modiloader | ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952

Analysis

max time kernel
152s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe
Size

279KB
MD5

cf2c7e0747c70b8f273d7fb93beda952
SHA1

72d38ab7e7ba4fc8e43444a370a571843aea3a13
SHA256

ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952
SHA512

7031a8025dc76fcb6cccec013f9c92128c558c15d0861693a28677ba761612e25537ce1992a80b5caa3b7661a7a07edb235d2f8827aeb83d89128c731643cf41
SSDEEP

6144:dwRfjZtcx5/F6vcvpMq6FHhGGA/wyCXFdhA4X0K8/YYzL8P:u8b+q6usFjA4I/YYzL8P

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral2/memory/1528-132-0x0000000000400000-0x000000000050B000-memory.dmp	modiloader_stage2
behavioral2/memory/1528-133-0x0000000000400000-0x000000000050B000-memory.dmp	modiloader_stage2
behavioral2/memory/3412-138-0x0000000000400000-0x000000000050B000-memory.dmp	modiloader_stage2
behavioral2/memory/1528-139-0x0000000000400000-0x000000000050B000-memory.dmp	modiloader_stage2
behavioral2/memory/3412-140-0x0000000000400000-0x000000000050B000-memory.dmp	modiloader_stage2
behavioral2/memory/1528-142-0x0000000000400000-0x000000000050B000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3412	conime.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_conime.exe	conime.exe
File opened for modification	C:\Windows\SysWOW64\_conime.exe	conime.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3412 set thread context of 2428	3412	conime.exe	94

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\conime.exe	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\conime.exe	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 3412	1528	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe	81
PID 1528 wrote to memory of 3412	1528	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe	81
PID 1528 wrote to memory of 3412	1528	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe	81
PID 1528 wrote to memory of 3852	1528	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe	84
PID 1528 wrote to memory of 3852	1528	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe	84
PID 1528 wrote to memory of 3852	1528	ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe	84
PID 3412 wrote to memory of 4324	3412	conime.exe	88
PID 3412 wrote to memory of 4324	3412	conime.exe	88
PID 3412 wrote to memory of 4324	3412	conime.exe	88
PID 3412 wrote to memory of 4724	3412	conime.exe	89
PID 3412 wrote to memory of 4724	3412	conime.exe	89
PID 3412 wrote to memory of 4724	3412	conime.exe	89
PID 3412 wrote to memory of 3688	3412	conime.exe	91
PID 3412 wrote to memory of 3688	3412	conime.exe	91
PID 3412 wrote to memory of 3688	3412	conime.exe	91
PID 3412 wrote to memory of 4320	3412	conime.exe	93
PID 3412 wrote to memory of 4320	3412	conime.exe	93
PID 3412 wrote to memory of 4320	3412	conime.exe	93
PID 3412 wrote to memory of 2428	3412	conime.exe	94
PID 3412 wrote to memory of 2428	3412	conime.exe	94
PID 3412 wrote to memory of 2428	3412	conime.exe	94
PID 3412 wrote to memory of 2428	3412	conime.exe	94
PID 3412 wrote to memory of 2428	3412	conime.exe	94
PID 3412 wrote to memory of 3120	3412	conime.exe	97
PID 3412 wrote to memory of 3120	3412	conime.exe	97
PID 3412 wrote to memory of 3120	3412	conime.exe	97
PID 3412 wrote to memory of 3120	3412	conime.exe	97
PID 3412 wrote to memory of 3120	3412	conime.exe	97
PID 3412 wrote to memory of 3496	3412	conime.exe	100
PID 3412 wrote to memory of 3496	3412	conime.exe	100
PID 3412 wrote to memory of 3496	3412	conime.exe	100
PID 3412 wrote to memory of 3496	3412	conime.exe	100
PID 3412 wrote to memory of 3496	3412	conime.exe	100
PID 3412 wrote to memory of 4616	3412	conime.exe	102
PID 3412 wrote to memory of 4616	3412	conime.exe	102
PID 3412 wrote to memory of 4616	3412	conime.exe	102

C:\Users\Admin\AppData\Local\Temp\ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe
"C:\Users\Admin\AppData\Local\Temp\ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\conime.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\conime.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:4616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
  2⤵
  PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2428 -ip 2428
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3120 -ip 3120
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3496 -ip 3496
1⤵
PID:1820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat

Filesize
248B

MD5
9751ca6933103d01ecea47447059096d

SHA1
c43d96b2df743ca126b63f4f5f80f6d9be3b7785

SHA256
816460c397341e44ab892226456d5c5c0cee02e24da77fb379ed857e310a7d8b

SHA512
c678b79ef933aff4665081ac55190d81c780fec51f32fad217e1efe2af2a02c51be5acf2927e5caa5b29ac3bf344ff8944d4cb95535f75505ad0aa770204fb99

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSINFO\conime.exe

Filesize
279KB

MD5
cf2c7e0747c70b8f273d7fb93beda952

SHA1
72d38ab7e7ba4fc8e43444a370a571843aea3a13

SHA256
ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952

SHA512
7031a8025dc76fcb6cccec013f9c92128c558c15d0861693a28677ba761612e25537ce1992a80b5caa3b7661a7a07edb235d2f8827aeb83d89128c731643cf41

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\conime.exe

Filesize
279KB

MD5
cf2c7e0747c70b8f273d7fb93beda952

SHA1
72d38ab7e7ba4fc8e43444a370a571843aea3a13

SHA256
ba622a518b7dcbfa1f9bd1aa2026eea584d5fec13dc5091be8d409028f7e0952

SHA512
7031a8025dc76fcb6cccec013f9c92128c558c15d0861693a28677ba761612e25537ce1992a80b5caa3b7661a7a07edb235d2f8827aeb83d89128c731643cf41

Download Submit
memory/1528-142-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1528-133-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1528-132-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1528-139-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2428-149-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3412-140-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3412-138-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download