modiloader | b88e4df360ffe7ca76f3993cd0a0caeffea622e1dfeb114a51c3d301bcf90f09

Analysis

max time kernel
51s
max time network
110s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-02-2023 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc137b673379a46d1a48945e7616e4ad607dfbd1f9778847ed2b4a78f52c9434.exe
Size

37.2MB
MD5

cf88f8e774757b2fe4f478b80d8a7855
SHA1

5679c77c5b4e6e8fcac610aff7d47e58356dc63f
SHA256

fc137b673379a46d1a48945e7616e4ad607dfbd1f9778847ed2b4a78f52c9434
SHA512

3af591b00a2e60e79b7d148898c2bd13bb03d695378930ced8e55e1e5589a89f28b461377486f8272fc663227830b56fccd2843a0581bc55317948868ef7035b
SSDEEP

12288:Cb8A+lyMML0gN55kXFyqf0bGBvGoE3IhAf1nAhglR:C4ZzML0gN5WXFaK9GoEHf1nAhglR

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2008-54-0x0000000000290000-0x00000000002BC000-memory.dmp	modiloader_stage2

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1236 2008 WerFault.exe fc137b673379a46d1a48945e7616e4ad607dfbd1f9778847ed2b4a78f52c9434.exe

pid	pid_target	process	target process
1236	2008	WerFault.exe	fc137b673379a46d1a48945e7616e4ad607dfbd1f9778847ed2b4a78f52c9434.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1744	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1744	AUDIODG.EXE
Token: 33	1744	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1744	AUDIODG.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fc137b673379a46d1a48945e7616e4ad607dfbd1f9778847ed2b4a78f52c9434.exe

description	pid	process	target process
PID 2008 wrote to memory of 1236	2008	fc137b673379a46d1a48945e7616e4ad607dfbd1f9778847ed2b4a78f52c9434.exe	WerFault.exe
PID 2008 wrote to memory of 1236	2008	fc137b673379a46d1a48945e7616e4ad607dfbd1f9778847ed2b4a78f52c9434.exe	WerFault.exe
PID 2008 wrote to memory of 1236	2008	fc137b673379a46d1a48945e7616e4ad607dfbd1f9778847ed2b4a78f52c9434.exe	WerFault.exe
PID 2008 wrote to memory of 1236	2008	fc137b673379a46d1a48945e7616e4ad607dfbd1f9778847ed2b4a78f52c9434.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\fc137b673379a46d1a48945e7616e4ad607dfbd1f9778847ed2b4a78f52c9434.exe
"C:\Users\Admin\AppData\Local\Temp\fc137b673379a46d1a48945e7616e4ad607dfbd1f9778847ed2b4a78f52c9434.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1504
2⤵
- Program crash
PID:1236

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1768

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x558
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2008-54-0x0000000000290000-0x00000000002BC000-memory.dmp

Filesize
176KB

Download
memory/2008-56-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2008-57-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2008-58-0x0000000000680000-0x0000000000697000-memory.dmp

Filesize
92KB

Download
memory/2008-59-0x0000000002170000-0x0000000002186000-memory.dmp

Filesize
88KB

Download
memory/2008-60-0x0000000003700000-0x000000000373B000-memory.dmp

Filesize
236KB

Download
memory/2008-61-0x0000000003450000-0x000000000345E000-memory.dmp

Filesize
56KB

Download
memory/2008-62-0x0000000003D80000-0x0000000003DDA000-memory.dmp

Filesize
360KB

Download
memory/2008-63-0x0000000003DE0000-0x0000000003DF0000-memory.dmp

Filesize
64KB

Download
memory/2008-64-0x0000000003E00000-0x0000000003E0D000-memory.dmp

Filesize
52KB

Download
memory/2008-65-0x0000000003E20000-0x0000000003E32000-memory.dmp

Filesize
72KB

Download
memory/2008-66-0x0000000003E60000-0x0000000003E98000-memory.dmp

Filesize
224KB

Download
memory/2008-67-0x0000000003F20000-0x0000000003F5A000-memory.dmp

Filesize
232KB

Download
memory/2008-68-0x0000000003F60000-0x0000000003F98000-memory.dmp

Filesize
224KB

Download
memory/2008-69-0x00000000040F0000-0x0000000004107000-memory.dmp

Filesize
92KB

Download
memory/2008-70-0x0000000004110000-0x000000000414D000-memory.dmp

Filesize
244KB

Download
memory/2008-71-0x0000000004150000-0x0000000004166000-memory.dmp

Filesize
88KB

Download
memory/2008-72-0x0000000004170000-0x000000000418C000-memory.dmp

Filesize
112KB

Download
memory/2008-73-0x00000000042E0000-0x0000000004338000-memory.dmp

Filesize
352KB

Download
memory/2008-74-0x0000000004340000-0x000000000438F000-memory.dmp

Filesize
316KB

Download
memory/2008-85-0x00000000046B0000-0x00000000046C5000-memory.dmp

Filesize
84KB

Download
memory/2008-86-0x00000000046D0000-0x00000000046DE000-memory.dmp

Filesize
56KB

Download