modiloader | e68b08f8dfd24e634cdbb6e430056c7225386085c58248b89d45cfe7d7d07053

Analysis

max time kernel
18s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e68b08f8dfd24e634cdbb6e430056c7225386085c58248b89d45cfe7d7d07053.dll
Size

497KB
MD5

db5801aeaa4b02c6d0af8417eba08361
SHA1

00e6ee5b04f534523806d11a5f1480e1e6252fd2
SHA256

e68b08f8dfd24e634cdbb6e430056c7225386085c58248b89d45cfe7d7d07053
SHA512

bd43706e9313cd8f1967449b0fe16c5814cc1c188934038f90559c6656c2e357467e705aa06f2a23166894683a036ee44f08e3c6caf2edb21e89f1ff689f8d01
SSDEEP

12288:qnd75fG1khOCeHJ/DG74W/ndL29IA1FBg2dd/DjvU:qnF1UkhOCeHxS0W/ndLaIqFBgsd7bU

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/852-56-0x0000000001F40000-0x00000000020BD000-memory.dmp	modiloader_stage2
behavioral1/memory/852-57-0x0000000001F40000-0x00000000020BD000-memory.dmp	modiloader_stage2
behavioral1/memory/852-59-0x0000000001F40000-0x00000000020BD000-memory.dmp	modiloader_stage2

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1628 wrote to memory of 852	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 852	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 852	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 852	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 852	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 852	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 852	1628	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e68b08f8dfd24e634cdbb6e430056c7225386085c58248b89d45cfe7d7d07053.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e68b08f8dfd24e634cdbb6e430056c7225386085c58248b89d45cfe7d7d07053.dll,#1
2⤵
PID:852

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/852-54-0x0000000000000000-mapping.dmp

Download
memory/852-55-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/852-56-0x0000000001F40000-0x00000000020BD000-memory.dmp

Filesize
1.5MB

Download
memory/852-57-0x0000000001F40000-0x00000000020BD000-memory.dmp

Filesize
1.5MB

Download
memory/852-58-0x00000000002D0000-0x0000000000324000-memory.dmp

Filesize
336KB

Download
memory/852-59-0x0000000001F40000-0x00000000020BD000-memory.dmp

Filesize
1.5MB

Download