modiloader | 9a9d9ef9de8b0cf028695e63c50f3058967269d84ed76031443df89c88dd041b

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 13:25

Target

755a5deec10631248bd51f61fa083218d4357bd7aa1f168b41cd301ac7e42613.exe
Size

1.3MB
MD5

a484c9ec54ffd544a95dfa92dd0a7bb4
SHA1

f6e25f9390e78ec07950a5145a77281c640b6319
SHA256

755a5deec10631248bd51f61fa083218d4357bd7aa1f168b41cd301ac7e42613
SHA512

4800bb2f6d4450e9f0157d9577df56774456a5714b81cdb5a8efcc042e9229eac54a9fde094d236b40d16c3e7f67f081595e664899de12e9d7fb567d1847780a
SSDEEP

12288:qG6bpHk8Sy5k/fyWUzCKlnwtZ0KOKyPVHGCZvOtcUcMe2ZASsKySOVgAiklqU:qGM3q/fy6BzOV1jAZA75Srklq

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1256-133-0x00000000042D0000-0x00000000042FC000-memory.dmp	modiloader_stage2

Drops file in System32 directory 5 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{52B06B4E-ADEA-4393-A8F2-C2427F4D6935}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:4444

C:\Users\Admin\AppData\Local\Temp\755a5deec10631248bd51f61fa083218d4357bd7aa1f168b41cd301ac7e42613.exe
"C:\Users\Admin\AppData\Local\Temp\755a5deec10631248bd51f61fa083218d4357bd7aa1f168b41cd301ac7e42613.exe"
1⤵
PID:1256

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Temp\wsu5714.tmp
Filesize
36KB

MD5
761388ca8095173f6963b1d23ad8a68b

SHA1
41e2693d0efc36cb0b97ea215d554932c46464ab

SHA256
369a2323cb569b44970884d5af3d70e38c9cfb59a54d929fabb51ba46593aa06

SHA512
2db4576927b4325dc51ce1755d55b00f7153a10424ca79fb7f32f8c92a5dec899c3961b44a15a129f1e5234b53a89c8946192703b88b10e70e86670e5831ebdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuACD8.tmp
Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat
Filesize
66KB

MD5
109d4763efcfcd0d060e7091c56b4576

SHA1
2105c2ec90dd79d0704a4d2acae3f5b76841a879

SHA256
559197aafbff4de8c9998324fd78d5556765e47bce23cea49bfa910afdc165b1

SHA512
bfae30b843fed888e7533ac61da9abfb9649b3ec06275db892461836f998954cec6928dc52e5430b018e33253530c60cf646648700c59d521199bf6c2e651e80

Download Submit
memory/1256-133-0x00000000042D0000-0x00000000042FC000-memory.dmp

Filesize
176KB

Download
memory/1256-135-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1256-136-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download