modiloader | 3ae59bff704751af19ea535dd681e1549cceaafcd053f41d64c982235c8e4148

Analysis

max time kernel
129s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
09/01/2023, 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BOQ-523-2022 R01.pdf.exe
Size

723KB
MD5

7bfb43461dc7e45a2d2019202453f437
SHA1

24092359be8e8957d45a5f912e8011ec2310c657
SHA256

3ae59bff704751af19ea535dd681e1549cceaafcd053f41d64c982235c8e4148
SHA512

85ce8e41ffa0aa3c4db5602fe0ff8eceaae23fcc0b836f2ca25bc1ae8d497f91bc1c05d6abdcca90724f1aa286a9f42b090747f7818ff56c9e1b6a006d7a5e06
SSDEEP

12288:NhrRcQ1GIjHQK1dbre1I8wtBzvoRcbM3VBcO9zJkF5kVn27jvTyUiats:jNGIjHX1re1I8YMRcb+VBcO9zu5S2/vS

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 10 IoCs

resource	yara_rule
behavioral1/memory/1244-55-0x00000000004C0000-0x00000000004EC000-memory.dmp	modiloader_stage2
behavioral1/memory/484-59-0x00000000002A0000-0x00000000002CC000-memory.dmp	modiloader_stage2
behavioral1/memory/660-63-0x0000000000280000-0x00000000002AC000-memory.dmp	modiloader_stage2
behavioral1/memory/796-71-0x00000000003B0000-0x00000000003DC000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-75-0x0000000000290000-0x00000000002BC000-memory.dmp	modiloader_stage2
behavioral1/memory/436-79-0x0000000000390000-0x00000000003BC000-memory.dmp	modiloader_stage2
behavioral1/memory/852-83-0x00000000002E0000-0x000000000030C000-memory.dmp	modiloader_stage2
behavioral1/memory/1636-91-0x0000000000330000-0x000000000035C000-memory.dmp	modiloader_stage2
behavioral1/memory/1964-95-0x0000000000350000-0x000000000037C000-memory.dmp	modiloader_stage2
behavioral1/memory/1524-99-0x00000000002B0000-0x00000000002DC000-memory.dmp	modiloader_stage2

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1244	BOQ-523-2022 R01.pdf.exe
484	BOQ-523-2022 R01.pdf.exe
660	BOQ-523-2022 R01.pdf.exe
1800	BOQ-523-2022 R01.pdf.exe
796	BOQ-523-2022 R01.pdf.exe
1548	BOQ-523-2022 R01.pdf.exe
436	BOQ-523-2022 R01.pdf.exe
852	BOQ-523-2022 R01.pdf.exe
1788	BOQ-523-2022 R01.pdf.exe
1636	BOQ-523-2022 R01.pdf.exe
1964	BOQ-523-2022 R01.pdf.exe
1524	BOQ-523-2022 R01.pdf.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 484	1244	BOQ-523-2022 R01.pdf.exe	28
PID 1244 wrote to memory of 484	1244	BOQ-523-2022 R01.pdf.exe	28
PID 1244 wrote to memory of 484	1244	BOQ-523-2022 R01.pdf.exe	28
PID 1244 wrote to memory of 484	1244	BOQ-523-2022 R01.pdf.exe	28
PID 484 wrote to memory of 660	484	BOQ-523-2022 R01.pdf.exe	29
PID 484 wrote to memory of 660	484	BOQ-523-2022 R01.pdf.exe	29
PID 484 wrote to memory of 660	484	BOQ-523-2022 R01.pdf.exe	29
PID 484 wrote to memory of 660	484	BOQ-523-2022 R01.pdf.exe	29
PID 660 wrote to memory of 1800	660	BOQ-523-2022 R01.pdf.exe	30
PID 660 wrote to memory of 1800	660	BOQ-523-2022 R01.pdf.exe	30
PID 660 wrote to memory of 1800	660	BOQ-523-2022 R01.pdf.exe	30
PID 660 wrote to memory of 1800	660	BOQ-523-2022 R01.pdf.exe	30
PID 1800 wrote to memory of 796	1800	BOQ-523-2022 R01.pdf.exe	31
PID 1800 wrote to memory of 796	1800	BOQ-523-2022 R01.pdf.exe	31
PID 1800 wrote to memory of 796	1800	BOQ-523-2022 R01.pdf.exe	31
PID 1800 wrote to memory of 796	1800	BOQ-523-2022 R01.pdf.exe	31
PID 796 wrote to memory of 1548	796	BOQ-523-2022 R01.pdf.exe	32
PID 796 wrote to memory of 1548	796	BOQ-523-2022 R01.pdf.exe	32
PID 796 wrote to memory of 1548	796	BOQ-523-2022 R01.pdf.exe	32
PID 796 wrote to memory of 1548	796	BOQ-523-2022 R01.pdf.exe	32
PID 1548 wrote to memory of 436	1548	BOQ-523-2022 R01.pdf.exe	33
PID 1548 wrote to memory of 436	1548	BOQ-523-2022 R01.pdf.exe	33
PID 1548 wrote to memory of 436	1548	BOQ-523-2022 R01.pdf.exe	33
PID 1548 wrote to memory of 436	1548	BOQ-523-2022 R01.pdf.exe	33
PID 436 wrote to memory of 852	436	BOQ-523-2022 R01.pdf.exe	34
PID 436 wrote to memory of 852	436	BOQ-523-2022 R01.pdf.exe	34
PID 436 wrote to memory of 852	436	BOQ-523-2022 R01.pdf.exe	34
PID 436 wrote to memory of 852	436	BOQ-523-2022 R01.pdf.exe	34
PID 852 wrote to memory of 1788	852	BOQ-523-2022 R01.pdf.exe	35
PID 852 wrote to memory of 1788	852	BOQ-523-2022 R01.pdf.exe	35
PID 852 wrote to memory of 1788	852	BOQ-523-2022 R01.pdf.exe	35
PID 852 wrote to memory of 1788	852	BOQ-523-2022 R01.pdf.exe	35
PID 1788 wrote to memory of 1636	1788	BOQ-523-2022 R01.pdf.exe	36
PID 1788 wrote to memory of 1636	1788	BOQ-523-2022 R01.pdf.exe	36
PID 1788 wrote to memory of 1636	1788	BOQ-523-2022 R01.pdf.exe	36
PID 1788 wrote to memory of 1636	1788	BOQ-523-2022 R01.pdf.exe	36
PID 1636 wrote to memory of 1964	1636	BOQ-523-2022 R01.pdf.exe	37
PID 1636 wrote to memory of 1964	1636	BOQ-523-2022 R01.pdf.exe	37
PID 1636 wrote to memory of 1964	1636	BOQ-523-2022 R01.pdf.exe	37
PID 1636 wrote to memory of 1964	1636	BOQ-523-2022 R01.pdf.exe	37
PID 1964 wrote to memory of 1524	1964	BOQ-523-2022 R01.pdf.exe	38
PID 1964 wrote to memory of 1524	1964	BOQ-523-2022 R01.pdf.exe	38
PID 1964 wrote to memory of 1524	1964	BOQ-523-2022 R01.pdf.exe	38
PID 1964 wrote to memory of 1524	1964	BOQ-523-2022 R01.pdf.exe	38
PID 1524 wrote to memory of 2020	1524	BOQ-523-2022 R01.pdf.exe	39
PID 1524 wrote to memory of 2020	1524	BOQ-523-2022 R01.pdf.exe	39
PID 1524 wrote to memory of 2020	1524	BOQ-523-2022 R01.pdf.exe	39
PID 1524 wrote to memory of 2020	1524	BOQ-523-2022 R01.pdf.exe	39

C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:796
      - C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe"
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe"
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe"
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOQ-523-2022 R01.pdf.exe"
        13⤵
        
        PID:2020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/436-79-0x0000000000390000-0x00000000003BC000-memory.dmp

Filesize
176KB

Download
memory/484-59-0x00000000002A0000-0x00000000002CC000-memory.dmp

Filesize
176KB

Download
memory/660-63-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/796-71-0x00000000003B0000-0x00000000003DC000-memory.dmp

Filesize
176KB

Download
memory/852-83-0x00000000002E0000-0x000000000030C000-memory.dmp

Filesize
176KB

Download
memory/1244-55-0x00000000004C0000-0x00000000004EC000-memory.dmp

Filesize
176KB

Download
memory/1244-54-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1524-99-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/1548-75-0x0000000000290000-0x00000000002BC000-memory.dmp

Filesize
176KB

Download
memory/1636-91-0x0000000000330000-0x000000000035C000-memory.dmp

Filesize
176KB

Download
memory/1964-95-0x0000000000350000-0x000000000037C000-memory.dmp

Filesize
176KB

Download