modiloader | 57d8f1fc9acb8ec46c3b26b70ad5e1b36479d28ff359a03d1fa998b59f0b2a88

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 16:10

Target

050b42da60a781a88c4c8afee5693db2.exe
Size

383KB
MD5

050b42da60a781a88c4c8afee5693db2
SHA1

96e14f7c114cfaa716ec1b2a54a86008cbec2b79
SHA256

57d8f1fc9acb8ec46c3b26b70ad5e1b36479d28ff359a03d1fa998b59f0b2a88
SHA512

5f3307ac26253e4ff6d97c00de34db89d7ee9c209a63762fd80a5b24221703b0b69b59fb6409e0a3532377f9847e627c728fcca2377cbc75824accd83a6aaa8a
SSDEEP

6144:03DAf8EvG10uPFmdm8lSz+DicdIgI+82aUIFdzvAzKpkYQwJLePcmcxof1eQEr:cDAfRGSucdmQZIt+8ZXAm2YHLYcmcxo+

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/3984-15-0x0000000000400000-0x0000000000527000-memory.dmp	modiloader_stage2
behavioral2/memory/4572-16-0x0000000000400000-0x0000000000527000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3984	Server.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\_Server.exe	Server.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Server.exe	050b42da60a781a88c4c8afee5693db2.exe
File opened for modification	C:\Program Files\Server.exe	050b42da60a781a88c4c8afee5693db2.exe
File created	C:\Program Files\Delet.bat	050b42da60a781a88c4c8afee5693db2.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 3984	4572	050b42da60a781a88c4c8afee5693db2.exe	90
PID 4572 wrote to memory of 3984	4572	050b42da60a781a88c4c8afee5693db2.exe	90
PID 4572 wrote to memory of 3984	4572	050b42da60a781a88c4c8afee5693db2.exe	90
PID 3984 wrote to memory of 4060	3984	Server.exe	91
PID 3984 wrote to memory of 4060	3984	Server.exe	91
PID 3984 wrote to memory of 4060	3984	Server.exe	91
PID 3984 wrote to memory of 2544	3984	Server.exe	92
PID 3984 wrote to memory of 2544	3984	Server.exe	92
PID 4572 wrote to memory of 1452	4572	050b42da60a781a88c4c8afee5693db2.exe	93
PID 4572 wrote to memory of 1452	4572	050b42da60a781a88c4c8afee5693db2.exe	93
PID 4572 wrote to memory of 1452	4572	050b42da60a781a88c4c8afee5693db2.exe	93

C:\Users\Admin\AppData\Local\Temp\050b42da60a781a88c4c8afee5693db2.exe
"C:\Users\Admin\AppData\Local\Temp\050b42da60a781a88c4c8afee5693db2.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Program Files\Server.exe
  "C:\Program Files\Server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:4060
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Delet.bat""
  2⤵
  PID:1452

C:\Program Files\Delet.bat

Filesize
184B

MD5
5e91bc4496ff05aeef861babfa6b2dbf

SHA1
4aa865025730d36dbed0df654ad13eaea5a5d146

SHA256
df30d68228d05e8fe15fb1962f19bfe68a60d20dc5d3a8d414d9c947bca33c6c

SHA512
6504b195c69219161a6b570edc01f29aa0c45dcaafc8ad7a3fd2601cb29bac80b69e32fd9b3857f16501b81b346ca2be41dda7585547308182f980bc416407b3

Download Submit
C:\Program Files\Server.exe

Filesize
383KB

MD5
050b42da60a781a88c4c8afee5693db2

SHA1
96e14f7c114cfaa716ec1b2a54a86008cbec2b79

SHA256
57d8f1fc9acb8ec46c3b26b70ad5e1b36479d28ff359a03d1fa998b59f0b2a88

SHA512
5f3307ac26253e4ff6d97c00de34db89d7ee9c209a63762fd80a5b24221703b0b69b59fb6409e0a3532377f9847e627c728fcca2377cbc75824accd83a6aaa8a

Download Submit
memory/3984-10-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3984-15-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/4060-12-0x0000000000B60000-0x0000000000B60000-memory.dmp

Download
memory/4572-0-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/4572-1-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/4572-2-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4572-16-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download