modiloader | 0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082

General

Target

0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe
Size

854KB
MD5

365cf5f5d7fc1f822927b507fb54e57a
SHA1

7d1ea87fb46709700d89a70a7fd668fb1ece7e16
SHA256

0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082
SHA512

65eed9c257993dc3a52a29b2a7d64122b32d5494e75da9f382788e3e2e06009d7285280ddcb5b62f920286776018a2b5b4051cde3d4e5e69f2111c3869b92545
SSDEEP

12288:zZ927jdTn4YRkAvIHenu/JdgQbug0lyxa66kXUqTfTB2O4rwSMpxA6Fs2Cz1dqX:zZU7VxRkwPusKqbpq7oOqLMfF8q

Score

10^/10

modiloader trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=1DZ_JyNSO-_rsy0GYLNeY10ZhLJ-wnrou

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2096-133-0x00000000028C0000-0x00000000028EC000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

92 4756 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

flow	pid	process
92	4756	powershell.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
428	2096	WerFault.exe	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe
3280	2096	WerFault.exe	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4756 powershell.exe
4756 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4756 powershell.exe

pid	process
4756	powershell.exe
4756	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4756	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.execmd.exe

description	pid	process	target process
PID 2096 wrote to memory of 744	2096	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe	cmd.exe
PID 2096 wrote to memory of 744	2096	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe	cmd.exe
PID 2096 wrote to memory of 744	2096	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe	cmd.exe
PID 744 wrote to memory of 4756	744	cmd.exe	powershell.exe
PID 744 wrote to memory of 4756	744	cmd.exe	powershell.exe
PID 744 wrote to memory of 4756	744	cmd.exe	powershell.exe
PID 2096 wrote to memory of 428	2096	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe	WerFault.exe
PID 2096 wrote to memory of 428	2096	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe	WerFault.exe
PID 2096 wrote to memory of 428	2096	0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe
"C:\Users\Admin\AppData\Local\Temp\0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\png.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -FILE C:\Users\Public\Libraries\png.ps1
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 840
2⤵
- Program crash
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 840
2⤵
- Program crash
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2096 -ip 2096
1⤵
PID:3296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\png.bat
Filesize
100B

MD5
c385a71887d828b1df961942e68ecfe8

SHA1
3f539a56267af3db91be9ac9ea2fd5d803a53279

SHA256
bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3

SHA512
83d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848

Download Submit
C:\Users\Public\Libraries\png.ps1
Filesize
213B

MD5
3f883d3644bf68282106384d5a1b91d5

SHA1
b0b5719a1bbabdfbaa492dac0008c969f3f70f00

SHA256
ed0c1ca841c2a764a5ea2556277f63297ebe1940eb598f4e2fce7d2feec30dbb

SHA512
109b806b986bd92abf7f692a3da0ffed07c14c00d8c78728646b0ce9ecaa4baa0457210ffa547e7644e38d5798c91107226a61e73d330637291489947bdbdbe9

Download Submit
memory/428-147-0x0000000000000000-mapping.dmp

Download
memory/744-135-0x0000000000000000-mapping.dmp

Download
memory/2096-133-0x00000000028C0000-0x00000000028EC000-memory.dmp

Filesize
176KB

Download
memory/4756-140-0x0000000005450000-0x0000000005472000-memory.dmp

Filesize
136KB

Download
memory/4756-139-0x00000000054E0000-0x0000000005B08000-memory.dmp

Filesize
6.2MB

Download
memory/4756-141-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/4756-142-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/4756-143-0x0000000006270000-0x000000000628E000-memory.dmp

Filesize
120KB

Download
memory/4756-138-0x00000000029C0000-0x00000000029F6000-memory.dmp

Filesize
216KB

Download
memory/4756-145-0x00000000078E0000-0x0000000007F5A000-memory.dmp

Filesize
6.5MB

Download
memory/4756-146-0x0000000005410000-0x000000000542A000-memory.dmp

Filesize
104KB

Download
memory/4756-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads