote to memory of 1564	1040	conime.exe	38
PID 1040 wrote to memory of 1564	1040	conime.exe	38
PID 1040 wrote to memory of 1564	1040	conime.exe	38
PID 1040 wrote to memory of 1564	1040	conime.exe	38
PID 1040 wrote to memory of 1704	1040	conime.exe	39
PID 1040 wrote to memory of 1704	1040	conime.exe	39
PID 1040 wrote to memory of 1704	1040	conime.exe	39
PID 1040 wrote to memory of 1704	1040	conime.exe	39
PID 1040 wrote to memory of 1704	1040	conime.exe	39
PID 1040 wrote to memory of 1704	1040	conime.exe	39

C:\Users\Admin\AppData\Local\Temp\ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe
"C:\Users\Admin\AppData\Local\Temp\ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\conime.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\conime.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:316
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
  2⤵
  - Deletes itself
  PID:752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat

Filesize
248B

MD5
9751ca6933103d01ecea47447059096d

SHA1
c43d96b2df743ca126b63f4f5f80f6d9be3b7785

SHA256
816460c397341e44ab892226456d5c5c0cee02e24da77fb379ed857e310a7d8b

SHA512
c678b79ef933aff4665081ac55190d81c780fec51f32fad217e1efe2af2a02c51be5acf2927e5caa5b29ac3bf344ff8944d4cb95535f75505ad0aa770204fb99

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSINFO\conime.exe

Filesize
279KB

MD5
cf2c7e0747c70b8f273d7fb93beda952

SHA1
72d38ab7e7ba4fc8e43444a370a571843aea3a13

SHA256
ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952

SHA512
7031a8025dc76fcb6cccec013f9c92128c558c15d0861693a28677ba761612e25537ce1992a80b5caa3b7661a7a07edb235d2f8827aeb83d89128c731643cf41

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\conime.exe

Filesize
279KB

MD5
cf2c7e0747c70b8f273d7fb93beda952

SHA1
72d38ab7e7ba4fc8e43444a370a571843aea3a13

SHA256
ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952

SHA512
7031a8025dc76fcb6cccec013f9c92128c558c15d0861693a28677ba761612e25537ce1992a80b5caa3b7661a7a07edb235d2f8827aeb83d89128c731643cf41

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\conime.exe

Filesize
279KB

MD5
cf2c7e0747c70b8f273d7fb93beda952

SHA1
72d38ab7e7ba4fc8e43444a370a571843aea3a13

SHA256
ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952

SHA512
7031a8025dc76fcb6cccec013f9c92128c558c15d0861693a28677ba761612e25537ce1992a80b5caa3b7661a7a07edb235d2f8827aeb83d89128c731643cf41

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\conime.exe

Filesize
279KB

MD5
cf2c7e0747c70b8f273d7fb93beda952

SHA1
72d38ab7e7ba4fc8e43444a370a571843aea3a13

SHA256
ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952

SHA512
7031a8025dc76fcb6cccec013f9c92128c558c15d0861693a28677ba761612e25537ce1992a80b5caa3b7661a7a07edb235d2f8827aeb83d89128c731643cf41

Download Submit
memory/1040-72-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1040-67-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1500-69-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1856-81-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2008-56-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2008-66-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2008-54-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/2008-55-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2008-57-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download