modiloader | c1d7550d1cfee7c4dd1eb1a1d9bb711355d44cd0609cf4f50dbdcebb0a7285fa

Analysis

max time kernel
31s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-04-2023 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT/IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe
Size

1.4MB
MD5

5d640e845ee35e1ebdd91fd9ae93c80d
SHA1

7f16c1d10b622f8d9e9f9a3e851a24b14759b8e2
SHA256

769ac6fd667c5fd54ff9f4e9476cb54aa7844d19d4551f5b9f415780ddeb3b1d
SHA512

fc9b2681285839a2cb70a558dd4ffaa1d8a5e111087771a7997df9bb5a4f4cf27d049378d1ef1155e1b9476b755d1d9abd8a994bff3ebcda7ef3845181a75aee
SSDEEP

24576:ezhCv4xm8E+fEc6ta2SAaQBn2NDld56BeKwjYq897JoVCu:ezZUaQB2xh6BhwjYL97Lu

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1720-54-0x00000000034E0000-0x00000000035C1000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wmtvfogh = "C:\\Users\\Public\\Libraries\\hgofvtmW.url"	IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe

pid process

1720 IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe

pid	process
1720	IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe

description	pid	process	target process
PID 1720 wrote to memory of 1320	1720	IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe	wscript.exe
PID 1720 wrote to memory of 1320	1720	IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe	wscript.exe
PID 1720 wrote to memory of 1320	1720	IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe	wscript.exe
PID 1720 wrote to memory of 1320	1720	IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe	wscript.exe

C:\Users\Admin\AppData\Local\Temp\IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT\IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe
"C:\Users\Admin\AppData\Local\Temp\IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT\IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\wscript.exe
C:\Windows\System32\wscript.exe
2⤵
PID:1320

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-54-0x00000000034E0000-0x00000000035C1000-memory.dmp

Filesize
900KB

Download
memory/1720-56-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1720-57-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1720-60-0x0000000030590000-0x0000000030649000-memory.dmp

Filesize
740KB

Download
memory/1720-61-0x0000000030590000-0x0000000030649000-memory.dmp

Filesize
740KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads