modiloader | adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466

Analysis

max time kernel
132s
max time network
137s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 21:13

Target

adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe
Size

681KB
MD5

45debca670c252573f1e9371b81356b3
SHA1

9611fc33f94afa7ca711c44128ba0dea3d119b18
SHA256

adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466
SHA512

3baf3f71d2166de2289117d440159fa85b0754dd986c86522554a8fc6040a105b49f93ee8011773a2eb16445fe2336288102b5ea27c0382b077da440ab66cfc9
SSDEEP

12288:HbAh7WxXBmKaC5wa1ASQiLWqFzgyikeNAtKwpj/86TO7:EVWxaC5wa1tqqdXE+86Tq

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x000500000000b2d2-55.dat	modiloader_stage2
behavioral1/files/0x000500000000b2d2-57.dat	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
844	scvhost.exe

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1060	adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\scvhost.exe	adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\scvhost.exe	adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 844	1060	adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe	27
PID 1060 wrote to memory of 844	1060	adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe	27
PID 1060 wrote to memory of 844	1060	adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe	27
PID 1060 wrote to memory of 844	1060	adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe	27
PID 1060 wrote to memory of 2036	1060	adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe	28
PID 1060 wrote to memory of 2036	1060	adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe	28
PID 1060 wrote to memory of 2036	1060	adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe	28
PID 1060 wrote to memory of 2036	1060	adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe	28

C:\Users\Admin\AppData\Local\Temp\adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe
"C:\Users\Admin\AppData\Local\Temp\adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1060
- C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\scvhost.exe
  C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\scvhost.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466.exe"
  2⤵
  - Deletes itself
  PID:2036

C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\scvhost.exe

Filesize
681KB

MD5
45debca670c252573f1e9371b81356b3

SHA1
9611fc33f94afa7ca711c44128ba0dea3d119b18

SHA256
adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466

SHA512
3baf3f71d2166de2289117d440159fa85b0754dd986c86522554a8fc6040a105b49f93ee8011773a2eb16445fe2336288102b5ea27c0382b077da440ab66cfc9

Download Submit
\PROGRA~1\COMMON~1\MICROS~1\MSInfo\scvhost.exe

Filesize
681KB

MD5
45debca670c252573f1e9371b81356b3

SHA1
9611fc33f94afa7ca711c44128ba0dea3d119b18

SHA256
adc28c9c758815411ab2f646c21049646185a22db6acd278df0e36da55469466

SHA512
3baf3f71d2166de2289117d440159fa85b0754dd986c86522554a8fc6040a105b49f93ee8011773a2eb16445fe2336288102b5ea27c0382b077da440ab66cfc9

Download Submit
memory/1060-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download