modiloader | 2bc460da83eba817ca2bb83cb36643cff8023c36349162dd48eb775b1c1d0235

Analysis

max time kernel
131s
max time network
51s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09/01/2023, 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arch-sketch-002993.dwg.pif.exe
Size

742KB
MD5

782b22a3f6dc0aff93112e31398dd4ef
SHA1

713d1002835091e21bc76a5a70ba7afa2e4d727a
SHA256

2bc460da83eba817ca2bb83cb36643cff8023c36349162dd48eb775b1c1d0235
SHA512

ab6c1cdc82ca705338e3f1fe7c4c8b548e06b0262bd28b07850e27e5c6bb6cd24a17a319d3ce649a94b76c1ea37b0c0d6d9e659dc5fbd72fb151ed8d815f6993
SSDEEP

12288:khrRcQ1GIjHQK1dbre1I8wtBzvoRcbM3VBcO9zZtXF5kVn27jvTyUiats:kNGIjHX1re1I8YMRcb+VBcO9zzV5S2/a

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 8 IoCs

resource	yara_rule
behavioral1/memory/1896-55-0x00000000002A0000-0x00000000002CC000-memory.dmp	modiloader_stage2
behavioral1/memory/1976-59-0x0000000000290000-0x00000000002BC000-memory.dmp	modiloader_stage2
behavioral1/memory/856-63-0x0000000000280000-0x00000000002AC000-memory.dmp	modiloader_stage2
behavioral1/memory/1968-67-0x00000000003A0000-0x00000000003CC000-memory.dmp	modiloader_stage2
behavioral1/memory/660-71-0x00000000002D0000-0x00000000002FC000-memory.dmp	modiloader_stage2
behavioral1/memory/2044-75-0x0000000000340000-0x000000000036C000-memory.dmp	modiloader_stage2
behavioral1/memory/1732-79-0x0000000001D50000-0x0000000001D7C000-memory.dmp	modiloader_stage2
behavioral1/memory/992-87-0x00000000004D0000-0x00000000004FC000-memory.dmp	modiloader_stage2

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1896	arch-sketch-002993.dwg.pif.exe
1976	arch-sketch-002993.dwg.pif.exe
856	arch-sketch-002993.dwg.pif.exe
1968	arch-sketch-002993.dwg.pif.exe
660	arch-sketch-002993.dwg.pif.exe
2044	arch-sketch-002993.dwg.pif.exe
1732	arch-sketch-002993.dwg.pif.exe
896	arch-sketch-002993.dwg.pif.exe
992	arch-sketch-002993.dwg.pif.exe
1540	arch-sketch-002993.dwg.pif.exe
1124	arch-sketch-002993.dwg.pif.exe
792	arch-sketch-002993.dwg.pif.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1976	1896	arch-sketch-002993.dwg.pif.exe	28
PID 1896 wrote to memory of 1976	1896	arch-sketch-002993.dwg.pif.exe	28
PID 1896 wrote to memory of 1976	1896	arch-sketch-002993.dwg.pif.exe	28
PID 1896 wrote to memory of 1976	1896	arch-sketch-002993.dwg.pif.exe	28
PID 1976 wrote to memory of 856	1976	arch-sketch-002993.dwg.pif.exe	29
PID 1976 wrote to memory of 856	1976	arch-sketch-002993.dwg.pif.exe	29
PID 1976 wrote to memory of 856	1976	arch-sketch-002993.dwg.pif.exe	29
PID 1976 wrote to memory of 856	1976	arch-sketch-002993.dwg.pif.exe	29
PID 856 wrote to memory of 1968	856	arch-sketch-002993.dwg.pif.exe	30
PID 856 wrote to memory of 1968	856	arch-sketch-002993.dwg.pif.exe	30
PID 856 wrote to memory of 1968	856	arch-sketch-002993.dwg.pif.exe	30
PID 856 wrote to memory of 1968	856	arch-sketch-002993.dwg.pif.exe	30
PID 1968 wrote to memory of 660	1968	arch-sketch-002993.dwg.pif.exe	31
PID 1968 wrote to memory of 660	1968	arch-sketch-002993.dwg.pif.exe	31
PID 1968 wrote to memory of 660	1968	arch-sketch-002993.dwg.pif.exe	31
PID 1968 wrote to memory of 660	1968	arch-sketch-002993.dwg.pif.exe	31
PID 660 wrote to memory of 2044	660	arch-sketch-002993.dwg.pif.exe	32
PID 660 wrote to memory of 2044	660	arch-sketch-002993.dwg.pif.exe	32
PID 660 wrote to memory of 2044	660	arch-sketch-002993.dwg.pif.exe	32
PID 660 wrote to memory of 2044	660	arch-sketch-002993.dwg.pif.exe	32
PID 2044 wrote to memory of 1732	2044	arch-sketch-002993.dwg.pif.exe	33
PID 2044 wrote to memory of 1732	2044	arch-sketch-002993.dwg.pif.exe	33
PID 2044 wrote to memory of 1732	2044	arch-sketch-002993.dwg.pif.exe	33
PID 2044 wrote to memory of 1732	2044	arch-sketch-002993.dwg.pif.exe	33
PID 1732 wrote to memory of 896	1732	arch-sketch-002993.dwg.pif.exe	34
PID 1732 wrote to memory of 896	1732	arch-sketch-002993.dwg.pif.exe	34
PID 1732 wrote to memory of 896	1732	arch-sketch-002993.dwg.pif.exe	34
PID 1732 wrote to memory of 896	1732	arch-sketch-002993.dwg.pif.exe	34
PID 896 wrote to memory of 992	896	arch-sketch-002993.dwg.pif.exe	35
PID 896 wrote to memory of 992	896	arch-sketch-002993.dwg.pif.exe	35
PID 896 wrote to memory of 992	896	arch-sketch-002993.dwg.pif.exe	35
PID 896 wrote to memory of 992	896	arch-sketch-002993.dwg.pif.exe	35
PID 992 wrote to memory of 1540	992	arch-sketch-002993.dwg.pif.exe	36
PID 992 wrote to memory of 1540	992	arch-sketch-002993.dwg.pif.exe	36
PID 992 wrote to memory of 1540	992	arch-sketch-002993.dwg.pif.exe	36
PID 992 wrote to memory of 1540	992	arch-sketch-002993.dwg.pif.exe	36
PID 1540 wrote to memory of 1124	1540	arch-sketch-002993.dwg.pif.exe	37
PID 1540 wrote to memory of 1124	1540	arch-sketch-002993.dwg.pif.exe	37
PID 1540 wrote to memory of 1124	1540	arch-sketch-002993.dwg.pif.exe	37
PID 1540 wrote to memory of 1124	1540	arch-sketch-002993.dwg.pif.exe	37
PID 1124 wrote to memory of 792	1124	arch-sketch-002993.dwg.pif.exe	38
PID 1124 wrote to memory of 792	1124	arch-sketch-002993.dwg.pif.exe	38
PID 1124 wrote to memory of 792	1124	arch-sketch-002993.dwg.pif.exe	38
PID 1124 wrote to memory of 792	1124	arch-sketch-002993.dwg.pif.exe	38
PID 792 wrote to memory of 872	792	arch-sketch-002993.dwg.pif.exe	39
PID 792 wrote to memory of 872	792	arch-sketch-002993.dwg.pif.exe	39
PID 792 wrote to memory of 872	792	arch-sketch-002993.dwg.pif.exe	39
PID 792 wrote to memory of 872	792	arch-sketch-002993.dwg.pif.exe	39

C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
"C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
  C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
    C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
      C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:660
      - C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        
        C:\Users\Admin\AppData\Local\Temp\arch-sketch-002993.dwg.pif.exe
        13⤵
        
        PID:872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/660-71-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/856-63-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/992-87-0x00000000004D0000-0x00000000004FC000-memory.dmp

Filesize
176KB

Download
memory/1732-79-0x0000000001D50000-0x0000000001D7C000-memory.dmp

Filesize
176KB

Download
memory/1896-55-0x00000000002A0000-0x00000000002CC000-memory.dmp

Filesize
176KB

Download
memory/1896-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1968-67-0x00000000003A0000-0x00000000003CC000-memory.dmp

Filesize
176KB

Download
memory/1976-59-0x0000000000290000-0x00000000002BC000-memory.dmp

Filesize
176KB

Download
memory/2044-75-0x0000000000340000-0x000000000036C000-memory.dmp

Filesize
176KB

Download