modiloader | 0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082

Analysis

max time kernel
95s
max time network
115s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe
Size

854KB
MD5

365cf5f5d7fc1f822927b507fb54e57a
SHA1

7d1ea87fb46709700d89a70a7fd668fb1ece7e16
SHA256

0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082
SHA512

65eed9c257993dc3a52a29b2a7d64122b32d5494e75da9f382788e3e2e06009d7285280ddcb5b62f920286776018a2b5b4051cde3d4e5e69f2111c3869b92545
SSDEEP

12288:zZ927jdTn4YRkAvIHenu/JdgQbug0lyxa66kXUqTfTB2O4rwSMpxA6Fs2Cz1dqX:zZU7VxRkwPusKqbpq7oOqLMfF8q

Score

10^/10

modiloader trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=1DZ_JyNSO-_rsy0GYLNeY10ZhLJ-wnrou

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1360-55-0x0000000001F10000-0x0000000001F3C000-memory.dmp	modiloader_stage2

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1536 1360 WerFault.exe 0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1460 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1460 powershell.exe

pid	pid_target	process	target process
1536	1360	WerFault.exe	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe

pid	process
1460	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1460	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.execmd.exe

description	pid	process	target process
PID 1360 wrote to memory of 1376	1360	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe	cmd.exe
PID 1360 wrote to memory of 1376	1360	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe	cmd.exe
PID 1360 wrote to memory of 1376	1360	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe	cmd.exe
PID 1360 wrote to memory of 1376	1360	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe	cmd.exe
PID 1376 wrote to memory of 1460	1376	cmd.exe	powershell.exe
PID 1376 wrote to memory of 1460	1376	cmd.exe	powershell.exe
PID 1376 wrote to memory of 1460	1376	cmd.exe	powershell.exe
PID 1376 wrote to memory of 1460	1376	cmd.exe	powershell.exe
PID 1360 wrote to memory of 1536	1360	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe	WerFault.exe
PID 1360 wrote to memory of 1536	1360	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe	WerFault.exe
PID 1360 wrote to memory of 1536	1360	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe	WerFault.exe
PID 1360 wrote to memory of 1536	1360	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe
"C:\Users\Admin\AppData\Local\Temp\0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Libraries\png.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -FILE C:\Users\Public\Libraries\png.ps1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 600
2⤵
- Program crash
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\png.bat
Filesize
100B

MD5
c385a71887d828b1df961942e68ecfe8

SHA1
3f539a56267af3db91be9ac9ea2fd5d803a53279

SHA256
bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3

SHA512
83d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848

Download Submit
C:\Users\Public\Libraries\png.ps1
Filesize
213B

MD5
3f883d3644bf68282106384d5a1b91d5

SHA1
b0b5719a1bbabdfbaa492dac0008c969f3f70f00

SHA256
ed0c1ca841c2a764a5ea2556277f63297ebe1940eb598f4e2fce7d2feec30dbb

SHA512
109b806b986bd92abf7f692a3da0ffed07c14c00d8c78728646b0ce9ecaa4baa0457210ffa547e7644e38d5798c91107226a61e73d330637291489947bdbdbe9

Download Submit
memory/1360-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1360-55-0x0000000001F10000-0x0000000001F3C000-memory.dmp

Filesize
176KB

Download
memory/1376-57-0x0000000000000000-mapping.dmp

Download
memory/1460-59-0x0000000000000000-mapping.dmp

Download
memory/1460-61-0x0000000073500000-0x0000000073AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1460-63-0x0000000073500000-0x0000000073AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1460-64-0x0000000073500000-0x0000000073AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1536-65-0x0000000000000000-mapping.dmp

Download